Certified Information Systems Auditor (CISA) — Question 893

An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data classification in this project?

Answer options

• A. Information security officer
• B. Data architect
• C. Database administrator (DBA)
• D. Information owner

Correct answer: D

Explanation

The information owner is responsible for determining how data should be classified based on its sensitivity and business value, making them the appropriate choice for this task. The information security officer focuses on overall security policies, the data architect designs data frameworks, and the DBA manages databases but does not classify data.