Certified Information Systems Auditor (CISA) — Question 990

During an IS audit, it is discovered that data classification rules are often ignored by programmers developing in-house software. Which of the following recommendations would BEST mitigate the risk in this situation?

Answer options

• A. Revise the organization's data classification policy.
• B. Require application owners to classify data used by programmers.
• C. Ensure code reviews include data classification checks.
• D. Prevent programmers from accessing sensitive data during development.

Correct answer: C

Explanation

The correct answer is C because including data classification checks in code reviews ensures that any oversight is caught before deployment, enhancing compliance. Options A and B do not directly address the behavior of programmers, while option D could hinder development efficiency without resolving the underlying issue of non-compliance.