Certified Information Security Manager (CISM) — Question 531
Which of the following should be of MOST concern to an information security manager reviewing an organization's data classification program?
Answer options
- A. The classifications do not follow industry best practices.
- B. Labeling is not consistent throughout the organization.
- C. The program allows exceptions to be granted.
- D. Data retention requirements are not defined.
Correct answer: B
Explanation
The correct answer is B: inconsistent labeling causes confusion about how data should be handled and leads to mismanagement of sensitive data, which makes security measures harder to enforce. The other options raise valid concerns, but they are less critical than the effect of inconsistent labeling on data handling and protection.