Certified Information Security Manager (CISM) — Question 742
Which of the following should be done FIRST when establishing a new data protection program that must comply with applicable data privacy regulations?
Answer options
- A. Encrypt all personal data stored on systems and networks.
- B. Evaluate privacy technologies required for data protection.
- C. Create an inventory of systems where personal data is stored.
- D. Update disciplinary processes to address privacy violations.
Correct answer: C
Explanation
The correct answer is C because an inventory of the systems where personal data is stored is essential to understanding where that data resides, which is a critical first step in compliance. Options A and B are important but come after assessing the current state of data storage. Option D is also necessary but should follow the establishment of data handling practices.