Certified in Risk and Information Systems Control (CRISC) — Question 228
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
Answer options
- A. Conduct an awareness program for data owners and users
- B. Maintain and review the classified data inventory
- C. Implement mandatory encryption on data
- D. Define and implement a data classification policy
Correct answer: D
Explanation
D is correct because a data classification policy provides the framework for identifying and categorizing data based on its sensitivity. This step has to come before other measures such as encryption or awareness programs, because it lays the groundwork for understanding what data needs protection. The other options, while important, are secondary actions that rely on having a classification policy in place.