Exam CISSP topic 1 question 279 discussion

Agree with D, data classification is paramount for the organization.

It should be D - Data Classification Policy

I think it's C because this exam is supposed to be from a management level. D is a technical control. C is the corresponding administrative control. You can have data classification, but if your employees don't know how to use it, it may not do anything. You can implement automated data classification, but that's not what the question says.

D. A proper classification policy will cover user training

D. Implement a data classification policy. A data classification policy is essential for categorizing and labeling data based on its sensitivity and criticality. It helps organizations identify which data should be treated as confidential or restricted and which can be shared publicly. By classifying data appropriately, the organization can establish clear guidelines for handling, sharing, and protecting data.

What if the employee has the right to access data?

D. Implement a data classification policy. The primary step an organization must take to ensure data is properly protected from public release is to implement a data classification policy. This policy should clearly define what data is considered sensitive or confidential and establish guidelines for handling, storing, and sharing that data. Once the data has been properly classified, the organization can then take appropriate measures to secure it, such as implementing access controls, data encryption, and regular auditing to ensure compliance with the policy. In addition, user training on data classification and handling policies is also important to raise awareness and to make sure all employees understand their responsibilities in protecting the organizational data.

According to the question about the data public release, i think the problem is not about the data but is the users

even if you train the employees, they will still make mistakes. I would exclude option C. Option D is better.

Data Classification supports all other elements of the Information Lifecycle (CSUSAD) but also can see here via elimination i.e. how would employees know what to report, encrypt or handle with special care if data is not classified?

The given answer is CORRECT!!!!!

True. D is the answer because why train employees on something you havent classified yet.

The PRIMARY step is to classified the data.