An information classification framework is the most effective tool for standardizing how sensitive corporate data is handled. This framework establishes categories for data based on its level of sensitivity, criticality, and value to the enterprise (e.g., Public, Internal, Confidential, Restricted). For each category, it defines specific, mandatory handling procedures for creation, storage, transmission, and destruction. This ensures that data is protected consistently and appropriately across the enterprise, directly fulfilling the objective of standardization. The framework provides the granular, actionable rules needed to implement the high-level goals of security and risk policies.

B. Enterprise risk policy: This is a high-level document that states the organization's overall intent and direction for managing risk; it does not provide specific, standardized data handling procedures.

C. Enterprise risk management (ERM) framework: An ERM framework provides a broad structure to identify and manage all types of enterprise risks, but it is not the specific tool for standardizing data handling rules.

D. Information security policy: While this policy mandates the protection of information, the classification framework is the specific component within it that operationalizes and standardizes how different types of data are handled.

1. ISACA

CGEIT Review Manual

8th Edition (2020). Domain 4: Information Resources Optimization

Task Statement 4.02

states the need to "Ensure that information/data is classified in terms of criticality and sensitivity." The supporting text explains that this classification is essential to determine the required level of protection and appropriate handling procedures.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective APO14

Managed Data

Practice APO14.02

"Define and implement a data classification scheme." The description states that this practice is necessary to "ensure that data is handled (e.g.

stored

archived

destroyed

accessed) according to its classification." This directly links classification to standardized handling.

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective APO14

Managed Data

Practice APO14.03

"Manage the data life cycle." This practice explicitly requires enterprises to "Define and implement procedures for data handling

including labeling

handling

storage

retention

retrieval and secure disposal

according to classification."