A data classification policy is the foundational element required to consistently assess data protection needs. This policy establishes a framework for categorizing data based on its sensitivity, criticality, and value to the enterprise (e.g., Public, Confidential, Restricted). By creating a standardized set of criteria, the policy enables data owners to make uniform and objective decisions about the appropriate level of security controls, such as access rights and encryption, that must be applied. All other data protection activities, including risk management and the implementation of specific controls, are dependent on this initial classification.

A. Data encryption program: This is a specific security control. The decision on what data to encrypt and the strength of encryption required is determined after the data has been classified.

B. Data risk management program: A risk management program assesses threats and vulnerabilities, but it requires data classification as a primary input to determine the business impact of a potential data compromise.

C. Data retention policy: This policy defines how long data is kept. While important for governance, it is typically informed by the data's classification, not the other way around.

1. ISACA

CGEIT Review Manual

8th Edition

2020. Domain 2: IT Resources

Task Statement 2.3

"Ensure that IT resources are identified and classified based on their criticality and importance to the enterprise." The supporting text explains that classification is a prerequisite for applying appropriate controls and protection measures.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives

2018. Management Objective APO14: Managed Data

Practice APO14.02

"Define and maintain data and information architecture." This practice includes activities for establishing a data classification scheme to ensure data is managed according to its value and sensitivity.

3. ISACA

CGEIT Review

Questions

Answers & Explanations Manual

5th Edition

2020. The rationale for similar questions emphasizes that data classification is the first step in a data management program

as it provides the basis for determining handling requirements

controls

and protection levels.