nerdexam
(ISC)2

CISSP · Question #1221

What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?

The correct answer is D. Data classification. Before any DLP controls can be designed or enforced, an organization must first understand what data it has and how sensitive it is, making data classification the foundational first step.

Submitted by viktor_hu· Mar 5, 2026Asset Security

Question

What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?

Options

  • AConfiguration management (CM)
  • BInformation Rights Management (IRM)
  • CPolicy creation
  • DData classification

How the community answered

(58 responses)
  • A
    5% (3)
  • B
    3% (2)
  • C
    10% (6)
  • D
    81% (47)

Why each option

Before any DLP controls can be designed or enforced, an organization must first understand what data it has and how sensitive it is, making data classification the foundational first step.

AConfiguration management (CM)

Configuration management addresses maintaining secure and consistent system settings, but it is a technical control that comes after data has been classified and policies have been defined, not before.

BInformation Rights Management (IRM)

Information Rights Management enforces access and usage controls on classified data, but it is a protective mechanism applied after data has already been identified and categorized through classification.

CPolicy creation

Policy creation is an essential DLP step, but policies can only be written effectively after data has been classified, because the policies must reference specific data types and sensitivity levels to be actionable.

DData classificationCorrect

Data classification is the first step in a DLP program because you must identify and categorize data by its sensitivity level (e.g., public, internal, confidential, restricted) before you can determine what needs protection. Without knowing what data exists and its relative value or risk, you cannot create meaningful policies, apply rights management, or configure technical controls. All subsequent DLP activities depend on this foundational inventory and labeling effort.

Concept tested: DLP program foundation and data classification priority

Source: https://www.nist.gov/system/files/documents/2017/05/09/nist_800-60_vol1-rev1.pdf

Topics

#Data Loss Prevention (DLP)#Data classification#Information lifecycle management

Community Discussion

No community discussion yet for this question.

Full CISSP Practice