CISSP · Question #1221
What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?
The correct answer is D. Data classification. Before any DLP controls can be designed or enforced, an organization must first understand what data it has and how sensitive it is, making data classification the foundational first step.
Question
What is the FIRST step that should be considered in a Data Loss Prevention (DLP) program?
Options
- AConfiguration management (CM)
- BInformation Rights Management (IRM)
- CPolicy creation
- DData classification
How the community answered
(58 responses)- A5% (3)
- B3% (2)
- C10% (6)
- D81% (47)
Why each option
Before any DLP controls can be designed or enforced, an organization must first understand what data it has and how sensitive it is, making data classification the foundational first step.
Configuration management addresses maintaining secure and consistent system settings, but it is a technical control that comes after data has been classified and policies have been defined, not before.
Information Rights Management enforces access and usage controls on classified data, but it is a protective mechanism applied after data has already been identified and categorized through classification.
Policy creation is an essential DLP step, but policies can only be written effectively after data has been classified, because the policies must reference specific data types and sensitivity levels to be actionable.
Data classification is the first step in a DLP program because you must identify and categorize data by its sensitivity level (e.g., public, internal, confidential, restricted) before you can determine what needs protection. Without knowing what data exists and its relative value or risk, you cannot create meaningful policies, apply rights management, or configure technical controls. All subsequent DLP activities depend on this foundational inventory and labeling effort.
Concept tested: DLP program foundation and data classification priority
Source: https://www.nist.gov/system/files/documents/2017/05/09/nist_800-60_vol1-rev1.pdf
Topics
Community Discussion
No community discussion yet for this question.