You have just been officially endorsed as a CISSP and promoted to CISO. To meet legal and regulatory requirements, you issued a policy to direct and sponsor the data governance program. Which of the following should be conducted first? (Source: Wentz QOTD)
A. Classify data
B. Scope and tailor security controls
C. Take inventory
D. Develop an information security strategy
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Take inventory.
The data governance program can be part of the information security strategy. Since you have already issued a (program) policy to direct and sponsor the data governance program, the information security strategy must already exist, so you don't have to develop one again.
If you don't know how much data you have, or how many types, how can you classify it? You have to take inventory first so that you can classify the data and determine how to protect each type. The suggested sequence is:
- Develop an information security strategy
- Take inventory
- Classify data
- Scope and tailor security controls
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial on information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author's web site.