CISSP Exam - Question 403

The correct answer is B. Classification. Classification is the first step in the information governance lifecycle, as it helps to identify what data an organization has, how sensitive it is, and how it should be handled. The other options are not the first step in the information governance lifecycle. Owner is the person or entity that has the authority and responsibility for the data, but it is not necessarily assigned before classification. Custodian is the person or entity that has the operational responsibility for the data, but it is not necessarily assigned before classification. Retention is the process of keeping or deleting data based on its value and legal requirements, but it is not the first step in the information governance lifecycle.

B. Classification Assigning a classification is the first step to ensure proper governance of information throughout the lifecycle. Classification helps to determine the appropriate level of protection that information requires based on its sensitivity and criticality. This then informs the appropriate owner, custodian, retention, and disposal requirements. Therefore, classification is the foundation for effective information governance.

Fist you must have a data owner, and that person classifies the data as appropriate.

In establishing proper governance of information throughout its lifecycle, the FIRST assignment is typically the Owner. The owner is responsible for making decisions regarding the data, including its classification, assigning custodianship, determining retention requirements, and overseeing its overall management.

The owner, he is the responsible for classifying the data

Owner decides/determines classification.

I can't make up my mind between Owner or Classification. I want to say Owner, because Owners assign the classification. Maybe I'm thinking too technically.

Chicken and Egg question. Oh my. I would say the owner does the classification. But is an owner assigned? and then by who, Custodian? Then who assigns the custodian? I really dislike questions like this.

I go with B it may be difficult to identify the appropriate owner without first classifying the information. In some organizations is not the owner who classifies the information, it can be information security team, a data governance team or a records management team.

Assigning ownership of information is critical to ensuring that the information is properly managed, protected, and governed. When someone is designated as the owner of the information, they are responsible for defining and implementing the policies, procedures, and controls necessary to ensure the confidentiality, integrity, and availability of the information.

The data owner sometimes refer to as the organizational owner or senior manager is the person who has the ultimate organizational responsibility for data, the owner is typically the chief executive officer (CEO), president or a department head (DH). Data owners identify the classification of data and ensure that it is labeled properly.. in that case the first thing to assign is classification. my point is you dont assign the organizational owner.

It has to start with owner

Data owner determines classification

B seems the correct anwer

A. Owner ..........You have to assign a data owner first before you classify the data. Data classification is essential but can only happen after a data owner has been assigned. This is because the Data Owner plays a decisive role in the data classification process.

Answer A) Owner https://ieeexplore.ieee.org/document/9822707#:~:text=The%20data%20owner%20will%20be%20identified%20in%20the%20Create%20phase

A data owner has the major repsonsibility of setting policies and guidelines for data set usage. Polices = governance.