A security architect is designing a data-protection program for a global enterprise. Before selecting encryption, DLP, and access-control mechanisms for various repositories, the architect needs a structured process to sort customer PII, engineering trade secrets, internal memos, and public marketing assets into categories such as Public, Internal, Confidential, and Restricted based on business impact and regulatory obligations. Which of the following processes should the architect perform FIRST to enable selection of the appropriate safeguards?
Data classification - assigning sensitivity labels to information according to business value and regulatory requirements.
Data discovery - scanning repositories to locate and inventory information assets.
Data retention - defining how long information must be stored and when it should be disposed.
Data tokenization - substituting sensitive fields with irreversible surrogate values.
Data classification is the formal process of assigning sensitivity labels (for example, Public, Internal, Confidential, or Restricted) to information based on its value, regulatory obligations, and potential impact if disclosed. Once data is classified, the organization can map the proper security controls (encryption, access restrictions, retention periods, and so on) to each category. The other options occur at different stages or serve different purposes: data discovery inventories the locations of information but does not assign sensitivity labels; data tokenization substitutes sensitive fields with surrogate values after classification decisions have been made; data retention policies dictate how long information is stored and when it is destroyed, which is also guided by the results of classification.