CISA QUESTION #6851
Question 1
An auditor reviews a data classification policy that defines four levels: Public, Internal, Confidential, and Restricted. However, testing reveals that 90% of data is classified as 'Internal' with no further differentiation. What is the PRIMARY control weakness?
  • Poorly designed classification scheme
  • Classification system is not providing meaningful data protection guidance✔️
  • Need for more classification levels
  • User training deficiency
Correct Answer Explanation
Over-classification or under-differentiation defeats the purpose of data classification. When most data falls into one broad category, the classification provides no useful guidance for protection requirements, access controls, or handling procedures. Effective classification must meaningfully differentiate data requiring different protection levels.