The information classification scheme should:

A.
consider possible impact of a security breach.

B.
classify personal information in electronic form.

C.
be performed by the information security manager.

D.
classify systems according to the data processed.

Explanation:
Data classification is determined by the business risk, i.e., the potential impact on the business of the loss, corruption or disclosure of information. It must be applied to information in all forms, both electronic and physical (paper), and should be applied by the data owner, not the security manager. Choice B is an incomplete Answer because it addresses only privacy issues, while choice A is a more complete response. Systems are not classified per se, but the data they process and store should definitely be classified.