PrepAway - Latest Free Exam Questions & Answers

Which one of the following steps should be performed FIRST?

You have been tasked to develop an effective information classification program. Which one of the following
steps should be performed FIRST?

A. Establish procedures for periodically reviewing the classification and ownership

B. Specify the security controls required for each classification level

C. Identify the data custodian who will be responsible for maintaining the security level of data

D. Specify the criteria that will determine how data is classified

Explanation:
The following outlines the first three necessary steps for a proper classification program:
1. Define classification levels.
2. Specify the criteria that will determine how data are classified.
3. Identify data owners who will be responsible for classifying data.
Steps 4-10 omitted.
Incorrect Answers:
A: Establishing procedures for periodically reviewing the classification and ownership is not one of the first
steps in the classification program. It is one of the last steps (step 8 out of 10).
B: Specifying the security controls required for each classification level is not one of the first steps in the
classification program. It is step 5 out of 10.
C: Identifying the data custodian who will be responsible for maintaining the security level of data is not one of
the first steps in the classification program. It is step 4 out of 10.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 114

