During a review of data privacy an internal auditor is tasked with testing management's identification and prioritization of critical data collected by the organization. Which of the following steps would accomplish this objective?
A.
interview management to determine what types of data are collected and maintained
B.
Trace data from storage to the collection sources to determine how critical data is collected and organized
C.
Review a sample of data to determine whether the risk classification is reasonable
D.
Document and test a data inventory and classification program by determining the data classification levels and framework
The step that would accomplish the objective of testing management's identification and prioritization of critical data collected by the organization is to document and test a data inventory and classification program by determining the data classification levels and framework. This involves verifying that management has established a comprehensive data inventory and that data classification processes are in place and effectively implemented. It ensures that data is appropriately categorized based on its criticality and sensitivity, aligning with the organization’s risk management framework and data governance policies.References: IIA's Global Technology Audit Guide (GTAG) on Data Privacy and Protection, which outlines best practices for data classification and management.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit