Once the types of information have been identified, who should an information security practitioner work with to ensure that the information is properly categorized?
Correct Answer: A
The information security practitioner should work with the information owner (IO) to ensure that the information is properly categorized. The information owner is the person or the entity that has the authority and the responsibility for the information, such as the creation, classification, maintenance, use, and disposal of the information. The information owner is also accountable for the security and the protection of the information, such as the confidentiality, integrity, and availability of the information. The information security practitioner is the person or the entity that provides the expertise and the guidance for the implementation and the enforcement of the security policies and the controls for the information. The information security practitioner should work with the information owner to ensure that the information is properly categorized, as the information owner knows the value, the sensitivity, and the criticality of the information, and the information security practitioner knows the security requirements, the standards, and the best practices for the information. The information categorization is the process of assigning labels or tags to the information based on the predefined criteria, such as the impact level, the risk level, or the regulatory compliance. The information categorization can help determine the appropriate security measures and the access controls for the information, and facilitate the information management and the information sharing. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 9. CISSP Practice Exam | Boson, Question 10.