Which statement best describes a data classification policy?

• A. It reduces the need for password policies.
• B. It is optional and rarely used by organizations.
• C. Classifying data into levels with specific controls based on value and sensitivity improves data protection.
• D. It replaces the need for encryption.

Answer: (C)

A data classification policy works by organizing data into levels of value and sensitivity and tying protections to those levels, so more valuable data receive stronger controls. This approach means you label data (for example, public, internal, confidential, or restricted) and then apply specific handling requirements for each level, such as who can access it, how it must be stored and transmitted, retention periods, and whether encryption or special monitoring is needed. By aligning safeguards with the potential impact of exposure or loss, the organization focuses resources where risk is highest, reduces the chance of accidental disclosure, and supports compliance with regulations and standards.

The other statements miss the point: classification doesn’t make password policies disappear, nor is a policy typically optional or rarely used in real programs. It also doesn’t eliminate the need for encryption; instead, it often dictates when encryption should be applied.