ISC2 CISSP Practice Question

The correct answer is that a more granular data classification scheme enables tailored security controls based on data sensitivity. Data sensitivity may vary widely within each customer account. For instance, personal financial data may be stored in the same database as publicly available city of residence. Data classification is fundamentally about categorizing information assets based on their sensitivity and value to the organization, which allows for the implementation of appropriate security controls for each level of sensitivity. Without proper granularity, organizations risk either over-protecting low-sensitivity data (wasting resources) or under-protecting highly sensitive data (creating security vulnerabilities).

The other answers contain flaws: While regulatory compliance is important, it's not the primary purpose of data classification but rather one of several benefits. Similarly, reducing storage costs might be a side benefit but is not the main purpose of classification. And while data classification can help with incident response, suggesting it's primarily for determining breach notification requirements oversimplifies its much broader purpose in security governance.