Data Classification Process for Online Retailer Processing Credit Card Information | IS Auditor Next Step


Question

An IS auditor determines that an online retailer processing credit card information does not have a data classification process.

The auditor's NEXT step should be to:



The correct answer is B. determine existing controls around sensitive data.

Explanation: When the IS auditor finds that an online retailer processing credit card information has no data classification process, the NEXT step is to determine the existing controls around sensitive data. The auditor needs to know the current state of those controls before judging how serious the gap is: cardholder data is sensitive by definition (and subject to PCI DSS), so the real question is whether it is actually being protected, not whether a policy document labels it.

Without that understanding, any recommendation is guesswork. Recommending encryption of all sensitive data at rest is pointless if encryption is already in place, and recommending a data loss prevention (DLP) tool is unnecessary if effective compensating controls already exist. Conversely, a finding that says only "no classification process" understates the risk if cardholder data turns out to be stored unencrypted and broadly accessible.

Determining the existing controls therefore comes before any recommendation. It typically involves reviewing policies and procedures, interviewing the personnel who handle cardholder data, and examining technical controls such as network segmentation and firewalls, access controls, and encryption. From that review the auditor can identify gaps in the protection of sensitive data and make recommendations that fit the actual environment.

Inquiring about data loss incidents (option D) can be useful evidence, but it is not the next step: past incidents reveal only the failures that were detected, whereas a review of the existing controls gives a comprehensive view of how sensitive data is protected today.