Certified Information Systems Auditor (CISA) Exam: Assessing Risk of Unstructured Data

Question

Which of the following should be an IS auditor's FIRST action when assessing the risk associated with unstructured data?

Answers

Explanations

A. B. C. D.

D.

When assessing the risk associated with unstructured data, an IS auditor's first action should be to identify the repositories of unstructured data. Therefore, option C is the correct answer.

Unstructured data refers to data that has no predefined data model or organization, such as email messages, social media posts, word processing documents, spreadsheets, images, and videos. Unstructured data is often difficult to manage and secure, making it vulnerable to theft, loss, or misuse.

The first step in assessing the risk associated with unstructured data is to identify where the unstructured data resides. This includes identifying the physical and logical locations of the data, such as servers, databases, file systems, and network shares. This also includes identifying who owns the data and who has access to it.

Once the repositories of unstructured data are identified, an IS auditor can then perform a risk assessment to determine the potential risks and impacts associated with the data. This includes evaluating the confidentiality, integrity, and availability of the data, as well as the potential risks of unauthorized access, modification, or destruction.

After the risk assessment, appropriate security controls can be implemented to mitigate the identified risks. These may include implementing user access controls, strong encryption, or data classification tools, as suggested in the other answer options. However, these controls should only be implemented after the risk assessment, and only if they are deemed necessary and effective in mitigating the identified risks.