Which of the following is NOT listed as a best practice for protecting sensitive information within an organization?

The key idea is distinguishing data protection measures from authentication controls. Data classification, encryption, and access controls are direct ways to safeguard the data itself: classifying what needs protection, encrypting it so it remains unread if accessed, and enforcing who can access it. Password complexity, while helpful for securing user accounts, centers on authentication rather than protecting the data per se. Even with complex passwords, data can still be exposed if credentials are compromised, stolen, or reused elsewhere. Modern practice emphasizes stronger authentication approaches (like multi-factor authentication and use of long, memorable passphrases with password managers) over relying solely on password complexity rules. So password complexity isn’t typically listed as a primary data-protection best practice, whereas the other three are.