CERTIFIED-IN-CYBERSECURITY Question #205: Real Exam Question with Answer & Explanation
The correct answer is C: Need to know.
Question
How is personally identifiable information (PII) access limited to only essential information?
Options
- A. Context-dependent control
- B. Separation of duties
- C. Need to know
- D. Constrained interfaces
Explanation
Need to know is a security principle ensuring that access to sensitive or personally identifiable information (PII) is granted only to individuals who need it to perform their job duties (see ISC2 Study Guide, Chapter 3, Module 1). This access is limited to the essential information required for the individual's job function, not the entire dataset.

Imagine a hospital's electronic health record (EHR) system is designed to implement the principle of "need to know" to protect patients' personally identifiable information (PII). Whenever a nurse logs into the EHR system, they can only access patient data for those patients currently assigned to their care. They do not have access to the records of patients not under their care, as they do not "need to know" that information to do their job. Similarly, an administrative staff member responsible for billing might only have access to the insurance and billing information of patients. They do not have access to the patient's medical history or diagnoses, as they do not "need to know" that information to complete their billing tasks. On the other hand, a doctor would have wider access to patient data, including medical history, diagnosis, and treatment plans, for the patients they are treating. They still do not have access to the billing or insurance information as it is not necessary for providing medical care. This setup demonstrates the "need to know" principle in action, where access to PII is limited to only the information essential for each individual's specific job role.

Regarding the other options: separation of duties is a principle that requires multiple individuals to participate in a task, with each person assigned to a different role. Constrained interfaces limit what the user can do within the application, and context-dependent control provides access based on the context of the
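The hospital scenario above, as an added example that is not from the ISC2 study guide or the original page: a small Python authorization check that enforces need to know on two axes at once, which patients a user may see (their current care assignments) and which fields of a record their job function requires. The role names, the field sets per role, the rule that billing staff are scoped by field only rather than by assignment, and the sample patient records are all assumptions constructed for illustration.

```python
"""Need-to-know enforcement for an EHR-style record store.

Added example, not code from the ISC2 study guide or the original page.
Roles, field sets, the assignment rule and the patient records below are
constructed assumptions that mirror the hospital scenario in the text.
"""
from dataclasses import dataclass, field


# Field-level need to know per job function (assumed policy): clinical staff
# see clinical fields, billing staff see insurance/billing fields only.
FIELDS_BY_ROLE = {
    "nurse": {"name", "allergies", "medications", "vitals"},
    "doctor": {"name", "allergies", "medications", "vitals",
               "history", "diagnosis", "treatment_plan"},
    "billing": {"name", "insurance_id", "balance_due"},
}

# Roles whose record access is additionally scoped to an explicit care
# assignment (assumption: billing is scoped by field, not by assignment).
ASSIGNMENT_SCOPED_ROLES = {"nurse", "doctor"}

# Constructed sample records with fake data.
PATIENTS = {
    "p-100": {"name": "A. Patient", "allergies": "penicillin",
              "medications": "metformin", "vitals": "BP 128/82",
              "history": "T2DM", "diagnosis": "T2DM, controlled",
              "treatment_plan": "continue metformin",
              "insurance_id": "INS-001", "balance_due": 120.00},
    "p-200": {"name": "B. Patient", "allergies": "none",
              "medications": "lisinopril", "vitals": "BP 141/90",
              "history": "hypertension", "diagnosis": "stage 1 HTN",
              "treatment_plan": "recheck in 4 weeks",
              "insurance_id": "INS-002", "balance_due": 0.00},
}


@dataclass
class User:
    user_id: str
    role: str
    assigned_patients: set[str] = field(default_factory=set)


class AccessDenied(Exception):
    """Raised whenever the caller does not need to know the requested data."""


def read_patient(user: User, patient_id: str) -> dict:
    """Return only the fields this user needs to know for this patient.

    Fails closed: an unknown role gets nothing, and an assignment-scoped
    user who is not caring for the patient gets the same denial whether or
    not the patient exists, so the check does not confirm record existence.
    """
    allowed_fields = FIELDS_BY_ROLE.get(user.role)
    if allowed_fields is None:
        raise AccessDenied("unknown role")
    if user.role in ASSIGNMENT_SCOPED_ROLES and patient_id not in user.assigned_patients:
        raise AccessDenied("patient not under this user's care")
    record = PATIENTS.get(patient_id)
    if record is None:
        # Same message as the assignment failure above: no existence oracle.
        raise AccessDenied("patient not under this user's care")
    # Field-level filtering: the whole record is never handed to the caller.
    return {k: v for k, v in record.items() if k in allowed_fields}


def withheld_fields(user: User, patient_id: str) -> set[str]:
    """Fields of the record the user was not shown; useful for audit review."""
    shown = read_patient(user, patient_id)
    return set(PATIENTS[patient_id]) - set(shown)


if __name__ == "__main__":
    nurse = User("n1", "nurse", {"p-100"})
    print("nurse sees:", read_patient(nurse, "p-100"))
    try:
        read_patient(nurse, "p-200")
    except AccessDenied as exc:
        print("nurse denied on p-200:", exc)
    print("billing sees:", read_patient(User("b1", "billing"), "p-100"))
```

The two checks are deliberately separate: the assignment check answers "which patients" and the field filter answers "which data about them". A plain role check that returned whole records would satisfy neither half of need to know.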