CISSP · Question #127
Which of the following MUST system and database administrators be aware of and apply when configuring systems used for storing personal employee data?
The correct answer is B. The organization's security policies and standards. When configuring systems that store personal employee data, administrators must follow the organization's security policies and standards as their primary mandatory obligation.
Question
Which of the following MUST system and database administrators be aware of and apply when configuring systems used for storing personal employee data?
Options
- ASecondary use of the data by business users
- BThe organization's security policies and standards
- CThe business purpose for which the data is to be used
- DThe overall protection of corporate resources and data
How the community answered
(63 responses)- A2% (1)
- B90% (57)
- C3% (2)
- D5% (3)
Why each option
When configuring systems that store personal employee data, administrators must follow the organization's security policies and standards as their primary mandatory obligation.
Secondary use of data by business users is a data governance and privacy concern relevant to data owners and privacy officers, not a mandatory technical configuration requirement for system and database administrators.
Security policies and standards are the formal, mandatory governance framework that system and database administrators are required to know and apply when configuring any system, especially those handling sensitive personal data. These policies define access controls, encryption requirements, audit logging, and data handling procedures that ensure compliance with both internal governance and external regulations. Administrators are directly accountable for implementing these controls as defined by the organization's security program.
The business purpose for which data is used is a consideration for data owners and privacy stewards during data classification, not a primary technical obligation imposed on system and database administrators during system configuration.
While overall protection of corporate resources is a broad organizational goal, it is not the specific, actionable, and mandatory requirement that administrators must apply; security policies and standards translate that goal into concrete configuration directives.
Concept tested: Administrator responsibility for applying organizational security policies
Source: https://www.nist.gov/publications/guidelines-role-of-security-policies-and-standards
Topics
Community Discussion
No community discussion yet for this question.