nerdexam
(ISC)2

CISSP · Question #127

Which of the following MUST system and database administrators be aware of and apply when configuring systems used for storing personal employee data?

The correct answer is B. The organization's security policies and standards. When configuring systems that store personal employee data, administrators must follow the organization's security policies and standards as their primary mandatory obligation.

Submitted by asante_acc· Mar 5, 2026Security and Risk Management

Question

Which of the following MUST system and database administrators be aware of and apply when configuring systems used for storing personal employee data?

Options

  • ASecondary use of the data by business users
  • BThe organization's security policies and standards
  • CThe business purpose for which the data is to be used
  • DThe overall protection of corporate resources and data

How the community answered

(63 responses)
  • A
    2% (1)
  • B
    90% (57)
  • C
    3% (2)
  • D
    5% (3)

Why each option

When configuring systems that store personal employee data, administrators must follow the organization's security policies and standards as their primary mandatory obligation.

ASecondary use of the data by business users

Secondary use of data by business users is a data governance and privacy concern relevant to data owners and privacy officers, not a mandatory technical configuration requirement for system and database administrators.

BThe organization's security policies and standardsCorrect

Security policies and standards are the formal, mandatory governance framework that system and database administrators are required to know and apply when configuring any system, especially those handling sensitive personal data. These policies define access controls, encryption requirements, audit logging, and data handling procedures that ensure compliance with both internal governance and external regulations. Administrators are directly accountable for implementing these controls as defined by the organization's security program.

CThe business purpose for which the data is to be used

The business purpose for which data is used is a consideration for data owners and privacy stewards during data classification, not a primary technical obligation imposed on system and database administrators during system configuration.

DThe overall protection of corporate resources and data

While overall protection of corporate resources is a broad organizational goal, it is not the specific, actionable, and mandatory requirement that administrators must apply; security policies and standards translate that goal into concrete configuration directives.

Concept tested: Administrator responsibility for applying organizational security policies

Source: https://www.nist.gov/publications/guidelines-role-of-security-policies-and-standards

Topics

#security policies#data handling#personal data#administrative awareness

Community Discussion

No community discussion yet for this question.

Full CISSP Practice