nerdexam
(ISC)2

CISSP · Question #795

A hospital has three data classification levels: shareable without restrictions, shareable with restrictions, and internal use only. Which of the following BEST demonstrates adhering to principles of

The correct answer is C. A memo regarding a newly discovered data breach marked as "internal use only" is posted on the. Good data classification ensures that sensitive information is labeled appropriately and access is controlled based on the classification level assigned to that data.

Submitted by klara.se· Mar 5, 2026Asset Security

Question

A hospital has three data classification levels: shareable without restrictions, shareable with restrictions, and internal use only. Which of the following BEST demonstrates adhering to principles of good enterprise data classification?

Options

  • AA printout of the employee code of conduct marked "shareable with restrictions" is posted in the
  • BA printout of the employee code of conduct marked "internal use only" is posted in the waiting
  • CA memo regarding a newly discovered data breach marked as "internal use only" is posted on the
  • DAn electronic health record (EHR) with personally identifiable information (PII) marked as

How the community answered

(35 responses)
  • A
    6% (2)
  • B
    11% (4)
  • C
    80% (28)
  • D
    3% (1)

Why each option

Good data classification ensures that sensitive information is labeled appropriately and access is controlled based on the classification level assigned to that data.

AA printout of the employee code of conduct marked "shareable with restrictions" is posted in the

Posting an employee code of conduct labeled 'shareable with restrictions' in a public waiting room violates the classification policy, as a restricted document should not be freely visible to non-employees or the general public.

BA printout of the employee code of conduct marked "internal use only" is posted in the waiting

An employee code of conduct is generally an internal policy document that could reasonably be shared in restricted contexts, but labeling it 'internal use only' and then posting it in a public waiting room contradicts the classification by exposing it to unauthorized viewers.

CA memo regarding a newly discovered data breach marked as "internal use only" is posted on theCorrect

A memo about a newly discovered data breach is highly sensitive operational security information that could cause harm if disclosed externally, so classifying it as 'internal use only' is appropriate. Posting it on an internal staff bulletin board (accessible only to employees) correctly aligns the data's sensitivity level with its access controls. This demonstrates proper classification by restricting a sensitive document to only those within the organization who need to know.

DAn electronic health record (EHR) with personally identifiable information (PII) marked as

Electronic health records containing PII are among the most sensitive data types and should be classified at the highest restriction level; marking EHR/PII data as anything less than the most restrictive classification (e.g., 'shareable without restrictions') would violate data classification principles and regulatory requirements like HIPAA.

Concept tested: Enterprise data classification and appropriate data handling

Source: https://www.nist.gov/system/files/documents/2020/03/26/NIST%20SP%20800-60%20Vol%201%20Rev%201.pdf

Topics

#data classification#sensitive data#information protection#PII

Community Discussion

No community discussion yet for this question.

Full CISSP Practice