CISSP · Question #795
A hospital has three data classification levels: shareable without restrictions, shareable with restrictions, and internal use only. Which of the following BEST demonstrates adhering to principles of
The correct answer is C. A memo regarding a newly discovered data breach marked as "internal use only" is posted on the. Good data classification ensures that sensitive information is labeled appropriately and access is controlled based on the classification level assigned to that data.
Question
A hospital has three data classification levels: shareable without restrictions, shareable with restrictions, and internal use only. Which of the following BEST demonstrates adhering to principles of good enterprise data classification?
Options
- AA printout of the employee code of conduct marked "shareable with restrictions" is posted in the
- BA printout of the employee code of conduct marked "internal use only" is posted in the waiting
- CA memo regarding a newly discovered data breach marked as "internal use only" is posted on the
- DAn electronic health record (EHR) with personally identifiable information (PII) marked as
How the community answered
(35 responses)- A6% (2)
- B11% (4)
- C80% (28)
- D3% (1)
Why each option
Good data classification ensures that sensitive information is labeled appropriately and access is controlled based on the classification level assigned to that data.
Posting an employee code of conduct labeled 'shareable with restrictions' in a public waiting room violates the classification policy, as a restricted document should not be freely visible to non-employees or the general public.
An employee code of conduct is generally an internal policy document that could reasonably be shared in restricted contexts, but labeling it 'internal use only' and then posting it in a public waiting room contradicts the classification by exposing it to unauthorized viewers.
A memo about a newly discovered data breach is highly sensitive operational security information that could cause harm if disclosed externally, so classifying it as 'internal use only' is appropriate. Posting it on an internal staff bulletin board (accessible only to employees) correctly aligns the data's sensitivity level with its access controls. This demonstrates proper classification by restricting a sensitive document to only those within the organization who need to know.
Electronic health records containing PII are among the most sensitive data types and should be classified at the highest restriction level; marking EHR/PII data as anything less than the most restrictive classification (e.g., 'shareable without restrictions') would violate data classification principles and regulatory requirements like HIPAA.
Concept tested: Enterprise data classification and appropriate data handling
Source: https://www.nist.gov/system/files/documents/2020/03/26/NIST%20SP%20800-60%20Vol%201%20Rev%201.pdf
Topics
Community Discussion
No community discussion yet for this question.