CISSP Question #989: Real Exam Question with Answer & Explanation

The correct answer is B: The organization's data classification model.

Submitted by sofia.br · Mar 5, 2026 · Asset Security

Question

An employee's home address should be categorized according to which of the following references?

Options

  • A. The consent form terms and conditions signed by employees
  • B. The organization's data classification model
  • C. Existing employee data classifications
  • D. An organization security plan for human resources

Explanation

Data classification decisions should always be governed by the organization's formal data classification model, which defines categories and handling requirements for all types of data. An employee's home address is a type of personally identifiable information (PII) that must be categorized according to this established framework.

Common mistakes.

  • A. Consent forms define what data employees agree to share and how it may be used, but they do not provide a classification taxonomy or assign security handling requirements to specific data types.
  • C. Existing employee data classifications may reflect past decisions but are not a normative reference standard; they could themselves be inconsistent or outdated, making them unreliable as the basis for new classification decisions.
  • D. An HR security plan addresses operational security procedures for the HR function but does not define the organization-wide data classification categories used to label and govern specific data elements like home addresses.

Concept tested. Data classification model application for PII

Reference. https://www.nist.gov/system/files/documents/2018/03/07/sp800-60v1-rev1.pdf

Topics

#data classification · #personal data · #asset security · #privacy
