Certified Information Systems Security Professional (CISSP) — Question 220
A hospital has three data classification levels: shareable without restrictions, shareable with restrictions, and internal use only. Which of the following BEST demonstrates adhering to principles of good enterprise data classification?
Answer options
- A. A printout of the employee code of conduct marked “shareable with restrictions” is posted in the hallway where patients have access.
- B. A printout of the employee code of conduct marked “internal use only” is posted in the waiting room.
- C. A memo regarding a newly discovered data breach marked as “internal use only” is posted on the wall in the employee lunchroom.
- D. An electronic health record (EHR) with personally identifiable information (PII) marked as “shareable with restrictions” is found in the employee lunchroom.
Correct answer: C
Explanation
Option C is correct because a document marked “internal use only” is kept in a private area where only employees can view it, matching its classification. The other options fail to protect data according to its label: A and B expose restricted or internal-use documents in public areas where patients can read them, and D leaves an EHR containing PII in a shared lunchroom, where it is accessible to anyone who walks by.