A project involves handling sensitive employee information, including medical records and personal identifiers. What is the best approach to ensure this data is properly secured according to company policy?
Implement the highest level of data classification and restrict access.
Anonymize the data, which removes the need for strict access controls.
Rely on the default network security settings to protect the information.
Encrypt the data and provide the key to all project stakeholders for transparency.
Sensitive employee data, such as medical records (PHI) and personal identifiers (PII), requires the highest level of protection under data classification policies. The best practice is to implement strict data classification and restrict access to authorized personnel on a need-to-know basis, a concept known as the principle of least privilege. This ensures compliance with security standards and privacy regulations. Relying only on default network security is insufficient as it does not provide granular, data-level protection and is not considered a 'secure-by-default' strategy for sensitive data. While encrypting data is a critical control, providing the key to all stakeholders violates the principle of least privilege.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is data classification and why is it important?
Open an interactive chat with Bash
What are some common methods to restrict access to sensitive data?
Open an interactive chat with Bash
What are the potential consequences of mishandling sensitive employee information?