Exam CISSP topic 1 question 455 discussion

C seems to be the best option to me for stopping inadvertent exposure.

if the question is 'what should organizations do to ensure the proper handling of personally identifiable information (PII) and enforcement of PII regulations across the enterprise?' answer B or D. But it asks 'To avoid inadvertent exposure, what should ~' , employee needs training to avoid inadvertent exposure.

Inadvertent exposure= lack of knowledge/ understanding.

Answer - Employ training program Just found this additional resouce and added it to the reference list. https://www.getcerta.com/blogs/abac-framework-building-compliance-from-scratch https://www.digitalguardian.com/dskb/how-secure-pii-against-loss-or-compromise https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-162.pdf

Answer - Employ training program The reason I'm choosing employ training program is that trust agreements are between organizations, not typically used internally for one corporation and the question says "accross the enterprise" The first link specifically mentions training and the second link talks about trust agreements across the trust chain (chain being multiple corporations not a single enterprise) https://www.digitalguardian.com/dskb/how-secure-pii-against-loss-or-compromise https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-162.pdf

it is not asking about sharing PII to another organization, it is asking about handling PII by the employees of the organization that is with proper training of the employees, C

The given answer B is correct. NIST SP 800-162 states the following: "Organizations engaged in attribute sharing should employ trust agreements to ensure the proper handling of PII and enforcement of PII regulations" 3.2.1.6 Attribute Privacy Considerations page 26

Answer D) Employ regulations from leadership. You guys are forgetting that this is a CISSP question..... A,B, and C all can fall under D (Employ regulations from leadership)

B. Employ trust agreements. Trust agreements, in the context of ABAC and PII handling, are contractual agreements or policies that specify how PII should be handled, who has access to it, and under what conditions. These agreements establish trust among data custodians, data processors, and other stakeholders involved in PII management. Trust agreements can define roles, responsibilities, and the conditions under which PII can be accessed or shared.

I am going with D because the question states "attribute-based access control (ABAC)". This means that we can set access based on attributes, and those would come from management.

Ensure and enforce. You can ensure by providing training but you can only enforce with regulations.

B is correct. The key word here is enforcement. The training doesn't enforce anything.

Train the group handling privacy