Many regulations as well as the United States government require organizations to identify personally identifiable information (PII) and protected health information (PHI) and handle them in a secure manner. Unauthorized release or loss of such data could result in severe fines and penalties for the organization. Given the importance of PII and PHI, regulators and the government want to oversee the usage more efficiently. This section explains what PII and PHI are.
Based on page 158, section "Personally Identifiable Information and Protected Health Information" of: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide by Omar Santos
The category that relates to improper use or disclosure of personally identifiable information (PII) data is the compliance category. Compliance refers to adhering to legal and regulatory requirements, as well as internal policies and procedures, to protect sensitive data and ensure the confidentiality, integrity, and availability of information. Compliance requirements often include data protection regulations that mandate how PII data should be collected, stored, and processed, and require organizations to take measures to prevent unauthorized access or disclosure of PII.
The improper use or disclosure of Personally Identifiable Information (PII) data is a regulated issue. NIST SP 800-53 and SP 800-171 provide specific guidelines for protecting PII data, including security requirements for non-federal information systems and organizations that process, store, or transmit Controlled Unclassified Information (CUI), which includes PII data. These guidelines address areas such as access control, incident response, and media protection, and aim to ensure the confidentiality, integrity, and availability of PII data. Organizations are expected to comply with these regulations and guidelines, and failure to do so may result in legal consequences.
What are question: I would flag this in a Cisco exam.
Key word here is "improper", and still PII data is "regulated"; if you don't "comply" then "legal" ramifications will follow the organisation.
I think legal is the correct answer as well: An organization that is subject to any obligations to protect PII should consider such obligations when determining the PII confidentiality impact level. Many organizations are subject to laws, regulations, or other mandates governing the obligation to protect personal information, such as the Privacy Act of 1974, OMB memoranda, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additionally, some Federal agencies, such as the Census Bureau and the Internal Revenue Service (IRS), are subject to additional specific legal obligations to protect certain types of PII.
"A" should be correct.
With GDPR (General Data Protection Regulation), I believe it is Legal.
The other alternatives are mere consequences.
But....
For the certification exam, I believe "C" is the right alternative, because inside the companies this information is Regulated.
PII is related to a compliance requirement. This question is not clear.
When it comes to PII, it's about collection minimization and storing the collected data securely, such as with encryption or tokenization; therefore this is a compliance requirement.
I am not sure about the correct answer, improper use of PII is perhaps related to law or regulated.
Community vote distribution: A (35%), C (25%), B (20%), Other