The most important consideration when storing and processing PII is to adhere to the collection limitation laws and regulations that apply to the jurisdiction and context of the data processing.Collection limitation is a principle that states that PII should be collected only for a specific, legitimate, and lawful purpose, and only to the extent that is necessary for that purpose1. By following this principle, the data processor can minimize the amount of PII that is stored and processed, and reduce the risk of data breaches, misuse, or unauthorized access.Encrypting and hashing all PII, storing PII for no more than one year, and avoiding storing PII in a cloud service provider are also good practices for protecting PII, but they are not as important as adhering to the collection limitation laws and regulations.Reference:1: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 290.

A federated identity standard is Security Assertion Markup Language (SAML). SAML is a standard that enables the exchange of authentication and authorization information between different parties, such as service providers and identity providers, using XML-based messages called assertions. SAML can facilitate the single sign-on (SSO) process, which allows a user to access multiple services or applications with a single login session, without having to provide their credentials multiple times. SAML can also support the federated identity management, which allows a user to use their identity or credentials from one domain or organization to access the services or applications from another domain or organization, without having to create or maintain separate accounts. 802.11i, Kerberos, and LDAP are not federated identity standards, as they are related to the wireless network security, the network authentication protocol, or the directory service protocol, not the exchange of authentication and authorization information between different parties.Reference:CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 692.Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 708.

The principal task that the architect should undertake for building a platform to distribute music to thousands of users on a global scale is to establish a media caching methodology. A platform is a type of software or system that provides the foundation or the infrastructure for developing, running, or delivering other software or applications, such as music distribution. A platform can provide various benefits, such as facilitating or enabling the creation, operation, or delivery of the software or applications, and enhancing the functionality, performance, or usability of the software or applications. A platform can also pose various challenges or issues, such as scalability, availability, or latency. A media caching methodology is a type of technique or approach that involves storing or saving the copies or the versions of the media content or data, such as music, on various locations or servers that are closer or nearer to the users or the customers, and that are connected or linked to a network or a service, such as a content delivery network (CDN). A media caching methodology can provide various benefits, such as improving or optimizing the distribution, delivery, or access of the media content or data, and reducing the bandwidth, cost, or time of the distribution, delivery, or access of the media content or data. Establishing a media caching methodology is the principal task that the architect should undertake for building a platform to distribute music to thousands of users on a global scale, as it can address or solve the challenges or issues of the platform, such as scalability, availability, or latency, and as it can ensure or enhance the quality, efficiency, or effectiveness of the platform .Reference: [CISSP CBK, Fifth Edition, Chapter 3, page 241]; [CISSP Practice Exam -- FREE 20 Questions and Answers, Question 15].

According to the CISSP CBK Official Study Guide1, the primary purpose of accreditation is to allow senior management to make an informed decision regarding whether to accept the risk of operating the system. Accreditation is the process of formally authorizing a system to operate based on the results of the security assessment and the risk analysis. Accreditation is a management responsibility that involves evaluating the security posture, the residual risk, and the compliance status of the system, and determining if the system is acceptable to operate within the organization's risk tolerance.Accreditation does not necessarily mean that the system complies with applicable laws and regulations, protects the organization's sensitive data, or verifies that all security controls have been implemented properly and are operating in the correct manner, although these may be factors that influence the accreditation decision.Reference:1

Risk tolerance is the factor that mandates the amount and complexity of security controls applied to a security risk. Risk tolerance is the degree of risk that an organization or an individual is willing to accept or bear, based on their objectives, expectations, and capabilities. Risk tolerance can be influenced by various factors, such as the organizational culture, the regulatory environment, the stakeholder interests, the cost-benefit analysis, and the risk appetite. Risk tolerance can help to determine the acceptable level of residual risk and the appropriate risk response for each risk scenario. Security controls are the measures or actions that are implemented to reduce the risk to an acceptable level, or to transfer, avoid, or accept the risk. Security controls can be classified into different types, such as administrative, technical, physical, preventive, detective, corrective, deterrent, or compensating. Security controls can also be categorized into different levels, such as management, operational, or technical. The amount and complexity of security controls applied to a security risk depend on the risk tolerance of the organization or the individual, as well as the risk assessment results and the security requirements. Security vulnerabilities, risk mitigation, and security staff are not the factors that mandate the amount and complexity of security controls applied to a security risk, although they are related or relevant concepts. Security vulnerabilities are the weaknesses or flaws in the assets, systems, or processes that can be exploited by the threats to cause harm or damage. Security vulnerabilities can increase the risk level and the need for security controls. Risk mitigation is the process of selecting and implementing the appropriate security controls to reduce the risk to an acceptable level, or to transfer, avoid, or accept the risk. Risk mitigation is based on the risk tolerance and the risk assessment results. Security staff are the personnel who are responsible for planning, implementing, maintaining, and monitoring the security controls and processes within an organization. Security staff can affect the quality and effectiveness of the security controls.