nerdexam
Isaca

CDPSE · Question #125

An organization must de-identify its data before it is transferred to a third party. Which of the following should be done FIRST?

The correct answer is C. Determine the categories of personal data collected. Determining the categories of personal data collected must come first because de-identification cannot be performed without knowing what personal data exists. You must understand the data landscape - what identifiers are present, what categories of sensitive data are involved - b

Data Life Cycle

Question

An organization must de-identify its data before it is transferred to a third party. Which of the following should be done FIRST?

Options

  • AEncrypt the data at rest and in motion
  • BRemove the identifiers during the data transfer
  • CDetermine the categories of personal data collected
  • DEnsure logging is turned on for the database

How the community answered

(24 responses)
  • A
    8% (2)
  • B
    4% (1)
  • C
    83% (20)
  • D
    4% (1)

Explanation

Determining the categories of personal data collected must come first because de-identification cannot be performed without knowing what personal data exists. You must understand the data landscape - what identifiers are present, what categories of sensitive data are involved - before any technical de-identification technique (masking, pseudonymization, anonymization) can be applied. Encrypting data (A) is a protective measure but does not de-identify it. Removing identifiers during transfer (B) presupposes you already know what the identifiers are. Enabling database logging (D) is a monitoring control unrelated to the de-identification process itself. Inventory and categorization is always the prerequisite step.

Topics

#Data de-identification#Data classification#Data inventory

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice