CISSP · Question #225
Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?
The correct answer is C. Data link encryption. Protecting sensitive customer data in a database requires encrypting the data itself, making encryption the most direct and effective privacy control. Access controls and procedural controls alone do not protect data if storage media is compromised.
Question
Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy?
Options
- ADiscretionary Access Control (DAC) procedures
- BMandatory Access Control (MAC) procedures
- CData link encryption
- DSegregation of duties
How the community answered
(21 responses)- A5% (1)
- B5% (1)
- C76% (16)
- D14% (3)
Why each option
Protecting sensitive customer data in a database requires encrypting the data itself, making encryption the most direct and effective privacy control. Access controls and procedural controls alone do not protect data if storage media is compromised.
Discretionary Access Control (DAC) restricts who can access data based on owner-defined permissions, but it does not protect the actual data content if access controls are bypassed, credentials are stolen, or storage media is physically accessed.
Mandatory Access Control (MAC) enforces system-wide policies based on data classifications and user clearances, but like DAC it controls access rather than protecting the data itself from exposure if the underlying storage is compromised.
Data link encryption protects data in transit and, when combined with encryption at rest, ensures that sensitive customer data remains unreadable to unauthorized parties even if the underlying storage or network is compromised. Encryption directly addresses data privacy by rendering data unintelligible without the proper decryption key, making it the most technically effective control for ensuring confidentiality of sensitive database content. This directly mitigates risks from interception, theft of storage media, or insider access to raw data files.
Segregation of duties is an administrative/procedural control that divides responsibilities among multiple people to reduce fraud risk, but it does not technically protect data from unauthorized disclosure or interception.
Concept tested: Encryption as a data privacy control for sensitive data
Source: https://csrc.nist.gov/publications/detail/sp/800-111/final
Topics
Community Discussion
No community discussion yet for this question.