nerdexam
(ISC)2

CISSP · Question #453

What steps can be taken to prepare personally identifiable information (PII) for processing by a third party?

The correct answer is C. The personal information should be maintained separately connected with a one-way reference.. When preparing PII for third-party processing, the goal is to minimize exposure of sensitive data while retaining the ability to reference it. The correct approach involves data separation and pseudonymization techniques.

Submitted by naveen.iyer· Mar 5, 2026Security and Risk Management

Question

What steps can be taken to prepare personally identifiable information (PII) for processing by a third party?

Options

  • AIt is not necessary to protect PII as long as it is in the hands of the provider.
  • BA security agreement with a Cloud Service Provider (CSP) was required so there is no concern.
  • CThe personal information should be maintained separately connected with a one-way reference.
  • DThe personal information can be hashed and then the data can be sent to an outside processor.

How the community answered

(47 responses)
  • A
    11% (5)
  • B
    2% (1)
  • C
    81% (38)
  • D
    6% (3)

Why each option

When preparing PII for third-party processing, the goal is to minimize exposure of sensitive data while retaining the ability to reference it. The correct approach involves data separation and pseudonymization techniques.

AIt is not necessary to protect PII as long as it is in the hands of the provider.

PII must be protected regardless of who holds it; third-party possession does not eliminate legal or regulatory obligations such as those imposed by GDPR, HIPAA, or CCPA on data controllers.

BA security agreement with a Cloud Service Provider (CSP) was required so there is no concern.

A security agreement with a CSP establishes contractual responsibilities but does not technically protect or anonymize the PII data itself during processing, leaving it still vulnerable to exposure.

CThe personal information should be maintained separately connected with a one-way reference.Correct

Maintaining personal information separately and linking it via a one-way reference is a recognized pseudonymization technique defined in privacy frameworks like GDPR and NIST SP 800-188. This approach ensures that the third party only receives a token or reference identifier rather than the raw PII, reducing exposure risk. If the third-party system is compromised, the actual personal data remains protected in the separate, controlled data store.

DThe personal information can be hashed and then the data can be sent to an outside processor.

Hashing is a one-way function suitable for integrity verification or password storage, but sending hashed PII to an external processor is incorrect because hashed data can still be re-identified through rainbow tables or brute force, and it does not represent a standard privacy-preserving data preparation method for processing workflows.

Concept tested: PII pseudonymization and data separation for third-party processing

Source: https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8312.pdf

Topics

#PII protection#data privacy#third-party processing#pseudonymization

Community Discussion

No community discussion yet for this question.

Full CISSP Practice