CISSP · Question #453
What steps can be taken to prepare personally identifiable information (PII) for processing by a third party?
The correct answer is C. The personal information should be maintained separately connected with a one-way reference.. When preparing PII for third-party processing, the goal is to minimize exposure of sensitive data while retaining the ability to reference it. The correct approach involves data separation and pseudonymization techniques.
Question
Options
- AIt is not necessary to protect PII as long as it is in the hands of the provider.
- BA security agreement with a Cloud Service Provider (CSP) was required so there is no concern.
- CThe personal information should be maintained separately connected with a one-way reference.
- DThe personal information can be hashed and then the data can be sent to an outside processor.
How the community answered
(47 responses)- A11% (5)
- B2% (1)
- C81% (38)
- D6% (3)
Why each option
When preparing PII for third-party processing, the goal is to minimize exposure of sensitive data while retaining the ability to reference it. The correct approach involves data separation and pseudonymization techniques.
PII must be protected regardless of who holds it; third-party possession does not eliminate legal or regulatory obligations such as those imposed by GDPR, HIPAA, or CCPA on data controllers.
A security agreement with a CSP establishes contractual responsibilities but does not technically protect or anonymize the PII data itself during processing, leaving it still vulnerable to exposure.
Maintaining personal information separately and linking it via a one-way reference is a recognized pseudonymization technique defined in privacy frameworks like GDPR and NIST SP 800-188. This approach ensures that the third party only receives a token or reference identifier rather than the raw PII, reducing exposure risk. If the third-party system is compromised, the actual personal data remains protected in the separate, controlled data store.
Hashing is a one-way function suitable for integrity verification or password storage, but sending hashed PII to an external processor is incorrect because hashed data can still be re-identified through rainbow tables or brute force, and it does not represent a standard privacy-preserving data preparation method for processing workflows.
Concept tested: PII pseudonymization and data separation for third-party processing
Source: https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8312.pdf
Topics
Community Discussion
No community discussion yet for this question.