nerdexam
(ISC)2

CISSP · Question #965

While performing a security review for a new product, an information security professional discovers that the organization's product development team is proposing to collect government- issued identif

The correct answer is B. Customer identifiers that do not resemble the user's government-issued ID number should be. Using government-issued ID numbers as customer identifiers creates significant privacy and security risks; best practice is to generate separate, unrelated identifiers that cannot be reverse-engineered to expose sensitive data.

Submitted by ngozi_ng· Mar 5, 2026Software Development Security

Question

While performing a security review for a new product, an information security professional discovers that the organization's product development team is proposing to collect government- issued identification (ID) numbers from customers to use as unique customer identifiers. Which of the following recommendations should be made to the product development team?

Options

  • ACustomer identifiers should be a variant of the user's government-issued ID number.
  • BCustomer identifiers that do not resemble the user's government-issued ID number should be
  • CCustomer identifiers should be a cryptographic hash of the user's government-issued ID number.
  • DCustomer identifiers should be a variant of the user's name, for example, "jdoe" or "john.doe."

How the community answered

(34 responses)
  • A
    18% (6)
  • B
    74% (25)
  • C
    6% (2)
  • D
    3% (1)

Why each option

Using government-issued ID numbers as customer identifiers creates significant privacy and security risks; best practice is to generate separate, unrelated identifiers that cannot be reverse-engineered to expose sensitive data.

ACustomer identifiers should be a variant of the user's government-issued ID number.

Using a variant of the government-issued ID number still exposes sensitive PII because a variant (e.g., last four digits or a transposition) can often be reverse-engineered or correlated back to the original government ID, defeating the purpose of separation.

BCustomer identifiers that do not resemble the user's government-issued ID number should beCorrect

Creating customer identifiers that bear no resemblance to government-issued ID numbers follows the privacy principle of data minimization and separation - the internal identifier should be a system-generated opaque token (e.g., UUID) with no relationship to the sensitive PII. This prevents attackers or insiders from inferring, reconstructing, or correlating the government ID from the customer identifier, and limits the blast radius of a data breach by ensuring the identifier itself carries no sensitive information.

CCustomer identifiers should be a cryptographic hash of the user's government-issued ID number.

While cryptographic hashing is better than storing the raw ID, hash-based identifiers derived from government IDs are still considered sensitive because government IDs have low entropy and are vulnerable to precomputation or rainbow table attacks, and the hash still functionally ties the identifier to the PII.

DCustomer identifiers should be a variant of the user's name, for example, "jdoe" or "john.doe."

Name-based identifiers like 'jdoe' expose personally identifiable information (the user's name) in the identifier itself, violate data minimization principles, and create enumeration and identity-guessing risks without providing any protection for the underlying government ID.

Concept tested: Privacy by design and PII data minimization in system identifiers

Source: https://www.nist.gov/privacy-framework/privacy-framework-core

Topics

#Data privacy#PII protection#Unique identifiers#Data minimization

Community Discussion

No community discussion yet for this question.

Full CISSP Practice