CompTIA Security+ (SY0-601) — Question 390
An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to best satisfy both the CPO's and the development team's requirements?
Answer options
- A. Data purge
- B. Data encryption
- C. Data masking
- D. Data tokenization
Correct answer: C
Explanation
Data masking is the correct choice because it lets the development team work with realistic data formats while removing the sensitive information, which satisfies the CPO's requirement for data removal. A data purge would eliminate the data entirely, leaving developers without the information they need for testing. Data encryption secures the data but does not remove the PII. Data tokenization replaces sensitive data with non-sensitive equivalents, which may not provide the same level of utility for testing purposes.