Certified Information Systems Auditor (CISA) — Question 1010

An organization's software developers need access to personally identifiable information (PII) stored in a particular data format. Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Answer options

Correct answer: A

Explanation

Data masking is the best solution because it lets developers work with obfuscated versions of PII without exposing the actual sensitive data. Data encryption secures the data but does not allow developers to use it in a readable format. Data tokenization replaces sensitive information with non-sensitive equivalents, which might not be suitable for all development scenarios. Data abstraction focuses on hiding complexities and is not specifically designed for protecting sensitive information.