Certified Information Systems Auditor (CISA) — Question 1457

An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (PII) on customer bills or receipts.
However, it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them. What is the BEST recommendation?

Answer options

• A. Data sanitization
• B. Data masking
• C. Data encryption
• D. Data tokenization

Correct answer: B

Explanation

Data masking is the correct choice because it allows for the obfuscation of PII while still enabling the display of a necessary attribute for verification. Data sanitization typically involves the removal of data, which would not meet the business requirement. Data encryption secures data but does not make it visible in a readable format, and data tokenization replaces sensitive data with non-sensitive equivalents, which might not meet the need for verification.