Certified Information Systems Security Professional (CISSP) — Question 315
While performing a security review for a new product, an information security professional discovers that the organization's product development team is proposing to collect government-issued identification (ID) numbers from customers to use as unique customer identifiers. Which of the following recommendations should be made to the product development team?
Answer options
- A. Customer identifiers should be a variant of the user's government-issued ID number.
- B. Customer identifiers should be a cryptographic hash of the user's government-issued ID number.
- C. Customer identifiers that do not resemble the user's government-issued ID number should be used.
- D. Customer identifiers should be a variant of the user's name, for example, "jdoe" or "john.doe."
Correct answer: C
Explanation
The correct answer is C. Customer identifiers that neither are nor resemble government-issued ID numbers avoid tying a business identifier to sensitive personal data, so a leaked or displayed identifier reveals nothing about the customer's ID. Option A is not ideal because a variant of the ID still exposes part of it, and option B because a cryptographic hash is deterministic: anyone who holds the ID number and knows the algorithm can recompute the hash and link the record back to the person. Option D uses names, which may not provide the uniqueness needed and could also expose personal information.
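As an added illustration of the review reasoning above (not part of the original question set), the following Python models options A, B and C and applies two checks a reviewer would run against each proposed identifier scheme: whether the identifier visibly echoes the ID, and whether it can be recomputed from the ID alone. The sample ID and the 9-digit format are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample ID (not a real number); a 9-digit format is assumed.
SAMPLE_GOV_ID = "123456789"


def variant_identifier(gov_id: str) -> str:
    """Option A: a 'variant' of the ID, here a prefix plus its last four digits."""
    return "C-" + gov_id[-4:]


def hashed_identifier(gov_id: str) -> str:
    """Option B: plain SHA-256 of the ID. It is deterministic, so anyone who knows
    the ID and the algorithm can recompute it and link a record to the person."""
    return hashlib.sha256(gov_id.encode()).hexdigest()


def resembles_gov_id(identifier: str, gov_id: str) -> bool:
    """Review check: does the identifier carry any four consecutive ID digits?"""
    return any(gov_id[i:i + 4] in identifier for i in range(len(gov_id) - 3))


def recomputable_from_id(identifier: str, gov_id: str) -> bool:
    """Review check: can the identifier be reproduced from the ID alone?"""
    return hmac.compare_digest(identifier, hashed_identifier(gov_id))


def issue_opaque_identifier(registry: dict, gov_id: str) -> str:
    """Option C: a random identifier with no derivation from the ID. If a link
    to the ID must exist at all, it lives only in a private registry. Regenerate
    in the unlikely case the random digits happen to echo part of the ID."""
    while True:
        cust_id = "CUST-" + secrets.token_hex(8)
        if not resembles_gov_id(cust_id, gov_id):
            break
    registry[cust_id] = gov_id  # constructed: store only what the product needs
    return cust_id


def review_option(identifier: str, gov_id: str) -> dict:
    """Summarise both checks for a proposed identifier scheme."""
    return {
        "resembles_id": resembles_gov_id(identifier, gov_id),
        "recomputable_from_id": recomputable_from_id(identifier, gov_id),
    }
```

Only option C passes both checks; A trips the resemblance check and B trips the recomputation check.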