Page 343 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

sensitive data in transit and sensitive data at rest should be encrypted.
When pseudonymization is performed effectively, it can result in less
stringent requirements that would otherwise apply under the GDPR.

A pseudonym is an alias. As an example, Harry Potter author J. K.
Rowling published a book titled The Cuckoo’s Calling under the
pseudonym of Robert Galbraith. If you know the pseudonym, you’ll
know that any future books authored by Robert Galbraith are written
by J. K. Rowling.

Pseudonymization refers to the process of using pseudonyms to
represent other data. It can be done to prevent the data from directly
identifying an entity, such as a person. As an example, consider a
medical record held by a doctor’s office. Instead of including personal
information such as the patient’s name, address, and phone number, it
could just refer to the patient as Patient 23456 in the medical record.
The doctor’s office still needs this personal information, and it could
be held in another database linking it to the patient pseudonym
(Patient 23456).

Note that in the example, the pseudonym (Patient 23456) refers to
several pieces of information on the person. It’s also possible for a
pseudonym to be used for a single piece of information. For example,
you can use one pseudonym for a first name and another pseudonym
for a last name. The key is to have another resource (such as another
database) that allows you to identify the original data using the
pseudonym.

The GDPR refers to pseudonymization as replacing data with artificial
identifiers. These artificial identifiers are pseudonyms.
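
The medical-record example above, sketched as an added example (not from the study guide): identifying fields move into a separate linking store and the record keeps only a random pseudonym. The class and function names, the field split, and the sample records are assumptions made for illustration.

```python
import secrets

# Fields that directly identify the patient (assumed split for this example).
IDENTIFYING_FIELDS = ("name", "address", "phone")


class PseudonymVault:
    """Separate, access-controlled store linking pseudonyms to identities."""

    def __init__(self):
        self._by_pseudonym = {}   # pseudonym -> identifying fields
        self._by_identity = {}    # identity tuple -> pseudonym

    def pseudonym_for(self, identity):
        """Return a stable pseudonym for this identity, creating one if new."""
        key = tuple(identity[f] for f in IDENTIFYING_FIELDS)
        if key not in self._by_identity:
            # Random, so the pseudonym itself reveals nothing about the person.
            pseudonym = f"Patient {secrets.randbelow(90000) + 10000}"
            while pseudonym in self._by_pseudonym:      # avoid collisions
                pseudonym = f"Patient {secrets.randbelow(90000) + 10000}"
            self._by_identity[key] = pseudonym
            self._by_pseudonym[pseudonym] = dict(identity)
        return self._by_identity[key]

    def reidentify(self, pseudonym):
        """Reverse the mapping; only holders of the vault can do this."""
        return dict(self._by_pseudonym[pseudonym])


def pseudonymize(record, vault):
    """Split a record: identity goes to the vault, the rest keeps a pseudonym."""
    identity = {f: record[f] for f in IDENTIFYING_FIELDS}
    clinical = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    return {"patient": vault.pseudonym_for(identity), **clinical}


# Constructed sample records (not real data).
VISITS = [
    {"name": "Ann Example", "address": "1 Sample St", "phone": "555-0100",
     "diagnosis": "sprained ankle"},
    {"name": "Ann Example", "address": "1 Sample St", "phone": "555-0100",
     "diagnosis": "follow-up, healed"},
]

if __name__ == "__main__":
    vault = PseudonymVault()
    for visit in VISITS:
        print(pseudonymize(visit, vault))
    print(vault.reidentify(pseudonymize(VISITS[0], vault)["patient"]))
```

Both visits come back under the same pseudonym, which is what lets the office keep a patient's history together, while the name, address, and phone number can be recovered only through the vault.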




Tokenization is similar to pseudonymization.
Pseudonymization uses pseudonyms to represent other data.
Tokenization uses tokens to represent other data. Neither the
pseudonym nor the token has any meaning or value outside the
process that creates them and links them to the other data.
Additionally, both methods can be reversed to make the data
meaningful.