Effective CISSP Questions

Your company outsourced the development of the customer relationship management system. The software development vendor requests customer profiles for stress testing. To simulate the real stress and performance, which of the following is the best testing data?
A. Large amount of actual customer data
B. Small amount of anonymized customer data
C. Large amount of pseudo-anonymized customer data
D. Small amount of tokenized customer data

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Large amount of pseudo-anonymized customer data.

Stress testing needs a large amount of data to gradually increase the system load to observe system performance over time.

Personal data or PII shall not be used as test data in testing. Personal data can be used for testing only if it is anonymized or pseudo-anonymized.

Visualizing load of different performance test types
Visualizing load of different performance test types (Image Credit: galaris)

Personal Data

Article 4 (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Source: GDPR


Article 4 (5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Source: GDPR

Pseudonymization (Image Credit: IBM)


Pseudonymization is also known as tokenization, and can be configured to provide token data that matches the field type and expected data value, allowing even legacy databases to maintain structure.

Source: IBM



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

貴公司將客戶關係管理系統的開發外包了。 軟件開發人員要求提供客戶資料以進行壓力測試。 為了模擬實際壓力和效能,以下哪種是最佳的測試數據?
A. 大量的實際客戶資料
B. 少量匿名的客戶資料
C. 大量的擬匿名客戶資料
D. 少量令牌化(tokenized)的客戶資料

Leave a Reply