Which TWO of the following are appropriate ways to handle sensitive data discovered during a penetration test when producing the final report? (Select TWO.)
This follows data minimization principles.
Why this answer
Options B and D are correct. Sensitive data should be sanitized in the report (e.g., redacted or anonymized), and any retained data should be securely destroyed after the report is delivered.
Option A is wrong because assigning a separate sensitivity label is not a handling method. Option C is wrong because including raw data increases risk. Option E is wrong because secure transmission is about delivery, not report content.