nerdexam
Isaca

AAISM · Question #101

Which of the following is the BEST way to ensure an organization remains compliant with industry regulations when decommissioning an AI system used to record patient data?

The correct answer is D. Ensure the certificate of destruction is received and archived in line with data retention policies. Regulations such as HIPAA require that organizations properly dispose of protected health information and maintain documented evidence of that disposal. A certificate of destruction provides the auditable proof that media and data were destroyed in accordance with regulatory requ

AI Security Assurance and Resilience

Question

Which of the following is the BEST way to ensure an organization remains compliant with industry regulations when decommissioning an AI system used to record patient data?

Options

  • AEnsure backups are tested and access controls are recorded and audited to ensure compliance
  • BUpdate governance policies based on lessons learned and ensure a feedback loop exists
  • CPerform a post-destruction risk assessment to verify that there is no residual exposure of data
  • DEnsure the certificate of destruction is received and archived in line with data retention policies

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    4% (1)
  • C
    8% (2)
  • D
    83% (20)

Explanation

Regulations such as HIPAA require that organizations properly dispose of protected health information and maintain documented evidence of that disposal. A certificate of destruction provides the auditable proof that media and data were destroyed in accordance with regulatory requirements. Archiving the certificate per retention policies ensures it is available during future audits or investigations. Option A (backup testing and access control records) relates to operational continuity, not decommissioning compliance. Option B (lessons learned feedback loop) improves governance but is not a compliance requirement. Option C (post-destruction risk assessment) is a good practice but the certificate of destruction is the primary compliance artifact.

Topics

#AI System Decommissioning#Data Destruction#Regulatory Compliance#Data Retention Policy

Community Discussion

No community discussion yet for this question.

Full AAISM Practice