CISSP · Question #477
Which of the following should be included in a hardware retention policy?
The correct answer is D. A plan to retain data required only for business purposes and a retention schedule. A hardware retention policy should define what data must be kept, for how long, and for what purposes, rather than mandating blanket retention of all data or arbitrary timeframes.
Question
Options
- AThe use of encryption technology to encrypt sensitive data prior to retention
- BRetention of data for only one week and outsourcing the retention to a third-party vendor
- CRetention of all sensitive data on media and hardware
- DA plan to retain data required only for business purposes and a retention schedule
How the community answered
(31 responses)- A3% (1)
- B10% (3)
- C3% (1)
- D84% (26)
Why each option
A hardware retention policy should define what data must be kept, for how long, and for what purposes, rather than mandating blanket retention of all data or arbitrary timeframes.
Encryption is a data protection control, not a retention policy element; while encryption may be used alongside retention practices, it addresses confidentiality during storage rather than defining what to retain or for how long.
Retaining data for only one week is an arbitrary and likely insufficient timeframe that would not satisfy most legal, regulatory, or business requirements, and outsourcing retention does not constitute a comprehensive policy in itself.
Retaining all sensitive data on media and hardware without a defined schedule or business justification leads to unnecessary data accumulation, increased risk exposure, and potential non-compliance with data minimization principles.
A sound hardware retention policy includes a clearly defined plan specifying which data is retained based on business or legal necessity, paired with a structured retention schedule that dictates how long each category of data is kept. This approach balances compliance requirements, storage costs, and risk management by avoiding unnecessary data hoarding while ensuring required data is preserved appropriately. Retention schedules also facilitate timely and secure disposal of data that no longer serves a business or regulatory purpose.
Concept tested: Hardware and data retention policy best practices
Source: https://learn.microsoft.com/en-us/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview
Topics
Community Discussion
No community discussion yet for this question.