nerdexam
(ISC)2

CISSP · Question #477

Which of the following should be included in a hardware retention policy?

The correct answer is D. A plan to retain data required only for business purposes and a retention schedule. A hardware retention policy should define what data must be kept, for how long, and for what purposes, rather than mandating blanket retention of all data or arbitrary timeframes.

Submitted by wei.xz· Mar 5, 2026Asset Security

Question

Which of the following should be included in a hardware retention policy?

Options

  • AThe use of encryption technology to encrypt sensitive data prior to retention
  • BRetention of data for only one week and outsourcing the retention to a third-party vendor
  • CRetention of all sensitive data on media and hardware
  • DA plan to retain data required only for business purposes and a retention schedule

How the community answered

(31 responses)
  • A
    3% (1)
  • B
    10% (3)
  • C
    3% (1)
  • D
    84% (26)

Why each option

A hardware retention policy should define what data must be kept, for how long, and for what purposes, rather than mandating blanket retention of all data or arbitrary timeframes.

AThe use of encryption technology to encrypt sensitive data prior to retention

Encryption is a data protection control, not a retention policy element; while encryption may be used alongside retention practices, it addresses confidentiality during storage rather than defining what to retain or for how long.

BRetention of data for only one week and outsourcing the retention to a third-party vendor

Retaining data for only one week is an arbitrary and likely insufficient timeframe that would not satisfy most legal, regulatory, or business requirements, and outsourcing retention does not constitute a comprehensive policy in itself.

CRetention of all sensitive data on media and hardware

Retaining all sensitive data on media and hardware without a defined schedule or business justification leads to unnecessary data accumulation, increased risk exposure, and potential non-compliance with data minimization principles.

DA plan to retain data required only for business purposes and a retention scheduleCorrect

A sound hardware retention policy includes a clearly defined plan specifying which data is retained based on business or legal necessity, paired with a structured retention schedule that dictates how long each category of data is kept. This approach balances compliance requirements, storage costs, and risk management by avoiding unnecessary data hoarding while ensuring required data is preserved appropriately. Retention schedules also facilitate timely and secure disposal of data that no longer serves a business or regulatory purpose.

Concept tested: Hardware and data retention policy best practices

Source: https://learn.microsoft.com/en-us/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview

Topics

#data retention policy#data lifecycle management#information governance#compliance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice