nerdexam
(ISC)2

CISSP · Question #596

An organization has a short-term agreement with a public Cloud Service Provider (CSP). Which of the following BEST protects sensitive data once the agreement expires and the assets are reused?

The correct answer is C. Use a contractual agreement to ensure the CSP wipes the data from the storage environment.. When a cloud agreement expires, the organization must ensure sensitive data is properly sanitized from CSP infrastructure before assets are reused. A contractual obligation placed on the CSP is the most direct and enforceable mechanism for achieving this.

Submitted by suresh_in· Mar 5, 2026Asset Security

Question

An organization has a short-term agreement with a public Cloud Service Provider (CSP). Which of the following BEST protects sensitive data once the agreement expires and the assets are reused?

Options

  • ARecommended that the business data owners use continuous monitoring and analysis of
  • BRecommend that the business data owners use internal encryption keys for data-at-rest and data-
  • CUse a contractual agreement to ensure the CSP wipes the data from the storage environment.
  • DUse a National Institute of Standards and Technology (NIST) recommendation for wiping data on

How the community answered

(16 responses)
  • A
    6% (1)
  • B
    13% (2)
  • C
    75% (12)
  • D
    6% (1)

Why each option

When a cloud agreement expires, the organization must ensure sensitive data is properly sanitized from CSP infrastructure before assets are reused. A contractual obligation placed on the CSP is the most direct and enforceable mechanism for achieving this.

ARecommended that the business data owners use continuous monitoring and analysis of

Continuous monitoring and analysis addresses ongoing threat detection but does not address data remnants on CSP storage after the agreement expires and assets are repurposed.

BRecommend that the business data owners use internal encryption keys for data-at-rest and data-

While internal encryption keys protect data confidentiality during the agreement, they do not ensure the actual destruction of data remnants on CSP storage once the contract ends and keys are revoked.

CUse a contractual agreement to ensure the CSP wipes the data from the storage environment.Correct

A contractual agreement legally obligates the CSP to wipe data from storage environments upon agreement termination, ensuring data sanitization before asset reuse. This is the most effective control because the organization does not have direct physical access to cloud infrastructure, making contractual enforcement the primary lever. This aligns with cloud data lifecycle management best practices, where data destruction clauses in Service Level Agreements (SLAs) or contracts are the standard mechanism for protecting residual data.

DUse a National Institute of Standards and Technology (NIST) recommendation for wiping data on

NIST guidelines for data wiping apply to media under the organization's direct control; the organization cannot physically apply wiping procedures to CSP-managed infrastructure, making this impractical in a cloud context.

Concept tested: Cloud data sanitization via contractual CSP obligations

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-188.pdf

Topics

#Cloud security#Data sanitization#Data disposal#Contractual agreements

Community Discussion

No community discussion yet for this question.

Full CISSP Practice