CISSP · Question #596
An organization has a short-term agreement with a public Cloud Service Provider (CSP). Which of the following BEST protects sensitive data once the agreement expires and the assets are reused?
The correct answer is C. Use a contractual agreement to ensure the CSP wipes the data from the storage environment.. When a cloud agreement expires, the organization must ensure sensitive data is properly sanitized from CSP infrastructure before assets are reused. A contractual obligation placed on the CSP is the most direct and enforceable mechanism for achieving this.
Question
An organization has a short-term agreement with a public Cloud Service Provider (CSP). Which of the following BEST protects sensitive data once the agreement expires and the assets are reused?
Options
- ARecommended that the business data owners use continuous monitoring and analysis of
- BRecommend that the business data owners use internal encryption keys for data-at-rest and data-
- CUse a contractual agreement to ensure the CSP wipes the data from the storage environment.
- DUse a National Institute of Standards and Technology (NIST) recommendation for wiping data on
How the community answered
(16 responses)- A6% (1)
- B13% (2)
- C75% (12)
- D6% (1)
Why each option
When a cloud agreement expires, the organization must ensure sensitive data is properly sanitized from CSP infrastructure before assets are reused. A contractual obligation placed on the CSP is the most direct and enforceable mechanism for achieving this.
Continuous monitoring and analysis addresses ongoing threat detection but does not address data remnants on CSP storage after the agreement expires and assets are repurposed.
While internal encryption keys protect data confidentiality during the agreement, they do not ensure the actual destruction of data remnants on CSP storage once the contract ends and keys are revoked.
A contractual agreement legally obligates the CSP to wipe data from storage environments upon agreement termination, ensuring data sanitization before asset reuse. This is the most effective control because the organization does not have direct physical access to cloud infrastructure, making contractual enforcement the primary lever. This aligns with cloud data lifecycle management best practices, where data destruction clauses in Service Level Agreements (SLAs) or contracts are the standard mechanism for protecting residual data.
NIST guidelines for data wiping apply to media under the organization's direct control; the organization cannot physically apply wiping procedures to CSP-managed infrastructure, making this impractical in a cloud context.
Concept tested: Cloud data sanitization via contractual CSP obligations
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-188.pdf
Topics
Community Discussion
No community discussion yet for this question.