CISSP · Question #871
While inventorying storage equipment, it is found that there are unlabeled, disconnected, and powered off devices. Which of the following is the correct procedure for handling such equipment?
The correct answer is C. They should be inspected and sanitized following the organizational policy.. When unlabeled and disconnected storage devices are discovered during an inventory, organizations must follow established procedures to assess and properly handle potentially sensitive data before any disposal or reuse decision.
Question
While inventorying storage equipment, it is found that there are unlabeled, disconnected, and powered off devices. Which of the following is the correct procedure for handling such equipment?
Options
- AThey should be recycled to save energy.
- BThey should be recycled according to NIST SP 800-88.
- CThey should be inspected and sanitized following the organizational policy.
- DThey should be inspected and categorized properly to sell them for reuse.
How the community answered
(19 responses)- A11% (2)
- B5% (1)
- C79% (15)
- D5% (1)
Why each option
When unlabeled and disconnected storage devices are discovered during an inventory, organizations must follow established procedures to assess and properly handle potentially sensitive data before any disposal or reuse decision.
Recycling without inspection or sanitization risks exposing sensitive data still present on the devices, and simply saving energy is not a valid data security justification for disposal.
NIST SP 800-88 provides sanitization guidance but applies after inspection and classification; jumping directly to recycling under this standard skips the mandatory inspection step required to determine the appropriate sanitization method.
Unknown storage devices must first be inspected to determine their contents and classification, then sanitized according to organizational policy to prevent unauthorized data disclosure. Organizational policy typically references frameworks like NIST SP 800-88 for sanitization methods, but the first step is always inspection and classification before choosing a disposal or sanitization method. Skipping inspection risks improperly handling devices that may contain sensitive or regulated data.
Selling devices for reuse without first inspecting and sanitizing them poses a significant data breach risk, and resale is only appropriate after proper sanitization has been confirmed, not as the primary procedure.
Concept tested: Media sanitization and storage device handling procedures
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Topics
Community Discussion
No community discussion yet for this question.