Page 331 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Declassification involves any process that purges media or a system in preparation for reuse in an unclassified environment. Sanitization methods can be used to prepare media for declassification, but often the effort required to securely declassify media is significantly greater than the cost of new media for a less secure environment. Additionally, even though purged data is not recoverable using any known methods, there is a remote possibility that an unknown method is available. Instead of taking the risk, many organizations choose not to declassify any media and instead destroy it when it is no longer needed.


Ensuring Appropriate Asset Retention

Retention requirements apply to data or records, media holding sensitive data, systems that process sensitive data, and personnel who have access to sensitive data. Record retention and media retention are the most important elements of asset retention.

Record retention involves retaining and maintaining important information as long as it is needed and destroying it when it is no longer needed. An organization's security policy or data policy typically identifies retention timeframes. Some laws and regulations dictate the length of time that an organization should retain data, such as three years, seven years, or even indefinitely. Organizations have the responsibility of identifying laws and regulations that apply and complying with them. However, even in the absence of external requirements, an organization should still identify how long to retain data.

As an example, many organizations require the retention of all audit logs for a specific amount of time. The time period can be dictated by laws, regulations, requirements related to partnerships with other organizations, or internal management decisions. These audit logs allow the organization to reconstruct the details of past security incidents. When an organization doesn't have a retention policy, administrators may delete valuable data earlier than management expects them to or attempt to keep data indefinitely. The longer data is retained, the more it costs in terms of media, locations to store it, and personnel to protect it.
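As an added example (not from the study guide), the following Python encodes a retention schedule with the kinds of periods mentioned above (three years, seven years, indefinite), computes when each record first becomes eligible for destruction, and refuses a deletion that would fall before that date, which is the premature-deletion failure described in the text. The category names, periods and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule (assumption): retention period in years per
# record category; None means retain indefinitely (e.g. records under legal hold).
RETENTION_YEARS = {"audit_log": 3, "financial": 7, "legal_hold": None}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date

def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; 29 Feb rolls to 1 Mar in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

def destruction_date(record: Record):
    """Earliest date the record may be destroyed, or None if retained indefinitely.
    An unknown category raises rather than silently allowing destruction."""
    if record.category not in RETENTION_YEARS:
        raise ValueError(f"no retention period defined for {record.category!r}")
    years = RETENTION_YEARS[record.category]
    return None if years is None else add_years(record.created, years)

def evaluate(records, today: date):
    """Split records into those eligible for destruction on 'today' and those
    that must still be retained."""
    eligible, retain = [], []
    for r in records:
        due = destruction_date(r)
        (eligible if due is not None and due <= today else retain).append(r.record_id)
    return eligible, retain

def deletion_permitted(record: Record, deleted_on: date) -> bool:
    """True only if deleting on 'deleted_on' honours the retention period; False
    marks a deletion earlier than the policy allows."""
    due = destruction_date(record)
    return due is not None and deleted_on >= due

if __name__ == "__main__":
    sample = [  # constructed records
        Record("audit-2020-01", "audit_log", date(2020, 1, 15)),
        Record("ledger-2020", "financial", date(2020, 1, 15)),
        Record("case-0042", "legal_hold", date(2010, 6, 1)),
    ]
    print(evaluate(sample, date(2023, 6, 1)))
```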