Certified in Risk and Information Systems Control (CRISC) — Question 1272

Information that is no longer required to support business objectives should be:

Answer options

• A. securely deleted according to the disposal policy.
• B. transferred and archived to an enterprise data vault.
• C. managed according to the retention policy.
• D. recoverable according to the business impact analysis (BIA).

Correct answer: C

Explanation

The correct answer is C because managing information according to the retention policy ensures that data is kept only for as long as it is needed for compliance and business purposes. Options A and B suggest deleting or archiving data that may still be relevant, while D implies that the data should be recoverable, which contradicts the need for proper management based on retention requirements.