Certified in Risk and Information Systems Control (CRISC) — Question 240

Which of the following should be done FIRST when information is no longer required to support business objectives?

Answer options

• A. Assess the information against the retention policy.
• B. Archive the information to a backup database.
• C. Securely and permanently erase the information.
• D. Protect the information according to the classification policy.

Correct answer: A

Explanation

The first action is to assess the information against the retention policy to determine its status and whether it can be disposed of or archived. Archiving, erasing, or protecting the information comes after this assessment. Therefore, options B, C, and D are not the first steps to address the situation.