Certified in Risk and Information Systems Control (CRISC) — Question 865

Which of the following should a risk practitioner recommend be done prior to disposal of server hardware containing confidential data?

Answer options

• A. Update the asset inventory
• B. Encrypt the backup
• C. Remove all user access
• D. Destroy the hard drives

Correct answer: D

Explanation

The correct answer is D, as physically destroying the hard drives ensures that the confidential data cannot be recovered. Updating the asset inventory, encrypting the backup, and removing user access do not adequately secure the data on the hardware that is being disposed of.