ISC2 Governance, Risk and Compliance (CGRC) Practice Question
While retiring a self-encrypting solid-state storage array that held Controlled Unclassified Information, which action best satisfies NIST SP 800-88 Rev. 1 requirements for sanitization before the hardware is transferred to a reseller?
Issue a cryptographic erase command that destroys the media encryption keys and verify purge completion
Perform one random overwrite pass on selected logical volumes and run SMART self-tests
Power down the array, remove asset tags, and rely on the drive's built-in garbage collection to clear data
Retain one encrypted backup offsite and ship the drives intact to the reseller under non-disclosure agreement
NIST SP 800-88 Rev. 1 states that, for self-encrypting media, a cryptographic erase, which destroys the encryption keys and makes all stored data unrecoverable, meets the purge standard. A single overwrite of selected areas, simply removing asset tags, or relying on contractual protections does not ensure that data is permanently unrecoverable and therefore does not satisfy NIST's purge or destroy requirements.