| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 5.2 - Establishing Information & Asset Handling Requirements (Part 2 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series completes the Domain 2 topic of establishing information and asset handling requirements, following sensitive data toward the end of its life — how it should be stored, what really happens when it is erased, and how organizations decide when it is finally time to let it go.
What this episode covers
- Storing sensitive data safely — encryption first, then physical security and climate control for the media.
- Why erasing does not delete — a delete removes the pointer while the bits stay recoverable on the drive.
- Data remanence — magnetic traces and slack space survive erasure, and degaussing only works on magnetic media.
- The destruction ladder — erasing, clearing, purging, degaussing, and physical destruction, from weakest to absolute.
- Cryptographic erasure — destroying the keys locks encrypted data forever, especially useful in the cloud.
- How long to keep data — retain data only as long as it is needed and the law requires, then let it go.
- End of life and end of support — the vendor milestones that time hardware refresh cycles.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How do you store sensitive data safely?
You wrap it in layers that survive both theft and disaster. Encryption comes first, so a stolen drive reveals nothing usable, and for physical media you add real physical security, like a locked safe inside a secure room. Climate controls matter too, since heat and humidity quietly ruin tapes and disks, and the data is worth far more than the media, so buy quality — even encrypted drives with a fingerprint lock.
Why does erasing a file not truly delete it?
Because a normal delete just removes the signpost, not the data. The system drops the directory entry, but the actual bits sit untouched on the drive until something new happens to overwrite that exact spot, which can take months. Until then, a simple undelete tool can bring the file right back.
What is data remanence, and how do you eliminate it?
It is the ghost of data that survives after supposed erasure — faint magnetic traces and leftover slack space on a drive can still hold secrets, and even careful overwriting can leave whispers that forensic tools recover. For magnetic media, a degausser scrambles the magnetic field and wipes it clean. But a degausser does nothing for a solid-state drive, so those often need physical destruction.
What is cryptographic erasure, and where does it shine?
It is destroying the encryption keys instead of the data itself, leaving the information locked forever and unreadable. The name is a little misleading, because the scrambled data physically remains, so you should still overwrite it — weak encryption or a stray backup key could reopen it. This method truly shines in the cloud, where destroying the keys may be your only real path to deletion.
How long should you keep your data?
Long enough to be useful, and no longer. Some laws set fixed retention periods, and you must find and follow every one that applies, and even without a legal mandate you still need a clear policy, or people will guess. Overkeeping data is a liability, and a warehouse of ancient backup tapes can turn a lawsuit into a nightmare.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 5.2 - Establishing Information & Asset Handling Requirements (Part 2 of 2).