Effective CISSP Questions

Your company is retiring 50 personal computers and 50 laptops that have been depreciated over 5 years and carry a negligible residual book value. Employees have first priority to buy the retired devices for personal or home use; the remaining devices will be sold to the public. Full disk encryption is enabled on all the laptops to protect their data while mobile. To best address the issue of data remanence, which of the following should be conducted?
A. Use the operating system companion utility to fully format all the disks
B. Use the “reset to factory default” function to remove all the data on personal computers and laptops
C. Use the vendor-provided utility with the dedicated commands to purge all the data
D. Crypto-erase the disks on the laptops and degauss the magnetic disks on the personal computers

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Use the vendor-provided utility with the dedicated commands to purge all the data.

Figure: Sanitization and Disposition Decision Flow (source: NIST SP 800-88 R1)

Reuse and Organization Control

The retired devices will be reused and are leaving the company's control, so the data on their disks must be cleared or purged to address data remanence.

Sanitizing Methods

Sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort.

Source: NIST SP 800-88 R1

There are three methods to sanitize media or remove residual information remaining on storage media:

  • Clear: uses standard read and write commands; data is recoverable using state-of-the-art laboratory techniques.
  • Purge: uses dedicated, standardized device sanitizing commands; data is unrecoverable using state-of-the-art laboratory techniques.
  • Destroy: data is unrecoverable and the media is unreusable.
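To make the decision flow concrete, here is an added example (my own model, not code from the post or from NIST) that walks a retired device through the reuse and organization-control questions and then picks a technique that reaches the required level. The mapping from confidentiality categorization to clear/purge is my reading of the SP 800-88 R1 decision flow (low: clear; moderate: purge only when leaving control; high: purge), and the inventory is constructed, with a "moderate" categorization assumed because the question does not state one. Crypto-erase is offered only when encryption has covered every byte written to the media, which is the condition under which it qualifies as a purge.

```python
"""Sanitization decision flow per NIST SP 800-88 Rev 1, as a small model (added example)."""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    CLEAR = "clear"      # standard read/write commands; lab-recoverable
    PURGE = "purge"      # dedicated sanitize commands; not lab-recoverable
    DESTROY = "destroy"  # media cannot be reused


@dataclass(frozen=True)
class Device:
    name: str
    media: str             # "magnetic" or "flash"
    categorization: str    # confidentiality impact of the data: low / moderate / high
    reuse: bool            # will the media be reused (resold, donated, redeployed)?
    leaving_control: bool  # does the media leave the organization's control?
    fde_since_first_write: bool = False  # encryption covered every byte ever written


def minimum_level(d: Device) -> Level:
    """Walk the decision flow to the minimum acceptable sanitization level.

    Assumption: this is my reading of the SP 800-88 R1 flow (low -> clear;
    moderate -> purge only when leaving control; high -> purge). The post
    itself only states that media leaving the company must be cleared or purged.
    """
    if not d.reuse:
        return Level.DESTROY
    if d.categorization == "low":
        return Level.CLEAR
    if d.categorization == "moderate":
        return Level.PURGE if d.leaving_control else Level.CLEAR
    if d.categorization == "high":
        return Level.PURGE
    raise ValueError(f"unknown categorization {d.categorization!r}")


def technique(d: Device, level: Level) -> str:
    """Pick a concrete technique that actually reaches the required level."""
    if level is Level.CLEAR:
        return "overwrite through standard read/write commands"
    if level is Level.PURGE:
        if d.fde_since_first_write:
            # Crypto-erase only counts as purge when no plaintext ever hit the media.
            return "crypto-erase via the drive's dedicated sanitize command"
        return "vendor utility issuing the dedicated device sanitize command"
    # DESTROY: degaussing is valid for magnetic media only, and the media is not reusable.
    if d.media == "magnetic":
        return "degauss (magnetic media only; media is no longer reusable)"
    return "shred, disintegrate, pulverize or incinerate (media is no longer reusable)"


def plan(devices):
    """Return (device name, required level, technique) for each device."""
    out = []
    for d in devices:
        lvl = minimum_level(d)
        out.append((d.name, lvl.value, technique(d, lvl)))
    return out


# Constructed inventory mirroring the question; categorization assumed moderate.
RETIRED = [
    Device("laptop-fleet", "flash", "moderate", reuse=True, leaving_control=True,
           fde_since_first_write=True),
    Device("desktop-fleet", "magnetic", "moderate", reuse=True, leaving_control=True),
]

if __name__ == "__main__":
    for name, lvl, how in plan(RETIRED):
        print(f"{name}: {lvl} -> {how}")
```

Running the model on the constructed inventory yields "purge" for both fleets: crypto-erase for the encrypted laptops and the dedicated sanitize command for the desktops, which is why degaussing (a destroy technique that leaves nothing to resell) does not fit a scenario where the devices are to be reused.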

Clear and Purge

  • Purging is stronger than clearing: purged data cannot be recovered using state-of-the-art laboratory techniques, while cleared data can.
  • Crypto-erase is one type of purge that sanitizes data on flash memory-based, RAM-based, and ROM-based storage.
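The reason crypto-erase counts as a purge, and the one condition it depends on, is easiest to see in a small simulation. The following is an added example written for this post (not from NIST or the author): a toy drive keeps a media encryption key in a key slot and XORs each sector with a keystream derived from that key. The keystream construction (HMAC-SHA256 over a sector counter) is an assumption standing in for the real sector cipher of a self-encrypting drive. After the key slot is wiped, a laboratory reading the raw cells finds only ciphertext for anything written under encryption, but it still finds any sector written before encryption was enabled, which is why the laptops in the question are good candidates only because full disk encryption was on from the start.

```python
"""Toy model of crypto-erase as a purge technique (added example)."""
import hashlib
import hmac
import secrets

SECTOR = 64  # bytes per simulated sector


def _keystream(key: bytes, sector_no: int) -> bytes:
    # Assumption: an HMAC-SHA256 counter keystream stands in for the real
    # sector cipher (e.g. XTS-AES on a production self-encrypting drive).
    out = b""
    block = 0
    while len(out) < SECTOR:
        msg = sector_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:SECTOR]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedDrive:
    """Raw media cells plus a key slot, mirroring a self-encrypting drive."""

    def __init__(self, sectors: int) -> None:
        self.cells = [bytes(SECTOR)] * sectors  # what is physically on the media
        self.mek = None          # media encryption key; None means no key present
        self.fde_enabled = False

    def enable_fde(self) -> None:
        """Generate a media encryption key; only writes after this are encrypted."""
        self.mek = secrets.token_bytes(32)
        self.fde_enabled = True

    def write(self, sector_no: int, data: bytes) -> None:
        padded = data.ljust(SECTOR, b"\0")[:SECTOR]
        if self.fde_enabled:
            padded = _xor(padded, _keystream(self.mek, sector_no))
        self.cells[sector_no] = padded

    def read(self, sector_no: int) -> bytes:
        """Normal host read: decrypts while a key is present."""
        raw = self.cells[sector_no]
        if self.fde_enabled and self.mek is not None:
            return _xor(raw, _keystream(self.mek, sector_no))
        return raw

    def crypto_erase(self) -> None:
        """The dedicated purge command: destroy the key, leave the ciphertext in place."""
        self.mek = None

    def lab_read(self, sector_no: int) -> bytes:
        """What a laboratory sees reading the cells directly, bypassing the controller."""
        return self.cells[sector_no]


def remanence_after_crypto_erase() -> dict:
    """Report which constructed secrets are still recoverable from the raw media."""
    drive = SimulatedDrive(sectors=4)
    legacy_secret = b"payroll export written before FDE was turned on"     # constructed
    protected_secret = b"customer list written after FDE was turned on"    # constructed

    drive.write(0, legacy_secret)     # lands in plaintext: FDE not yet enabled
    drive.enable_fde()
    drive.write(1, protected_secret)  # lands as ciphertext

    drive.crypto_erase()

    return {
        "written_before_fde_recoverable": legacy_secret in drive.lab_read(0),
        "written_under_fde_recoverable": protected_secret in drive.lab_read(1),
        "host_read_after_erase_matches": drive.read(1) == protected_secret.ljust(SECTOR, b"\0"),
    }


if __name__ == "__main__":
    for check, result in remanence_after_crypto_erase().items():
        print(f"{check}: {result}")
```

The sector written before encryption was enabled survives the key destruction unchanged, so a real sanitization procedure verifies that the drive was encrypting from first use (or falls back to the device's full sanitize command) before relying on crypto-erase.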

Destroy

  • Destroyed media cannot be reused. Degaussing and other approaches, such as incineration, shredding, disintegrating, and pulverizing, destroy the media.
  • Degaussing applies to magnetic media only.

NIST Guidelines for Media Sanitization

  • Protection of information is paramount. That information may be on paper, optical, electronic or magnetic media.
  • An organization may choose to dispose of media by charitable donation, internal or external transfer, or by recycling it in accordance with applicable laws and regulations if the media is obsolete or no longer usable.
  • This guide will assist organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information.

Source: NIST SP 800-88 R1


2 thoughts on “CISSP PRACTICE QUESTIONS – 20190925”

    • Thank you for your feedback, Nancy! It is a great question. Your thinking is more comprehensive. This question oversimplified the scenario and assumed the vendor-provided utility invokes the dedicated storage sanitization commands, contrasted with a GUI or CLI that typically uses standard I/O commands. The sanitization process typically entails many verifications, e.g., equipment and tools, personnel competencies, sanitization results, etc. NIST SP 800-88 R1 is a good source for media sanitization.
