Your company sells toys online and ships globally. The business has been supported by a 3-tier web system for around four years. To improve transaction performance, the database server is equipped with RAID 5 storage composed of three 1TB SSDs (solid-state drives), each with a 3-year MTBF (mean time between failures) and warranty. The newly recruited system administrator is planning to replace the SSDs with new ones of higher capacity. The customer data in the database is classified as confidential. Which of the following is the best way to address this issue?
A. Consult the information system owner
B. Destroy the media to avoid disclosure of information
C. Engage the maintenance provider and exchange the SSDs for warranty or cost rebate
D. Upgrade the RAID storage to five 2TB SSDs with 5 years of MTBF
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Consult the information system owner.
The system administrator should follow the security plan when conducting media sanitization and disposition. Besides that, it's good practice to consult the information system owner for information or advice.
As the question doesn't mention a security plan, it's not good practice to take immediate action to address the issue. Options B, C, and D are all immediate actions.
Information System Owner
The information system owner should ensure that maintenance or contractual agreements are in place and are sufficient in protecting the confidentiality of the system media and information commensurate with the impact of disclosure of such information on the organization.
The information owner should ensure that appropriate supervision of onsite media maintenance by service providers occurs, when necessary. The information owner is also responsible for ensuring that they fully understand the sensitivity of the information under their control and that the users of the information are aware of its confidentiality and the basic requirements for media sanitization.
Source: NIST SP 800-88 R1