Domain 2 of 8 · Chapter 5 of 6

Asset Retention

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • Retention as a requirement-driven decision
  • Legal hold and defensible disposal
  • End-of-life, end-of-support, and unsupported components
  • Exam-pattern recognition

End-of-life vs end-of-support: what changes and what the leader does

AspectEnd-of-Life (EOL)End-of-Support (EOS)
What the vendor stopsSelling and active feature development of the productIssuing security patches, updates, and fixes
Security impactLow on its own: the product still gets patches for a timeHigh: new vulnerabilities are never fixed; exposure widens over time
The date to manage againstUseful for planning the migration runwayThe hard deadline: cross it unmanaged and the asset is unpatchable
Primary responsePlan replacement / migration before EOS arrivesReplace, or provide alternative support; else isolate + compensating controls (SA-22)

Cheat sheet

  • Retention periods are set by external obligation, not storage convenience
  • Over-retention is a liability, so dispose on schedule once the period ends
  • Retention follows the data even after it leaves the system
  • Retention is set with legal and records management, not by IT alone
  • A legal hold suspends the retention schedule and overrides routine destruction
  • Held data returns to the normal schedule only after the hold is released
  • Defensible disposal requires a scheduled, consistent, hold-aware, evidenced process
  • A certificate of destruction closes the audit loop on disposal
  • Retention decides when to dispose; data-lifecycle decides how to destroy
  • End-of-support, not end-of-life, is the security event
  • "It still runs" is not a security position for an EOS asset
  • For an unsupported component, SA-22 allows only replace or provide alternative support
  • When replacement is infeasible, isolate the EOS asset and apply compensating controls
  • Running an unsupported asset means formally accepting documented residual risk
  • Vendors publish lifecycle dates so you manage against them, not get surprised
  • The BEST answer for an EOS asset is the risk-managed middle, not either extreme
  • Record-retention is a legal clock; MTD/RTO/RPO are continuity tolerances
  • A mandatory legal-retention obligation can override an erasure request, and conflicts default to the longest period
  • Place an eDiscovery/legal hold before terminating access, and confirm the hold's scope

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations (SI-12 Information Management and Retention; SA-22 Unsupported System Components) Whitepaper
  2. NIST SP 800-88 Rev. 1: Guidelines for Media Sanitization (clear/purge/destroy; cross-reference for disposal execution) Whitepaper
  3. Microsoft Lifecycle FAQ: Fixed vs Modern Lifecycle Policy (defined end-of-support dates)