Correct Answer: A
The auditor should check electronic storage media to ensure records are not retained past their destruction date when conducting a periodic audit on media retention. Media retention is the process of keeping and maintaining the media that store the data or information for a certain period of time or indefinitely, depending on the purpose, value, or requirement of the data or information. Media retention can help to ensure the availability, accessibility, and usability of the data or information for future reference, analysis, or evidence.
However, media retention also faces various challenges and risks, such as the degradation, corruption, or loss of the media, the violation of the privacy, security, or compliance of the data or information, or the cost, complexity, or scalability of the media. Therefore, media retention should follow a well-defined policy and procedure that specify the criteria, standards, and regulations for the retention and destruction of the media, such as the type, format, location, duration, frequency, and method of the retention and destruction of the media. The auditor should check electronic storage media to ensure records are not retained past their destruction date when conducting a periodic audit on media retention, by verifying and validating that the electronic storage media, such as hard disks, flash drives, or tapes, that store the data or information that have reached or exceeded their retention period or expiration date, are properly and securely destroyed or erased, and that no traces or remnants of the data or information remain on the media. This can help to prevent or reduce the unauthorized, excessive, or inappropriate retention of the data or information, as well as to identify and resolve any retention or destruction issues or anomalies. Ensuring authorized personnel are in possession of paper copies containing Personally Identifiable Information, checking that hard disks containing backup data that are still within a retention cycle are being destroyed, or ensuring that data shared with outside organizations is no longer on a retention schedule are not the actions that the auditor should do when conducting a periodic audit on media retention, as they are either irrelevant, incorrect, or incomplete actions for the media retention audit. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10:
Business Continuity and Disaster Recovery Planning, page 613; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 7: Security Operations, Question 7.8, page 273.