Meeting Data Storage and Security Requirements for International Expansion | CompTIA CASP+ Exam Prep

Implementing Data Storage and Security Requirements for International Expansion

Question

A business is growing and starting to branch out into other locations.

In anticipation of opening an office in a different country, the Chief Information Security Officer (CISO) and legal team agree they need to meet the following criteria regarding data to open the new office:

- Store taxation-related documents for five years
- Store customer addresses in an encrypted format
- Destroy customer information after one year
- Keep data only in the customer's home country

Which of the following should the CISO implement to BEST meet these requirements? (Choose three.)

Answers

A. Capacity planning policy
B. Data retention policy
C. Data classification standard
D. Legal compliance policy
E. Data sovereignty policy
F. Backup policy
G. Acceptable use policy
H. Encryption standard

Explanations

BEH.

To meet the given requirements, the Chief Information Security Officer (CISO) should implement the following policies:

B. Data retention policy: This policy should be implemented to ensure that taxation-related documents are stored for five years and that customer information is destroyed after one year. The policy should state the duration for which each category of data is retained, the method of data destruction, and the responsibilities of the employees who handle the data.

C. Data classification standard: This standard should be implemented to classify data according to its sensitivity and importance. Customer addresses should be classified as sensitive data and stored in an encrypted format. The standard should define the classification criteria and the access controls and handling procedures for each category of data.

E. Data sovereignty policy: This policy should be implemented to ensure that data is kept only in the customer's home country. It should define the data storage requirements and the restrictions on transferring data outside that country, and it should include procedures for monitoring and reporting any violations.

In addition to these policies, the CISO may also implement the following measures:

H. Encryption standard: To ensure that customer addresses are stored in an encrypted format, an encryption standard should be implemented. The standard should specify the encryption algorithm, the required key strength, and the key management procedures.

D. Legal compliance policy: This policy should be implemented to ensure that the organization complies with all relevant laws and regulations on data storage and protection. It should set out the legal requirements for data storage, retention, and destruction, and include procedures for monitoring and reporting any violations of those requirements.

F. Backup policy: To ensure that the data is not lost due to hardware failure or other disasters, a backup policy should be implemented. The backup policy should specify the frequency of backups, the retention period for backups, and the backup storage location.

A. Capacity planning policy and G. Acceptable use policy are not directly related to the given requirements and are not needed to meet them.

In summary, the CISO should implement a data retention policy, a data classification standard, and a data sovereignty policy to meet the given requirements. Additional measures such as an encryption standard, a legal compliance policy, and a backup policy can also be implemented to ensure data protection and availability.
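As an added illustration, not part of this exam prep page or of any vendor's code, the Python below shows how the retention, classification, sovereignty and encryption requirements in the question become checks that can be run against stored records (the "policy as code" view a CISO would ask engineering to build). The record layout, the 365-day year, the country codes, the sample records and the encrypted-field envelope (algorithm name, key id, ciphertext) are all assumptions constructed for this example.

```python
"""Policy-as-code audit of the four data requirements in the question.

Constructed example: record layout, sample data and envelope format are
assumptions, not a format from the page or from any product.
"""
from dataclasses import dataclass, field
from datetime import date

# Data retention policy, derived from the question:
#   tax documents must be KEPT for at least five years,
#   customer information must be DESTROYED after one year.
# A 365-day year is a simplification for this example.
MIN_RETENTION_DAYS = {"tax_document": 5 * 365}
MAX_RETENTION_DAYS = {"customer_record": 365}

# Data classification standard: which fields of which record category are
# sensitive and must therefore be stored encrypted (customer addresses here).
SENSITIVE_FIELDS = {"customer_record": {"address"}}

# Encryption standard: algorithms the audit accepts for sensitive fields.
APPROVED_ALGORITHMS = {"AES-256-GCM"}


@dataclass
class Record:
    record_id: str
    category: str            # "tax_document" or "customer_record"
    created: date
    home_country: str        # customer's home country (ISO code, constructed)
    storage_country: str     # country where the record is physically stored
    fields: dict = field(default_factory=dict)


def is_encrypted_envelope(value) -> bool:
    """A field counts as encrypted only when it is an envelope that names an
    approved algorithm and a key id and carries ciphertext (assumed layout)."""
    return (
        isinstance(value, dict)
        and value.get("alg") in APPROVED_ALGORITHMS
        and bool(value.get("key_id"))
        and bool(value.get("ciphertext"))
    )


def retention_decision(record: Record, today: date) -> str:
    """Apply the retention policy to one record as of `today`."""
    age_days = (today - record.created).days
    if record.category in MIN_RETENTION_DAYS:
        # tax documents: must still be retained until five years have passed
        limit = MIN_RETENTION_DAYS[record.category]
        return "retain" if age_days < limit else "retention_met"
    if record.category in MAX_RETENTION_DAYS:
        # customer information: must be destroyed once a year has passed
        limit = MAX_RETENTION_DAYS[record.category]
        return "retain" if age_days < limit else "destroy"
    return "no_rule"


def policy_findings(record: Record, today: date) -> list:
    """Return the policy violations for one record (empty list = compliant)."""
    findings = []
    # data sovereignty: data stays in the customer's home country
    if record.storage_country != record.home_country:
        findings.append(
            f"sovereignty: stored in {record.storage_country}, "
            f"home country is {record.home_country}"
        )
    # data classification + encryption standard: sensitive fields encrypted
    for name in SENSITIVE_FIELDS.get(record.category, ()):
        if name in record.fields and not is_encrypted_envelope(record.fields[name]):
            findings.append(f"classification: field '{name}' is not stored encrypted")
    # data retention: customer information past one year must be destroyed
    if retention_decision(record, today) == "destroy":
        findings.append("retention: customer information older than one year must be destroyed")
    return findings


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("T1", "tax_document", date(2021, 1, 1), "DE", "DE"),
    Record("T2", "tax_document", date(2018, 1, 1), "DE", "DE"),
    Record("C1", "customer_record", date(2024, 1, 1), "DE", "DE",
           {"address": {"alg": "AES-256-GCM", "key_id": "kms-key-1",
                        "ciphertext": "b64:...constructed..."}}),
    Record("C2", "customer_record", date(2023, 1, 1), "DE", "US",
           {"address": "Hauptstrasse 1, Berlin"}),   # plaintext, wrong country, too old
]


def audit(records, today: date) -> dict:
    """Map each record id to its list of findings."""
    return {r.record_id: policy_findings(r, today) for r in records}


if __name__ == "__main__":
    as_of = date(2024, 6, 1)
    for r in SAMPLE_RECORDS:
        print(r.record_id, retention_decision(r, as_of), policy_findings(r, as_of))
```

Run as of 2024-06-01, the two tax documents come back as "retain" and "retention_met", the well-formed customer record has no findings, and the last record produces three findings (wrong storage country, plaintext address, overdue destruction), which is exactly the set of failures the three chosen policies are meant to prevent.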