An IS auditor is conducting a review of an organization's information systems and discovers data that is no longer needed by business applications.
Which of the following would be the IS auditor's BEST recommendation?
A. B. C. D.A.
The BEST recommendation for the IS auditor in this scenario would be option B, which is to assess the data according to the retention policy.
Here's a detailed explanation of each option:
A. Ask the data custodian to remove it after confirmation from the business user. This option implies that the data custodian has the authority and knowledge to remove the data. However, it is possible that the data is still needed for legal or regulatory compliance purposes, or for historical reference. Therefore, it is not advisable to remove data without a clear understanding of its significance.
B. Assess the data according to the retention policy. This option is the best recommendation for the IS auditor. The retention policy specifies the period for which data needs to be retained, and after that period, it can be safely disposed of. Assessing the data according to the retention policy ensures that data that is no longer needed can be securely disposed of, while retaining the data that needs to be kept for a specific period.
C. Back up the data to removable media and store in a secure area. This option implies that the data is still valuable, but no longer needed by business applications. However, it is not a practical solution to back up and store all data that is no longer needed. Additionally, this increases the risk of the data being accessed by unauthorized individuals.
D. Keep the data and protect it using a data classification policy. This option implies that the data is still valuable, but no longer needed by business applications. However, it is not a practical solution to keep all data that is no longer needed. Additionally, this increases the risk of the data being accessed by unauthorized individuals. Furthermore, protecting the data using a data classification policy does not necessarily mean that it is required to be retained.
In summary, the BEST recommendation for the IS auditor is to assess the data according to the retention policy.