Hardware, Software & Data Asset Management
Acquisition, inventory, ownership, and sanitization — the asset lifecycle that determines whether you can actually protect, retire, or recover what your organization owns.
You cannot protect what you do not know you own. Asset management is the discipline that makes every other control possible: if the CMDB does not know a server exists, the patch scanner will not scan it, the SIEM will not ingest its logs, and the incident response team will not know to contain it. Security+ 4.2 walks the entire lifecycle — acquisition, assignment, inventory, monitoring, disposal — and expects you to pick the right safeguard at each stage.
The most heavily tested piece is end-of-life. When a drive leaves your control, data goes with it unless you applied the right destruction method: overwrite (NIST 800-88 purge) works for HDDs; crypto-erase works only if the drive was encrypted from day one; degaussing destroys magnetic media but does nothing to an SSD; physical destruction (shred, incinerate, pulverize) is the last word for regulated data. Miss the match between media and method and you have a breach, not a disposal.
Acquisition and procurement. Security starts before the purchase order. A mature procurement process includes a vendor risk assessment (financial stability, prior breaches, compliance posture), security requirements in the RFP (encryption, logging, support for your identity standards), a Software Bill of Materials (SBOM) review to see what third-party components the product carries, and supply chain vetting for hardware (is the vendor on a restricted list? is there a risk of tampering in transit?). Missing this stage is how backdoored firmware, hard-coded credentials, and unpatched components end up in the environment.
Assignment and accounting. Every asset needs a named owner — a human accountable for its security posture — and a classification label that aligns protection level with value. A laptop assigned to “IT” is a laptop no one owns; a laptop assigned to “Jane Park, DevOps Engineer” has someone who will respond when it goes missing. Classification (public, internal, confidential, restricted) drives encryption, access-control, and disposal decisions.
Monitoring and tracking — inventory is the prerequisite for every other control. The CMDB is the authoritative record. Populate it two ways: active enumeration (network scans, port scans, agent check-ins) and passive discovery (NetFlow, DHCP leases, authentication logs). Active finds what is reachable; passive finds what is talking. You need both because shadow IT, rogue devices, and forgotten lab machines all show up in one and not the other. Automated tagging (cloud resources inherit tags at creation via policy-as-code) keeps inventory fresh without human effort.
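The active-versus-passive reconciliation described above, as an added Python example that is not part of the original page: it joins a constructed CMDB extract, a constructed active-scan result and a constructed DHCP lease log on MAC address (using the MAC as the join key is an assumption) and reports the gaps each source reveals: reachable-but-unknown devices, talking-but-unreachable devices, stale CMDB rows, and rows with no named owner.

```python
import re
from typing import Dict, List

# Constructed CMDB extract keyed by MAC address (assumption: MAC is the join key
# shared by the CMDB, the scanner and the DHCP server).
CMDB: Dict[str, dict] = {
    "00:11:22:33:44:01": {"hostname": "web-01", "owner": "Jane Park"},
    "00:11:22:33:44:02": {"hostname": "db-01", "owner": "Arun Mehta"},
    "00:11:22:33:44:03": {"hostname": "old-lab-07", "owner": "unassigned"},
}

# Constructed active enumeration result: what the network scan / agent check-in reached.
ACTIVE_SCAN: Dict[str, str] = {
    "00:11:22:33:44:01": "10.0.1.10",
    "00:11:22:33:44:02": "10.0.1.20",
    "00:11:22:33:44:09": "10.0.1.99",   # reachable but absent from the CMDB
}

# Constructed DHCP server log (hypothetical line format) used for passive discovery.
DHCP_LOG = """\
2024-03-01T08:00:01 DHCPACK on 10.0.1.10 to 00:11:22:33:44:01 (web-01)
2024-03-01T08:02:14 DHCPACK on 10.0.1.20 to 00:11:22:33:44:02 (db-01)
2024-03-01T08:05:40 DHCPACK on 10.0.1.130 to aa:bb:cc:dd:ee:ff (printer-lobby)
2024-03-01T08:09:03 DHCPACK on 10.0.1.99 to 00:11:22:33:44:09 (DESKTOP-XK12)
2024-03-01T08:10:12 DHCPDISCOVER from 00:11:22:33:44:09 via eth0
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<name>[^)]*)\))?"
)


def parse_dhcp_leases(log_text: str) -> Dict[str, dict]:
    """Passive discovery: one record per MAC from DHCPACK lines; other lines are ignored."""
    leases: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases[m.group("mac").lower()] = {"ip": m.group("ip"), "name": m.group("name") or ""}
    return leases


def reconcile(cmdb: Dict[str, dict], active: Dict[str, str], passive: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare the three views and return the gaps each one reveals."""
    known = set(cmdb)
    seen_active = set(active)
    seen_passive = set(passive)
    return {
        # Reachable by the scanner but unknown to the CMDB: rogue device or shadow IT.
        "unknown_active": sorted(seen_active - known),
        # Talking on the network, never reached by the scanner, unknown to the CMDB.
        "unknown_passive_only": sorted(seen_passive - seen_active - known),
        # Recorded in the CMDB but seen by neither source: retired or forgotten asset.
        "stale_in_cmdb": sorted(known - seen_active - seen_passive),
        # Recorded but without a named human owner.
        "missing_owner": sorted(
            mac for mac, rec in cmdb.items()
            if rec.get("owner", "").strip().lower() in ("", "unassigned")
        ),
    }


def run_reconciliation() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed inputs above."""
    return reconcile(CMDB, ACTIVE_SCAN, parse_dhcp_leases(DHCP_LOG))


if __name__ == "__main__":
    for gap, macs in run_reconciliation().items():
        print(f"{gap}: {', '.join(macs) or '-'}")
```

The printer shows up only passively (no agent, not in the scan window) and the unlabelled desktop shows up in both discovery sources but not in the CMDB; each gap is a different follow-up action, which is why a single source never suffices.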
Disposal and decommissioning — the heart of 4.2 exam content.
- Sanitization (NIST 800-88) — the authoritative framework. Three levels: Clear (logical overwrite, resists keyboard attacks), Purge (overwrite or cryptographic erase, resists lab attacks), Destroy (physical destruction, resists everything). Pick the level based on data sensitivity and reuse intent.
- Overwrite — single or multi-pass write over the entire LBA range. Effective on HDDs. DoD 5220.22-M (3-pass) is the legacy reference; NIST 800-88 now says single-pass is usually sufficient on modern drives.
- Cryptographic erase (crypto-erase) — destroy the encryption key so the encrypted data is unrecoverable. Only valid if the drive was encrypted from day one. Encrypting a drive the day you decommission it does NOT crypto-erase the data that was on it before encryption.
- Degaussing — strong magnetic field disrupts the magnetic recording. Works on HDDs, tape, floppy. Does not work on SSDs (solid-state storage is not magnetic).
- Physical destruction — shredding, pulverizing, incinerating. Highest assurance. Required for many regulated datasets.
- Certification of destruction — third-party certificate documenting who destroyed what, when, and how. Required for regulated data (HIPAA, PCI, FERPA).
Data retention. Retention policy defines how long you must keep data (regulatory minimums) and how long you may keep it (privacy/minimization maximums). The goal is to keep data exactly as long as required — no longer, no shorter. Over-retention is a liability (more data to breach, more data in discovery); under-retention is non-compliance. Retention is different from archival — archival is long-term storage of inactive data; retention is a policy-mandated hold.
| Media | Valid Methods | What Does NOT Work |
|---|---|---|
| Hard disk drive (HDD) | Overwrite (NIST 800-88 purge), degauss, shred | Crypto-erase if drive was never encrypted |
| Solid-state drive (SSD) | Crypto-erase (if encrypted day 1), physical destruction | Degauss (no magnetic domains), single-pass overwrite (wear leveling) |
| Self-encrypting drive (SED) | Crypto-erase (destroy the DEK), physical destruction | Overwrite is slower and no more assured than crypto-erase |
| Magnetic tape | Degauss, physical destruction | Overwrite alone for highly regulated data |
| Optical media (CD/DVD) | Shred, incinerate, pulverize | Erase (read-only media cannot be overwritten) |
| Paper | Cross-cut shred, incinerate | Strip-shred for confidential or higher |
| Mobile device | Factory reset + crypto-erase if encrypted, physical destruction | Simple delete of user data |
| Cloud storage | Delete object + verify tombstone, rotate KMS keys | Assuming the provider erases on delete |
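An added example, not from the page or from CompTIA, that encodes the sanitization list and the media/method table above as a small Python policy check. The media and method names are shorthand for the table rows ("destroy" stands for shred, pulverize or incinerate), and the `Asset` fields and helper names are assumptions. It applies the rule the hospital scenario below relies on (unknown encryption history defaults to destruction) and produces the mixed-fleet plan that the 380-confirmed / 120-unknown SSD question later on this page calls for.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Valid sanitization methods per media type, transcribed from the table above.
VALID_METHODS: Dict[str, Set[str]] = {
    "hdd":     {"overwrite", "degauss", "destroy"},
    "ssd":     {"crypto_erase", "destroy"},
    "sed":     {"crypto_erase", "destroy"},
    "tape":    {"degauss", "destroy"},
    "optical": {"destroy"},
    "paper":   {"crosscut_shred", "incinerate"},
    "mobile":  {"crypto_erase", "destroy"},
}

# Methods that leave the media usable afterwards; everything else consumes it.
NON_DESTRUCTIVE = ("crypto_erase", "overwrite")
DESTRUCTIVE = ("destroy", "crosscut_shred", "incinerate")


@dataclass
class Asset:
    asset_id: str
    media: str
    regulated: bool                            # ePHI, cardholder data, FERPA records ...
    encrypted_from_first_use: Optional[bool]   # None = encryption history unknown
    reuse_intended: bool = False


def validate(asset: Asset, method: str) -> Tuple[bool, str]:
    """Is `method` a defensible way to sanitize `asset`? Returns (ok, reason)."""
    valid = VALID_METHODS.get(asset.media)
    if valid is None:
        return False, f"unknown media type {asset.media!r}"
    if method not in valid:
        return False, f"{method} does not work on {asset.media}"
    if method == "crypto_erase" and asset.encrypted_from_first_use is not True:
        # Key destruction only covers data written while that key was in use.
        return False, "crypto-erase requires proven encryption from first use"
    return True, "ok"


def recommend(asset: Asset) -> str:
    """Non-destructive only when reuse is intended and the method is provably valid;
    otherwise default to physical destruction (the 'when in doubt' rule)."""
    if asset.reuse_intended:
        for method in NON_DESTRUCTIVE:
            if validate(asset, method)[0]:
                return method
    for method in DESTRUCTIVE:
        if validate(asset, method)[0]:
            return method
    raise ValueError(f"no sanitization path for media {asset.media!r}")


def plan_fleet(assets: List[Asset]) -> Dict[str, dict]:
    """Group a fleet by recommended method; regulated data needs a certificate per path."""
    plan: Dict[str, dict] = {}
    for asset in assets:
        entry = plan.setdefault(recommend(asset), {"count": 0, "certificate_required": False})
        entry["count"] += 1
        entry["certificate_required"] = entry["certificate_required"] or asset.regulated
    return plan


def mixed_ssd_fleet() -> List[Asset]:
    """Constructed fleet matching the 380 confirmed / 120 unknown SSD question on this page."""
    confirmed = [Asset(f"ssd-{i:03d}", "ssd", True, True, reuse_intended=True) for i in range(380)]
    unknown = [Asset(f"ssd-u{i:03d}", "ssd", True, None, reuse_intended=True) for i in range(120)]
    return confirmed + unknown


if __name__ == "__main__":
    print(validate(Asset("demo", "ssd", True, True), "degauss"))
    for method, entry in plan_fleet(mixed_ssd_fleet()).items():
        print(method, entry)
```

Note that `encrypted_from_first_use` is tri-state on purpose: "probably on" maps to `None`, and `None` never satisfies the crypto-erase check, which is exactly the audit-trail failure the recycler scenario warns about.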
| Lifecycle Stage | Primary Control | Exam cue |
|---|---|---|
| Acquisition | Vendor risk + SBOM + supply-chain vetting | “Before purchase” / “third-party risk” |
| Assignment | Named owner + classification label | “Who is responsible” / “data classification” |
| Inventory | CMDB + active scan + passive discovery | “Unknown devices” / “shadow IT” |
| Monitoring | Config drift detection, license compliance | “Drift” / “unauthorized software” |
| Disposal | NIST 800-88 sanitization + certificate | “Decommission” / “leaving the org” |
| Retention | Retention schedule + minimization | “How long must we keep” / “privacy” |
Match method to media. Degauss for magnetic, crypto-erase for SEDs that were always encrypted, physical destruction when in doubt. Always follow with a certificate of destruction for regulated data. The exam loves to pair an SSD with degaussing — it never works.
A regional hospital system is refreshing 800 clinician workstations. The old machines have SSDs with cached patient records (ePHI), cached imaging thumbnails, and local user profiles. The Operations Lead wants to sell the old units to a recycler to offset the refresh cost; the recycler claims they “degauss everything.” Security must decide what leaves the building and how.
800 SSDs from a HIPAA-covered hospital — sell, wipe, or destroy?
Healthcare · ePHI · HIPAA-covered entity
When encryption history is unknown, default to physical destruction. Crypto-erase is fast and cheap, but only works if the drive was encrypted continuously from first use. Any gap in that history means unencrypted data was written to cells that may still hold it — destroying the key does not touch that data. When records are incomplete, destruction is the only defensible answer.
This scenario plays out every hardware refresh. Sales teams, recyclers, and even some IT leads treat sanitization as a checkbox. Your role is to know the method/media matrix cold and refuse non-compliant shortcuts. A signed certificate from the recycler is not protection if the method on it does not actually destroy the data.
On the exam: “SSD” + “HIPAA/PCI/regulated” → crypto-erase (if encrypted from day 1) OR physical destruction. Degaussing an SSD is always wrong.
A mid-sized financial-services firm is rewriting its email retention policy. Legal advisory recommends 7 years to satisfy SEC record-keeping. The CEO wants to “keep everything forever, storage is cheap.” Privacy counsel warns that extra years of email are extra years of breach exposure and extra work in discovery. Which policy is the better security/compliance posture?
Option A: 7-year retention with automated purge on day 2,556. Matches the regulatory minimum, with enforced deletion after the mandated hold.
Option B: Indefinite retention (“storage is cheap, keep it all”). No automatic deletion; legal holds handled case-by-case as they arise.
Option A fits better — data minimization is a security control
Option A: A defined retention with automated purge matches the regulatory minimum and enforces data minimization — a foundational privacy principle. Less data means less to breach, less to produce in discovery, and less to potentially mishandle. Legal holds can still suspend purges on specific matters when needed.
Option B’s kernel of truth: Storage is cheap. But the cost of data is not storage — it is discovery, breach exposure, and legal liability. Privacy regulators (GDPR, CCPA) treat indefinite retention as a violation absent a lawful basis.
On the exam: “retention” + “privacy” + “minimization” → keep as long as required, no longer. Indefinite retention is a risk, not a benefit.
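An added Python example, not part of the original page, of the retention logic from the data retention paragraph above and from this scenario: a rule with a regulatory minimum and an optional minimization maximum, a legal hold that suspends purge, and a sweep that classifies every record. The schedule values, record IDs and matter ID are constructed; the 7-year email rule mirrors Option A, and the `purge_overdue` state is what an indefinite-retention policy produces once the minimization ceiling passes.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    record_class: str
    min_years: int                   # regulatory minimum: must keep at least this long
    max_years: Optional[int] = None  # minimization ceiling: may not keep beyond this (None = purge at the minimum)


# Constructed schedule. The 7-year email rule mirrors Option A above.
SCHEDULE: Dict[str, RetentionRule] = {
    "email": RetentionRule("email", min_years=7),
    "web_analytics": RetentionRule("web_analytics", min_years=1, max_years=2),
}


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    legal_holds: List[str] = field(default_factory=list)  # matter IDs; any entry suspends purge


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record: Record, today: date) -> str:
    """Classify one record: hold, retain, purge, or purge_overdue."""
    rule = SCHEDULE[record.record_class]
    eligible = add_years(record.created, rule.min_years)
    if record.legal_holds:
        return "hold"            # a legal hold overrides the schedule in both directions
    if today < eligible:
        return "retain"          # inside the mandated hold: deleting now is under-retention
    if rule.max_years is not None and today > add_years(record.created, rule.max_years):
        return "purge_overdue"   # kept past the minimization ceiling: a compliance finding
    return "purge"


def purge_sweep(records: List[Record], today: date) -> Dict[str, str]:
    """What the automated purge job decides for each record on a given day."""
    return {r.record_id: disposition(r, today) for r in records}


def sample_records() -> List[Record]:
    """Constructed records covering each disposition."""
    return [
        Record("m-1", "email", date(2017, 3, 1)),
        Record("m-2", "email", date(2017, 3, 2)),
        Record("m-3", "email", date(2016, 6, 30), legal_holds=["MATTER-2023-017"]),
        Record("a-1", "web_analytics", date(2021, 1, 1)),
        Record("a-2", "web_analytics", date(2023, 1, 15)),
    ]


if __name__ == "__main__":
    for rid, action in purge_sweep(sample_records(), date(2024, 3, 1)).items():
        print(rid, action)
```

The hold check runs before the date checks so that a matter opened on a record already past its purge date keeps it, and a record under hold is never deleted by the scheduled job; releasing the hold returns it to the normal schedule on the next sweep.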
4.2 questions test the lifecycle: (1) match destruction method to media (degauss = magnetic only; crypto-erase = day-1 encrypted only; physical destruction = default when in doubt), (2) inventory is prerequisite for every other control (shadow IT, unknown assets, missing CMDB entries show up as “cannot protect what you do not know”), (3) retention is a policy-mandated hold, not just archival, and indefinite retention is a liability, not a feature.
- A Degauss all 500 drives and issue a single certificate
- B Crypto-erase all 500, assuming BitLocker was “probably on”
- C Crypto-erase the 380 drives with confirmed continuous encryption; physically destroy the 120 with unknown status; issue certificates for both paths
- D Single-pass overwrite all 500
Correct: C. Crypto-erase is valid only when encryption was in place from first use. Where that cannot be proven, default to physical destruction. Mixed fleets require a mixed strategy with certification per path.
A wrong: Degaussing does not work on SSDs.
B wrong: Assuming encryption fails the audit trail.
D wrong: Wear leveling and over-provisioning make single-pass overwrite unreliable on SSDs.
Source: CompTIA SY0-701 Objectives v5.0 — 4.2 Hardware, software, and data asset management; NIST SP 800-88 Rev. 1
- A Disable the SIEM
- B Automated enrollment via IaC + active and passive discovery feeding the CMDB
- C Ask each manager to email a list of their assets quarterly
- D Only count assets that appear in the procurement system
Correct: B. Automation catches assets at creation (IaC tagging, cloud resource policies) and continuous discovery finds anything that slipped through. Manual tracking always drifts.
A wrong: Disabling monitoring never improves inventory.
C wrong: Manual email-based inventory decays within weeks.
D wrong: Procurement misses shadow IT, gifts, test labs, cloud sprawl.
Source: CompTIA SY0-701 Objectives v5.0 — 4.2
- A Retention and archival are synonyms
- B Retention is a policy-mandated hold period (often regulatory); archival is long-term storage of inactive data for operational or historical reasons
- C Retention means delete immediately; archival means keep forever
- D Retention applies only to email; archival applies to everything else
Correct: B. Retention is driven by law or policy and specifies how long you must keep (and often when you must purge). Archival is an operational storage tier; both can coexist.
Source: CompTIA SY0-701 Objectives v5.0 — 4.2