
Weekly CISSP Practice

Exam Questions

Week 2 - Question 2

Question: Your organization keeps physical client files in a secure room. Which of the following controls primarily concerns asset retention?

A. Restricted access based on job role

B. Paper shredding policy

C. Climate control in the room

D. Digital backups of the files

The Correct Answer: B (Paper Shredding Policy)

Deep Dive: Detailed Explanation
To pass the CISSP, you must be able to distinguish between protection, preservation, and retention. Let’s break down why "B" is the only answer that fits the specific definition of retention.

A. Restricted access based on job role
While essential for security, this is a preventative access control. It focuses on the Confidentiality of the CIA triad by ensuring only authorized personnel interact with the files. It governs who can see the asset, but it has no bearing on the duration of the asset's life or its ultimate destruction.

B. Paper shredding policy (The Winner)
This control sits at the heart of the Asset Lifecycle. Asset retention isn’t just about keeping data; it’s about the entire timeline from creation to destruction. A shredding policy defines the "end-of-life" process. By establishing clear protocols for when and how files are destroyed, you ensure the organization complies with legal requirements and prevents "data remnants" from becoming a liability.

C. Climate control in the room
This is a physical (environmental) control focused on Asset Preservation. While keeping the room at a specific temperature and humidity prevents the paper from degrading (ensuring Availability), it does not dictate how long the organization is legally or operationally required to keep those files.

D. Digital backups of the files
Backups are a core component of Data Redundancy and Recovery. While transitioning from physical to digital may change your storage strategy, the act of backing up is an Availability control. It ensures that if the physical copy is lost, the data survives—but it does not define the retention schedule for the original physical assets.

CISSP Exam Tip: The "Retention" Mindset
When you see the word Retention on the exam, immediately think of the Retention Schedule. Organizations are often legally mandated to keep files for a specific period (e.g., 7 years for tax records). However, keeping data too long is a massive risk. A true retention policy always includes a Disposal component—which is why the shredding policy is the most accurate answer here.

Are you struggling with the nuances of Asset Security? I can help you bridge the gap between "knowing the facts" and "thinking like a manager." If you'd like more practice questions like this or a deep dive into Domain 2, feel free to reach out.

Podcasts

Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.


CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam?

Check out the CISSP Cyber Training Academy to help you on your journey!


CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.
