A financial services company uses a cloud-based logging service for audit trails. A regulatory investigation is initiated, and the company is required to preserve all logs from the past 18 months. The cloud provider's default retention policy is 12 months, and logs older than that are automatically deleted. The company did not configure custom retention. What is the most appropriate action to ensure compliance?
A legal hold overrides retention policies and ensures preservation; verification confirms compliance.
Why this answer
Option C is correct because a legal hold (or litigation hold) is a cloud provider feature that overrides the default retention policy to preserve data indefinitely or for a specified period, preventing automated deletion. This ensures compliance with regulatory requirements without relying on manual exports or backups, and the company must verify implementation through provider tools or APIs to confirm the hold is active.
Exam trap
ISC2 often tests the misconception that exporting logs locally is sufficient for compliance. The trap is that an export cannot recover logs that have already been deleted and does not meet the requirement for ongoing preservation, whereas a legal hold is the mechanism designed for regulatory holds.
How to eliminate wrong answers
Option A is wrong because accepting data loss and explaining to regulators is not a valid compliance action; regulations typically require preservation, and ignorance of retention limits is not an acceptable excuse. Option B is wrong because exporting all available logs immediately would only capture logs up to the current point, missing logs already deleted beyond 12 months, and does not address ongoing preservation for future regulatory needs. Option D is wrong because relying on the provider's backup policy is speculative and not guaranteed; backups may have shorter retention or be subject to the same deletion policies, and they are not designed for legal compliance holds.