A retention policy is a set of rules and guidelines that define how long and under what conditions the information should be kept or disposed of by the organization, based on its value, sensitivity, and legal or regulatory requirements.
When information is no longer required to support business objectives, the first thing that should be done is to assess the information against the retention policy. This means that the information should be reviewed and evaluated to determine if it should be retained or deleted, and for how long and by whom.
Assessing the information against the retention policy helps to ensure that the information is managed and disposed of in a consistent and compliant manner, that the information is protected from unauthorized access, use, disclosure, modification, or destruction, and that the information is available for future reference or audit purposes if needed.
The other options are not the first things that should be done when information is no longer required to support business objectives. They are either secondary or not essential for information management.
The references for this answer are:
Risk IT Framework, page 28
Information Technology & Security, page 22
Risk Scenarios Starter Pack, page 20
Submit