Degaussing is one of the most tested media sanitization topics on the Security+ exam, and the most common trap is applying it to the wrong media type. Degaussing works by generating a strong electromagnetic field that destroys the magnetic patterns used to encode data on hard disk drive platters. It is effective on HDDs — and as a side effect, it also destroys the servo tracks that control head positioning, permanently rendering the drive unusable.
The trap: SSDs do not store data magnetically. They store data as electrical charge in NAND flash memory cells. An electromagnetic field has no effect on electrical charge storage. Applying a degausser to an SSD produces a device that appears to have been sanitized but contains fully intact, readable data. This is not a partial sanitization failure — it is a complete failure. The SSD is unchanged.
The exam will present scenarios where degaussing is applied to "storage devices" or "drives" and ask whether sanitization was successful. If the device is an SSD, the answer is no. If the device type is unspecified, consider whether the scenario context suggests newer devices (which are almost universally SSD) vs. legacy systems (which may be HDD).
Asset classification questions on the exam test the CapEx/OpEx distinction and why it matters. The key is understanding the financial logic, not just memorizing the labels. Hardware is a physical asset with a useful life that spans multiple years — it loses value over time through depreciation. This depreciation reduces taxable income annually, which is why capital expenditures are tracked separately. Software licenses and subscriptions are typically consumed in the period they are purchased (annual license, monthly subscription) — they are expensed immediately as operating costs and do not depreciate.
This distinction also matters for the asset tracking system itself: hardware assets have physical presence, asset tags, and depreciation schedules to maintain. Software assets are tracked by license key, activation count, and subscription status — no physical tag, no depreciation, but often compliance risk if licenses are exceeded or not renewed.
The certificate of destruction is a compliance and legal document. Its value depends entirely on its specificity. The exam tests this by presenting scenarios where an organization receives a certificate and asking whether it provides adequate assurance.
The discriminator is always serial numbers. A certificate that says "We destroyed 500 drives on [date]" cannot be matched to your organization's specific asset inventory. It proves that the vendor destroyed some drives on some date. It does not prove that your specific drives — the ones containing your data — were among them. If a regulator or auditor asks "was drive SN12345678 destroyed?" this certificate cannot answer that question.
A proper certificate lists each serial number, matched against your asset inventory submission. When a specific drive's serial number later appears somewhere it shouldn't, your certificate can immediately prove that your organization's drive with that serial number was destroyed before that date. This is what makes the document meaningful for compliance, legal defense, and incident investigation.
Data retention questions on the exam describe a scenario and ask why data must be retained for a specific period, or what happens if it is not. The answer depends on identifying the correct driver: regulatory compliance (mandatory period set by law), operational recovery (backup and disaster recovery needs), or data type differentiation (different categories have different requirements).
The regulatory driver is the strictest and most testable. When a regulation mandates a minimum retention period, that period is non-negotiable — deleting data before the regulatory minimum creates legal liability regardless of any other reason to delete it. The operational driver is flexible — it is a best practice that organizations define for themselves based on their recovery objectives. The data type driver is about precision — treating all data identically either wastes storage (retaining everything forever) or creates compliance violations (deleting regulated data too early).