DATA-17 Data Disposal

What is this control about?

Data disposal is the process of securely disposing of information from your systems at its end of life, either physically (degaussing, shredding, etc.) or electronically (overwriting, sanitizing, etc.). A policy must be documented to define the disposal processes to be used in the event of a deletion request.

Available tools in the marketplace

Tools:
 No tool recommendations for this section.

Available templates

TrustCloud has a curated list of internally or externally sourced templates to help you get started. Click on the link for a downloadable version:

  • Media Sanitization best practices from NIST

Control implementation

Document a process to effectively delete data from all systems

Implement a script to effectively delete data from all systems

What evidence do auditors look for?

At a minimum, most auditors look for the suggested actions below:

  • Provide the most recent data disposal process
  • Provide an example of the script used to remove data and an example of a ticket requesting it

Evidence example

An example for each of the suggested actions above is provided below.

  1. Provide the most recent data disposal process.

The TrustCloud example shows the data type, retention, and disposal process:

[Screenshot: DATA 17 screenshot1]

  2. Provide an example of the script used to remove data and an example of a ticket.

Example of data deletion script:

Google search

[Screenshot: DATA 17 screenshot2]
