DATA-17 Data Disposal

What is DATA-17 Data Disposal Control?

Data disposal is the process of securely disposing of information from your system either physically (degaussing, shredding, etc.) or electronically (overwriting, sanitizing, etc.) at its end of life. A policy must be documented to define the disposal processes to be used in the event of a deletion request.

Available tools in the marketplace

Tools

No tool recommendation is made for this section

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

• Media Sanitization best practices from NIST

Control implementation

To implement this control,

1. Document a process to effectively delete data from all systems.
2. Implement a script to effectively delete data from all systems.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Provide the most recent data disposal process.
2. Provide an example of the script used to remove data and an example of a ticket requesting it.

Evidence example

For the suggested action, an example is provided below:

1. Provide the most recent data disposal process.
   The following screenshot shows the data type, retention, and disposal processes.
   
2. Provide an example of the script used to remove data and an example of a ticket requesting it.
   The following screenshot shows an example of a data deletion script.
   Google search