DCS-01: Off-Site Equipment Disposal Policy and Procedures

Control Family:

Datacenter Security

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following items from the previous version: DCS-05: Off-Site Equipment, GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed, a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.

Implementation Guidance

When clients delete, leave, or egress a cloud platform, the provider should follow a sequence of structured steps to ensure that client data has been expunged from the provider environment according to the terms in the contract and best practice (per vetted guidance sources such as NIST 800-88). In addition, the client may request verification that data has been effectively removed. These steps should include, but are not limited to:

  1. Removal of sensitive data or systems not regularly accessed by the organization, service provider, partner, etc. (stand-alone systems).
  2. Completion of a confidentiality assessment—including a verified process for select information sanitization and disposal processes.
  3. A record of the process should be documented and communicated to support decisions.
  4. All sanitized or destroyed assets should be logged into a tracking system with a certificate of media disposition (clear, purge, or destroy).

Auditing Guidance

  1. Examine the organization's policy and procedures related to data destruction.
  2. Determine if the policy has been approved, communicated, and reviewed.
  3. Determine if a policy exists that addresses the secure destruction of data and covers the conditions when equipment is reused as opposed to when equipment is destroyed.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.