DSP-02: Secure Disposal

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:

Control is new to this version of the control set and incorporates the following control from the previous version: DSI-07: Secure Disposal.

Control Statement

Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.

Implementation Guidance

Data deletion should be conducted securely and effectively to ensure that the data is not recoverable by any means, including forensic techniques. Examples include, but are not limited to, cross-cut shredding or incinerating hard-copy materials, and writing zeros.

Auditing Guidance

  1. Examine the organization's procedures and technical requirements related to the secure disposal of data from storage media. Establish that this process and key controls comply with the organization's data privacy and security policy. Establish whether the organization has documented the roles and responsibilities for this process.
  2. Select a sample of disposal requests and assess whether they have followed the process through to completion. Confirm that all evidence was formally documented and recorded.
  3. Examine measure(s) that evaluate(s) this process and determine if the measure(s) address(es) implementation of the process/control requirement(s) as stipulated. Reviews, tests, or audits should be completed periodically by the organization to measure the effectiveness of the implemented controls and to verify that non-compliance and opportunities for improvement are identified, evaluated for risk, reported, and corrected in a timely manner.
  4. Obtain and examine supporting documentation maintained as evidence of these metrics to determine if the office or individual responsible reviews the information and if identified issues were investigated and corrected. Determine if the individual or office is able to correct issues without the need to routinely escalate the issues to the next level of management. Examine related records to determine if the individual or office conducted any follow-ups on the deviations to verify they were corrected as intended.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.