SI-12(3): Information Disposal

Control Family:

System and Information Integrity

Parent Control:

SI-12: Information Management and Retention

PF v1.0 References:

CT.DM-P5

Baselines:

Privacy

Control is new to this version of the control set.

Control Statement

Use the following techniques to dispose of, destroy, or erase information following the retention period: [Assignment: organization-defined techniques].

Supplemental Guidance

Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5

Critical Security Controls Version 7.1