[csf.tools Note: Subcategories do not have detailed descriptions.]
Note: This Privacy Framework Subcategory is identical to the Cybersecurity Framework Subcategory.
NIST Special Publication 800-53 Revision 5
a. Sanitize [Assignment: organization-defined system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures]; and
b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].
Cloud Controls Matrix v4.0
Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.
Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.
Data retention, archiving and deletion are managed in accordance with business requirements and applicable laws and regulations.
Agreements must include provisions specifying CSCs' access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy
Define, implement and evaluate processes, procedures and technical measures to ensure the security and retention of audit logs.
The information system protects audit records from unauthorized access, modification, and deletion.
Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
Critical Security Controls Version 8
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
NIST Special Publication 800-53 Revision 4
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the…
Cloud Controls Matrix v3.0.1
Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization’s premises. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full overwrite of the drive to ensure that the erased drive is released to…
All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company’s corporate IT or shall have all company-provided data wiped by the company’s corporate IT.