Does your organization have a documented process for the timely return and secure disposal of assets containing organizational data?
Explanation
Asset recovery and disposal is the concern: whether a documented process ensures that devices and media holding organizational data are returned or securely destroyed once no longer needed. Without proper asset return and disposal processes, organizational data may remain accessible to unauthorized individuals, potentially leading to data breaches or compliance violations.
Evidence could include a documented asset return/disposal policy, exit checklists for departing employees, certificates of destruction from approved vendors, asset disposal logs, or records of media sanitization that comply with standards such as NIST SP 800-88.
Implementation Example
Verify that assets containing the organization's data are returned or properly disposed of in a timely, controlled, and safe manner
ID: GV.SC-10.116
Context
- Function
- GV: GOVERN
- Category
- GV.SC: Cybersecurity Supply Chain Risk Management
- Sub-Category
- Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
Related questions
- Has your organization established a documented strategy that defines the objectives of your cybersecurity supply chain risk management program?
- Has your organization developed a formal cybersecurity supply chain risk management program with documented policies, procedures, and an implementation plan with milestones that is shared with relevant stakeholders?
- Has your organization developed and implemented the processes from the cybersecurity supply chain risk management program, that align with your security strategy, objectives, policies, and procedures with documented stakeholder agreement and participation?
- Has your organization established a formal cross-functional team or committee responsible for cybersecurity supply chain risk management?
- Has your organization formally designated specific roles or positions responsible for cybersecurity supply chain risk management activities?
- Has your organization documented cybersecurity supply chain risk management roles and responsibilities in a formal policy?

