Does your organization have a documented process for securely destroying data according to your retention policy, including maintaining destruction records?
Explanation
Secure disposal at the end of the data lifecycle is the concern here, namely whether you destroy data per your retention policy using appropriate methods and keep destruction records. Proper data destruction prevents unauthorized access to sensitive information that is no longer needed and demonstrates compliance with data protection regulations like GDPR or CCPA.
Evidence could include a documented data destruction procedure, a sample of destruction certificates or logs showing when and how data was destroyed, and records of the destruction method used (e.g., degaussing, shredding, secure wiping with specified tools, or certificates from third-party destruction services).
Implementation Example
Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
ID: ID.AM-08.144
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Systems, hardware, software, services, and data are managed throughout their life cycles
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

