ID.AM-08.144
Does your organization have a documented process for securely destroying data according to your retention policy, including maintaining destruction records?
Explanation
This question assesses whether your organization properly destroys data when it reaches the end of its retention period using appropriate destruction methods, and maintains records of these destructions. Proper data destruction prevents unauthorized access to sensitive information that is no longer needed and demonstrates compliance with data protection regulations like GDPR or CCPA. Evidence could include a documented data destruction procedure, a sample of destruction certificates or logs showing when and how data was destroyed, and records of the destruction method used (e.g., degaussing, shredding, secure wiping with specified tools, or certificates from third-party destruction services).
Implementation Example
Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions.
ID: ID.AM-08.144
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.AM: Asset Management
- Sub-Category
  - Systems, hardware, software, services, and data are managed throughout their life cycles

