Does your organization provide secure methods for destroying paper documents, storage media, and other physical forms of data storage?
Explanation
Proper data destruction methods prevent unauthorized access to sensitive information that may remain on physical media after disposal. Organizations should have documented procedures for securely destroying different types of media including paper shredding, hard drive degaussing or physical destruction, and secure disposal of removable media like USB drives or backup tapes.
Evidence could include a data destruction policy document, contracts with certified data destruction vendors, photographs of on-site destruction equipment (such as cross-cut shredders or hard drive destroyers), or certificates of destruction from third-party services.
Implementation Example
Offer methods for destroying paper, storage media, and other physical forms of data storage
ID: ID.AM-08.146
Context
- Function
- ID: IDENTIFY
- Category
- ID.AM: Asset Management
- Sub-Category
- Systems, hardware, software, services, and data are managed throughout their life cycles
Related questions
- Does your organization maintain comprehensive inventories of all hardware assets, including IT equipment, IoT devices, operational technology (OT), and mobile devices?
- Does your organization implement automated network monitoring to detect new hardware and update inventory records in real-time?
- Does your organization maintain a comprehensive inventory of all software and services, including commercial, open-source, custom, API, and cloud-based applications?
- Does your organization implement continuous monitoring for software and service inventory changes across all platforms, including containers and virtual machines?
- Does your organization maintain a comprehensive inventory of all systems within your environment?
- Does your organization maintain documented baselines of expected network communication patterns and data flows for both wired and wireless networks?

