Does your organization have procedures to securely remove confidential data from processors and memory when it is no longer needed?
Explanation
The concern here is sensitive data lingering in memory: specifically, whether you have procedures to securely purge confidential data from processors and memory once it is no longer needed.
Confidential data that remains in memory after it's no longer needed creates unnecessary security risks, as it could be exposed through memory scraping attacks, system crashes that generate memory dumps, or other memory-based vulnerabilities.
Examples include clearing encryption keys after use, wiping authentication tokens after sessions end, or nullifying sensitive customer data after a transaction completes.
Evidence could include documented procedures for secure memory management, code review guidelines that address memory clearing, technical specifications showing implementation of secure memory handling functions (e.g., use of SecureString in .NET, explicit memory zeroing in C/C++), or automated testing that verifies memory is properly cleared after sensitive operations.
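An added illustration of the "explicit memory zeroing in C/C++" control mentioned above (example code written for this page, not from any particular project): a plain memset() before a buffer goes out of scope is a dead store that an optimizing compiler may remove, so the wipe writes through a volatile pointer, and a check function provides the kind of assertion an automated test could use as evidence. The 32-byte key and its contents are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Wipe n bytes at p in a way the compiler will not drop as a dead store.
   Writing through a volatile pointer forces every store to happen.
   Where available, C11 memset_s() or explicit_bzero() serve the same
   purpose; this portable version assumes neither. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. Intended as the
   assertion in a test that verifies a key buffer was cleared after use. */
int is_wiped(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Simulates one operation that handles a symmetric key (hypothetical
   32-byte key, contents constructed here), then wipes the key before
   the function returns. Returns 1 if no key bytes remain. */
int use_key_and_wipe(void)
{
    unsigned char key[32];
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);  /* constructed key material */
    }
    /* ... the key would be used for encryption here ... */
    secure_zero(key, sizeof key);
    return is_wiped(key, sizeof key);
}

int main(void)
{
    printf("key wiped after use: %s\n", use_key_and_wipe() ? "yes" : "no");
    return 0;
}
```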
Implementation Example
Remove data that must remain confidential (e.g., from processors and memory) as soon as it is no longer needed
ID: PR.DS-10.232
Context
- Function
- PR: PROTECT
- Category
- PR.DS: Data Security
- Sub-Category
- The confidentiality, integrity, and availability of data-in-use are protected
Related questions
- Does your organization implement cryptographic controls (encryption, digital signatures, hashing) to protect the confidentiality and integrity of stored data across all relevant storage systems?
- Is full disk encryption implemented on all user endpoints (laptops, desktops, mobile devices) that store company data?
- Does your organization validate digital signatures to verify the integrity and authenticity of software before installation or use?
- Does your organization have a policy and technical controls to restrict the use of removable media devices?
- Does your organization physically secure all removable media containing unencrypted sensitive information?
- Does your organization implement cryptographic controls to protect the confidentiality and integrity of network communications?

