Does your organization have a documented hardware disposal process that ensures secure, responsible, and auditable destruction or recycling of equipment?
Explanation
Improper hardware disposal can lead to data breaches if storage media containing sensitive information are not properly sanitized before disposal. A comprehensive hardware disposal process should include media sanitization procedures (wiping or physical destruction, matched to the media type), environmentally responsible recycling, and documentation of the chain of custody and final disposition of each asset.
Evidence could include a formal hardware disposal policy document, certificates of destruction from third-party disposal vendors, asset disposition logs showing the complete lifecycle tracking of hardware from acquisition to disposal, or audit reports verifying compliance with the disposal procedures.
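The evidence listed above (disposition logs, certificates of destruction, chain-of-custody records) is only useful if it can be checked mechanically. The following is an added example, not code from the page or from any framework publisher: a small Python audit that walks a constructed asset disposition log and flags records that lack an acceptable sanitization method for their media type, independent verification of the wipe, an ordered custody chain ending at the named disposal vendor, or a certificate of destruction where the final disposition requires one. The policy table `ACCEPTABLE_METHODS`, the `CERTIFICATE_REQUIRED` set, the vendor name and the asset IDs are all assumptions made for the example.

```python
"""Audit check over an asset disposition log (added example, not from the page)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Hypothetical policy table: acceptable sanitization methods per media type.
# Assumption for this example, loosely following the clear/purge/destroy
# vocabulary of NIST SP 800-88; replace with your organization's own policy.
ACCEPTABLE_METHODS = {
    "hdd": {"overwrite", "degauss", "physical_destruction"},
    "ssd": {"crypto_erase", "physical_destruction"},
    "nvme": {"crypto_erase", "physical_destruction"},
    "tape": {"degauss", "physical_destruction"},
}

# Final dispositions that must be backed by a vendor certificate of destruction.
CERTIFICATE_REQUIRED = {"destroyed", "recycled"}


@dataclass
class CustodyEvent:
    when: datetime
    holder: str  # party that took possession of the asset at this step


@dataclass
class DispositionRecord:
    asset_id: str
    media_type: str
    sanitization_method: str
    sanitization_verified_by: str  # second person who verified the wipe ("" if nobody)
    custody: List[CustodyEvent]  # ordered hand-offs from last owner to vendor
    disposal_vendor: str
    final_disposition: str  # "destroyed", "recycled", "resold", ...
    certificate_id: str = ""  # vendor certificate of destruction reference


def audit_record(rec: DispositionRecord) -> List[str]:
    """Return the list of control gaps found for one disposition record."""
    findings: List[str] = []

    allowed = ACCEPTABLE_METHODS.get(rec.media_type)
    if allowed is None:
        findings.append(f"unknown media type '{rec.media_type}'")
    elif rec.sanitization_method not in allowed:
        findings.append(
            f"method '{rec.sanitization_method}' not acceptable for {rec.media_type}"
        )
    if not rec.sanitization_verified_by:
        findings.append("sanitization not independently verified")

    if not rec.custody:
        findings.append("no chain-of-custody events")
    else:
        # Hand-offs must be chronological, and the last holder must be the vendor.
        for prev, cur in zip(rec.custody, rec.custody[1:]):
            if cur.when < prev.when:
                findings.append("custody timestamps out of order")
                break
        if rec.custody[-1].holder != rec.disposal_vendor:
            findings.append("custody chain does not end with the disposal vendor")

    if not rec.final_disposition:
        findings.append("final disposition not recorded")
    elif rec.final_disposition in CERTIFICATE_REQUIRED and not rec.certificate_id:
        findings.append("certificate of destruction missing")

    return findings


def audit_log(records: List[DispositionRecord]) -> Dict[str, List[str]]:
    """Audit every record; a repeated asset_id is itself a finding."""
    results: Dict[str, List[str]] = {}
    for rec in records:
        findings = audit_record(rec)
        if rec.asset_id in results:
            findings.append("duplicate asset_id in log")
        results[rec.asset_id] = results.get(rec.asset_id, []) + findings
    return results


# Constructed sample log: one clean record and one with several gaps.
SAMPLE_LOG = [
    DispositionRecord(
        asset_id="LAP-0412", media_type="nvme", sanitization_method="crypto_erase",
        sanitization_verified_by="j.doe",
        custody=[CustodyEvent(datetime(2024, 3, 1, 9), "it-ops"),
                 CustodyEvent(datetime(2024, 3, 2, 14), "ExampleRecyclers")],
        disposal_vendor="ExampleRecyclers", final_disposition="recycled",
        certificate_id="COD-2024-0187",
    ),
    DispositionRecord(
        asset_id="SRV-0007", media_type="ssd", sanitization_method="overwrite",
        sanitization_verified_by="",
        custody=[CustodyEvent(datetime(2024, 3, 5, 10), "datacenter"),
                 CustodyEvent(datetime(2024, 3, 4, 8), "ExampleRecyclers")],
        disposal_vendor="ExampleRecyclers", final_disposition="destroyed",
    ),
]

if __name__ == "__main__":
    for asset, gaps in audit_log(SAMPLE_LOG).items():
        print(asset, "OK" if not gaps else "; ".join(gaps))
```

Run as a script it prints one line per asset; `SRV-0007` is reported for an overwrite on an SSD (overwrites do not reliably reach remapped flash blocks), no second-person verification, a custody hand-off dated before the previous one, and no certificate despite a "destroyed" disposition. Feeding the auditor your real log export in place of `SAMPLE_LOG` gives an auditor-ready list of exceptions rather than a stack of PDFs to read.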
Implementation Example
Perform hardware disposal in a secure, responsible, and auditable manner
ID: PR.PS-03.249
Context
- Function: PR (PROTECT)
- Category: PR.PS (Platform Security)
- Sub-Category: Hardware is maintained, replaced, and removed commensurate with risk
Related questions
- Has your organization established and maintained hardened baseline configurations for all systems that enforce security policies and provide only essential capabilities?
- Does your organization have a documented process for reviewing default configuration settings for security implications when installing or upgrading software?
- Does your organization have a process to monitor software for deviations from approved baselines?
- Does your organization implement and adhere to defined timeframes for routine and emergency patching as specified in your vulnerability management plan?
- Does your organization follow an immutable infrastructure approach for container deployments by replacing rather than updating existing container instances when updates are required?
- Does your organization have a process to identify and replace end-of-life software and services with supported versions?