Systems redeployment or disposal


The organization will develop, disseminate, and review: 1) a formal systems redeployment or disposal policy that addresses purpose, scope, RACI info, and compliance; and 2) formal standards and procedures to facilitate implementing the policy. [UCF ID 00901]

Supporting and supported controls

This control directly supports:

Operational management [UCF Control ID 00805]

This control has the following supporting controls:

Prior to disposal or redeployment, all data storage media will be wiped clean. [UCF Control ID 01643]
Maintain disposal or redeployment records [UCF Control ID 01644]

Authority documents complied with:

Australian Government ICT Security Manual (ACSI 33) § 3.4.26, 3.4.33, 3.4.45, 3.4.46, 3.4.51; FFIEC IT Examination Handbook – Information Security Exam Tier II Obj C.14, Exam Tier II Obj D.5; FFIEC IT Examination Handbook – Development and Acquisition Pg 32-33, Pg 56-57; FFIEC IT Examination Handbook – Operations Pg 27; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-007-1 R7; The Standard of Good Practice for Information Security CI3.1.3, CI3.1.6; ISO 17799:2000, Code of Practice for Information Security Management § 8.6.2; ISO 17799:2005 Code of Practice for Information Security Management § 9.2.6; ISO/IEC 27002-2005 Code of practice for information security management § 9.2.6; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14 § 3.4.6; ISO 15489-1, Information and Documentation: Records management: General § 9.9; PCAOB Auditing Standard No. 2 Implied; AICPA/CICA Privacy Framework § 5.2.2; Controls and Procedures, SEC 17 CFR 240.15d-15 Implied; Standard for Electronic Records Management Software, DOD 5015.2 § C2.2.6.6; California Information Practice Act, CA SB 1386 § 1.9

Sarbanes-Oxley Guidance

§ 5.2.2 of AICPA/CICA Privacy Framework states that the organization should dispose of all personal information in a manner that will prevent loss, misuse, or unauthorized access.

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Development and Acquisition Pg 32-33, Pg 56-57 states that surplus and/or obsolete software, hardware, and data should be disposed of in an orderly manner.

Energy Guidance

The North American Electric Reliability Corporation's CIP-007-1 R7 states that the Responsible Entity shall establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005.

US Federal Security Guidance

NIST 800-53 and DoD 5015.2 Criteria call for the destruction of media and records, respectively. Both address the issue of removing residual data. While NIST provides controls for organizations to implement, DoD, as always, includes these procedures as automated controls performed by records management systems.

NIST Guidance

NIST 800-53 calls for the destruction of media and records; its controls address the issue of removing residual data.

International Standards Organization Guidance

ISO 15489-1 and 15489-2 detail the disposition process extensively as summarized above, although only with respect to records.

The ISO/IEC 27002-2005 Code of practice for information security management § 9.2.6 states that prior to disposing of equipment or sending it out for repair, the storage media should be checked for any sensitive information. If sensitive information is contained on the media, it should be physically destroyed, deleted, or overwritten in such a way that the data is not retrievable.

The ISO 17799:2005 Code of Practice for Information Security Management § 9.2.6 states that prior to disposing of equipment or sending it out for repair, the storage media should be checked for any sensitive information. If sensitive information is contained on the media, it should be physically destroyed, deleted, or overwritten in such a way that the data is not retrievable.

Asia and Pacific Rim Guidance

The Australian Government ICT Security Manual (ACSI 33) § 3.4.26, 3.4.33, 3.4.45, 3.4.46, 3.4.51 states that hardware or media containing classified material should be sanitized or destroyed before being disposed of. The following types of material cannot be sanitized and must be destroyed if they contain classified information: microfiche, microfilm, optical disks, printer ribbons, Programmable Read-Only Memory, and Read-Only Memory. To physically destroy media, it should be broken up or heated until it has been burnt to ash or melted.
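The supporting controls above (wipe media before disposal, keep disposal records) and the ISO 27002 / ISO 17799 § 9.2.6 and ACSI 33 passages describe one procedure: check the media for sensitive information, pick a disposition method that the media type allows, overwrite or destroy, verify, and record the outcome. The following script is an added example of that procedure and is not UCF code or part of any cited standard. It runs against a disk image file rather than a physical device so that it works offline; the asset ids, the planted marker strings, and the media-type table are constructed for illustration.

```python
"""Overwrite-based media sanitization with read-back verification and a
disposal record.  Added example, not part of UCF or any cited standard."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Media types the ACSI 33 summary on this page says cannot be sanitized and
# must be physically destroyed if they hold classified information.
DESTROY_ONLY = {"microfiche", "microfilm", "optical disk", "printer ribbon", "prom", "rom"}

CHUNK = 64 * 1024  # bytes per read/write
# Constructed markers standing in for "sensitive information" on the media.
SAMPLE_MARKER = b"SSN: 000-00-0000 (constructed)"
MARKERS = [SAMPLE_MARKER, b"CONFIDENTIAL"]


def contains_sensitive(path: str, markers: list[bytes]) -> bool:
    """Pre-disposal check: does the image hold any known marker?  Chunks are
    read with an overlap so a marker straddling two chunks is still found."""
    if not markers:
        return False
    overlap = max(len(m) for m in markers) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            window = tail + chunk
            if any(m in window for m in markers):
                return True
            tail = window[-overlap:] if overlap else b""


def choose_method(media_type: str, sensitive: bool) -> str:
    """Select the disposition method the media type permits."""
    if not sensitive:
        return "none"
    if media_type.strip().lower() in DESTROY_ONLY:
        return "physical_destruction"
    return "overwrite"


def overwrite_image(path: str, patterns: tuple[bytes, ...]) -> None:
    """Overwrite every byte of the image once per pattern, fsyncing each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            block = pattern * CHUNK
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def verify_overwritten(path: str, expected: bytes) -> bool:
    """Read the whole image back and confirm every byte equals the final pattern."""
    block = expected * CHUNK
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != block[: len(chunk)]:
                return False


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def dispose(asset_id: str, media_type: str, path: str, markers: list[bytes]) -> dict:
    """Check -> select method -> sanitize -> verify, returning the disposal
    record that the supporting control (UCF 01644) asks to be retained."""
    sensitive = contains_sensitive(path, markers)
    method = choose_method(media_type, sensitive)
    verified = None  # None: no software verification applies (destroyed or nothing to do)
    if method == "overwrite":
        patterns = (b"\x00", b"\xff")
        overwrite_image(path, patterns)
        verified = verify_overwritten(path, patterns[-1]) and not contains_sensitive(path, markers)
    return {
        "asset_id": asset_id,
        "media_type": media_type,
        "sensitive_found": sensitive,
        "method": method,
        "verified": verified,
        "image_sha256_after": sha256_file(path) if method == "overwrite" else None,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def make_sample_image(path: str, size: int = 256 * 1024) -> None:
    """Write a constructed image: filler with a planted marker in the middle."""
    with open(path, "wb") as f:
        f.write(b"FILLER" * (size // 6))
        f.seek(size // 2)
        f.write(SAMPLE_MARKER)


def run_demo() -> tuple[dict, str]:
    """Build a constructed image in a temp dir and dispose of it as a hard disk."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    make_sample_image(path)
    return dispose("ASSET-0001 (constructed)", "hard disk", path, MARKERS), path


if __name__ == "__main__":
    record, _ = run_demo()
    print(record)
    print(choose_method("ROM", True))  # destroy-only media type
```

Overwriting an image file exercises the decision and verification logic; on a physical drive the same passes have to cover the whole device, and sectors the drive has remapped or flash blocks held in over-provisioned space are not reachable by a host-side overwrite, which is one reason the cited standards keep physical destruction as an option. Read-back verification confirms only what the device presents to the host, so the record should say which method was used and not merely "sanitized".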