CSA CCM DCS-01
Off-Site Equipment Disposal Policy and Procedures

Summary

When it's time to retire old hardware, organizations need to ensure any sensitive data is properly wiped before disposal. Having a well-defined policy and process for securely disposing of off-site equipment is critical. This includes rendering data unrecoverable through sanitization or physical destruction.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. The full matrix can be downloaded from the Cloud Security Alliance to learn more. The CCM provides a comprehensive set of controls to help organizations assess cloud computing risk. Complementary guidance can be found in NIST SP 800-88 Guidelines for Media Sanitization.

Who should care?

This is relevant for:

  • IT Asset Managers responsible for device lifecycle
  • Security Officers needing to protect sensitive data
  • Compliance Officers demonstrating proper disposal to auditors
  • Procurement staff sourcing offsite equipment leasing/disposal vendors

What is the risk?

Improperly disposing of equipment creates the risk of unauthorized disclosure of sensitive data. Adversaries dumpster diving or accessing resold equipment could retrieve deleted files. Organizations can face reputational damage, legal liability, and regulatory fines if customer data leaks this way. While rare for a single device, aggregate risk is high given the large volume of devices organizations retire.

What's the care factor?

For organizations handling regulated data (e.g. financial, healthcare, government), secure disposal is a must to avoid compliance violations. Those with less sensitive data should still employ basic disposal practices as a due diligence measure. Reputational damage from a data leak can impact organizations of any size and sector.

When is it relevant?

Secure disposal policies apply whenever offsite equipment reaches end-of-life, such as:

  • Leased devices returned to vendor
  • Employee-owned BYOD devices
  • Remote office closures
  • Equipment resale/donation

Onsite equipment would follow similar procedures, but with more oversight. Secure disposal is less relevant for cloud-hosted virtual machines that don't involve physical assets.

What are the trade-offs?

Secure disposal does require time and resources to implement, especially at scale:

  • Cost of shredding/destruction services vs resale value
  • Administrative overhead of disposal tracking
  • Vendor management to audit partners' disposal practices
  • Reduced agility in quickly decommissioning old assets

However, these costs tend to be far less than those of a major data breach. Automating aspects like disposal certificates helps streamline the process.

How to make it happen?

  1. Maintain an inventory of all offsite equipment by location/asset tag
  2. Define data sanitization standards based on asset type and data sensitivity
  3. Document step-by-step disposal procedures:
    • Run full disk erasure using a tool such as DiskDelete or DBAN
    • Verify no data is retrievable using forensic analysis
    • If the equipment is not destroyed, remove/destroy the storage media
    • Record disposal action and issue certificate of destruction
  4. Communicate disposal policy to all staff
  5. Train applicable personnel on disposal procedures
  6. Conduct regular audits of asset inventory and disposal records
  7. Have a 3rd party periodically test a sample of disposed assets
  8. Review and update policy/procedures annually
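
One way to automate the audit in step 6 is to reconcile the asset inventory (step 1) against the disposal records (step 3) and the sanitization standard (step 2). The script below is an added example, not part of the CCM or of the original page. The column names, the sample rows and the sensitivity-to-method policy table are assumptions; the method names follow the Clear/Purge/Destroy levels of NIST SP 800-88.

```python
import csv, io

# Assumed policy (step 2): minimum NIST SP 800-88 level per data sensitivity.
LEVEL = {"clear": 1, "purge": 2, "destroy": 3}
MIN_LEVEL = {"low": "clear", "medium": "purge", "high": "destroy"}

# Constructed sample data; column names are hypothetical.
INVENTORY = """asset_tag,location,sensitivity,status
LT-0001,remote-office-a,high,retired
LT-0002,remote-office-a,medium,retired
LT-0003,byod,low,retired
LT-0004,leased,high,in_use
LT-0005,remote-office-b,medium,retired
"""
DISPOSALS = """asset_tag,method,verified,certificate_id
LT-0001,purge,yes,CERT-EXAMPLE-1
LT-0002,purge,yes,CERT-EXAMPLE-2
LT-0003,clear,no,
LT-0004,destroy,yes,CERT-EXAMPLE-4
LT-9999,destroy,yes,CERT-EXAMPLE-5
"""

def audit(inventory_csv, disposals_csv):
    """Return sorted (asset_tag, finding) pairs for every gap in the records."""
    assets = {r["asset_tag"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    records = {r["asset_tag"]: r for r in csv.DictReader(io.StringIO(disposals_csv))}
    findings = []
    for tag, asset in assets.items():
        rec = records.get(tag)
        if asset["status"] != "retired":
            if rec:  # a disposal was logged for a device still marked in use
                findings.append((tag, "disposal recorded but inventory says in use"))
            continue
        if rec is None:
            findings.append((tag, "retired without disposal record"))
            continue
        required = MIN_LEVEL[asset["sensitivity"]]
        if LEVEL.get(rec["method"], 0) < LEVEL[required]:
            findings.append((tag, f"method {rec['method']} below required {required}"))
        if rec["verified"] != "yes":
            findings.append((tag, "sanitization not verified"))
        if not rec["certificate_id"]:
            findings.append((tag, "missing certificate"))
    for tag in records.keys() - assets.keys():  # disposed asset unknown to inventory
        findings.append((tag, "disposal record for asset not in inventory"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(INVENTORY, DISPOSALS), sep="\n")
```

Each finding maps to a follow-up action: re-sanitize at the required level, run the missing verification, obtain the certificate, or correct the inventory.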

What are some gotchas?

  • Many tools can only wipe entire disks, not individual files/folders
  • Secure erase commands like ATA Secure Erase require BIOS support
  • Disposal personnel need physical access to devices and boot media
  • Devices with FDE/self-encrypting drives handle crypto erase differently
  • Cloud providers have their own data deletion procedures when clients leave
  • Verify supply chain integrity of disposal vendors

What are the alternatives?

  • Physical destruction (shredding) skips the need for data wiping
  • Keeping retired assets in secure storage vs offsite disposal
  • Repurposing old devices for less sensitive data as an alternative to disposal
  • Moving data to cloud to avoid device disposal altogether
