Assets and media shall be disposed of safely.
Guidance
- When eliminating tangible assets like business computers/laptops, servers, hard drive(s) and other
storage media (USB drives, paper…), ensure that all sensitive business or personal data are securely
deleted (i.e. electronically “wiped”) before they are removed and then physically destroyed (or recommissioned). This is also known as “sanitization” and thus related to the requirement and guidance in PR.IP-6.
- Consider installing a remote-wiping application on company laptops, tablets, cell phones, and other
mobile devices.
The organization shall enforce accountability for all its business-critical assets throughout
the system lifecycle, including removal, transfers, and disposition.
Guidance
Accountability should include:
- The authorization for business-critical assets to enter and exit the facility.
- Monitoring and maintaining documentation related to the movements of business-critical assets.
The organization shall ensure that disposal actions are approved, tracked, documented, and verified.
Guidance
Disposal actions include media sanitization actions (See PR.IP-6).
The organization shall ensure that the necessary measures are taken to deal with loss, misuse, damage, or theft of assets.
Guidance
This can be done by policies, processes & procedures (reporting), technical & organizational means
(encryption, Access Control (AC), Mobile Device Management (MDM), monitoring, secure wipe, awareness, signed user agreement, guidelines & manuals, backups, inventory update …).
The organization has defined procedures for the safe disposal of laptops that are no longer required.
Papers containing sensitive information should be disposed of in an agreed manner, for example, using a shredder or by incineration.
When offering cloud services, the organisation must have procedures in place for safe disposal or potential reuse of resources utilized in service providing, such as:
When utilizing cloud services, the customer organisation should ensure secure disposal by requesting confirmation of these procedures from the cloud service provider.
Unnecessary media should be disposed of in a safe, industry-accepted manner (such as by incineration, shredding or wiping) in accordance with formal procedures. Media that requires safe disposal must be clearly marked.
Data destroyed in accordance with the process should not be recoverable, even by forensic means.
The organization should define policies, processes or technical measures to handle the loss, misuse, damaging and theft of organizational assets. These could include the following:
When removable media is an important part of an organisation's operations, more specific rules have been defined for securing removable media and the information they contain.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
