Content library
CyberFundamentals (Belgium)
PR.IP-6: Data is destroyed according to policy.

How to fill the requirement

CyberFundamentals (Belgium)

PR.IP-6: Data is destroyed according to policy.

Task name
Priority
Status
Theme
Policy
Other requirements
Personnel guidelines for safe disposal of paper data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Physical security
Non-electronic data and copies
requirements

Task is fulfilling also these other security requirements

I17: Salassa pidettävien tietojen jäljentäminen - Tulostus ja kopiointi
Katakri
8.3.2: Disposal of media
ISO27 Full
6.6.4: Fyysisten tilojen, laitteiden ja tulosteiden turvallisuus
Self-monitoring
A.11.7: Secure disposal of hardcopy materials
ISO 27018
PR.DS-3: Asset management
NIST
1. Task description

Papers containing sensitive information should be disposed of in an agreed manner, for example, using a shredder or by incineration.

Archiving and destruction processes for data sets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Management of data sets
Management of data sets
requirements

Task is fulfilling also these other security requirements

PR.IP-6: Data destruction
NIST
A.7.4.5: PII de-identification and deletion at the end of processing
ISO 27701
A.7.4.8: Disposal
ISO 27701
8.10: Information deletion
ISO27k1 Full
P4.3: Secure disposal of personal information
SOC 2
1. Task description

Organization must document the retention periods for data sets and their possible archiving process (including archiving method, location or destruction). At the end of the retention period, the data must be archived or destroyed without delay in a secure manner.

When destroying data contained in data systems, the following points should be taken into account:

  • suitable method of destruction (e.g. overwriting, cryptographic erasure ) is chosen taking into account the functional and statutory requirements
  • the need to preserve evidence of data destruction is discussed
  • when using third parties for data destruction, the requirement of evidence and the inclusion of destruction requirements in supplier contracts are discussed

The process of archiving or destroying data is defined in connection with the documentation, and the owner of the data is responsible for its implementation.

Defining and documenting retention times for data sets
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
requirements

Task is fulfilling also these other security requirements

21 §: Tietoaineistojen säilytystarpeen määrittäminen
TiHL
5. Principles relating to processing of personal data
GDPR
18.1.3: Protection of records
ISO27 Full
PR.IP-6: Data destruction
NIST
A.7.4.2: Limit processing
ISO 27701
1. Task description

Limiting the retention time is one of the principles of the processing of personal data. If the retention period of the data is not provided by law, when determining the retention periods, the following must be taken into account, for example:

  • the necessity of the data for its original processing purpose
  • implementation and verification of the interests, rights, obligations and legal protection of a natural or legal person
  • the legal effect of the contract or other legal action in civil matters
  • statutory limitation periods
  • criminal limitation periods

Describe your own process for evaluating retention periods.

Process for secure disposal of removable media containing confidential information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Management of data sets
Removable media
requirements

Task is fulfilling also these other security requirements

8.3.2: Disposal of media
ISO27 Full
A.11.7: Secure disposal of hardcopy materials
ISO 27018
11.2.7: Secure disposal or re-use of equipment
ISO27 Full
PR.DS-3: Asset management
NIST
PR.IP-6: Data destruction
NIST
1. Task description

Unnecessary media should be disposed of in a safe, industry-accepted manner (such as by incineration, shredding or wiping) in accordance with formal procedures. Media that requires safe disposal must be clearly marked.

Data destroyed in accordance with the process should not be recoverable, even by forensic means.

No items found.