3.5
IG1 IG2 IG3

Securely Dispose of Data

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Protect

Description

Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Draft policy/procedure document
7. Obtain stakeholder review and approval
8. Communicate to affected personnel
9. Schedule periodic review and updates

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Data Recovery from Improperly Disposed Media

Confidentiality

Attackers or dumpster divers use forensic data recovery tools to recover sensitive data from hard drives, SSDs, or tapes that were discarded without proper sanitization.

Cloud Storage Data Remnants

Confidentiality

Sensitive data remains recoverable in cloud storage or SaaS platforms after deletion because secure disposal methods were not applied, leaving data accessible to provider staff or through API enumeration.

Vulnerabilities (When Safeguard Absent)

No Secure Data Disposal Process

Without defined disposal methods commensurate with data sensitivity, media containing confidential data is discarded through standard waste channels without sanitization.

Inconsistent Media Destruction Practices

Absence of documented disposal procedures means different departments handle media destruction differently, with some using inadequate methods like simple file deletion.

Evidence Requirements

Type | Evidence Item | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document | Procedure documentation for protection measures | Reviewed annually
Document | Governing policy document (current, approved, communicated) | Reviewed annually