A.11.2 Resolver Disposal & Destruction Policy

1. Purpose, scope, and users

The purpose of this document is to ensure that information stored on equipment and media is safely destroyed or erased.

This document is applied to the entire Information Security Management System (ISMS) scope and all personal data processing activities.

Users of this document are all Resolver’s employees.

2. Reference documents

  • ISO/IEC 27001:2013 standard, controls A.8.3.2, A.11.2.7
  • EU GDPR Article 32
  • Information Security Policy
  • Data Retention Policy
  • Data Handling Policy

3. Disposal and destruction of Corporate equipment and media

  • !!! Asset owner must be notified about the date of final disposal in writing and with a request to respond and approve!!!
  • !!! The process should be completed Only after the approval was received!!!

This document provides guidance on the security aspects of destruction all data and licensed software stored in any type of devices, included but not limited to:

  • Mobile / portable/removable storage media (e.g. on CD, DVD, USB flash drive, memory card, etc.; but also on paper) and on all equipment containing storage media (e.g. computers, mobile phones, tablets, laptops, etc.) must be erased or the medium destroyed before it is disposed of or reused. The retention period is defined in the Data Retention Policy.

The person responsible for erasing data / destroying media must inform the owner of the asset in question about erasing /destroying data, and the asset owner must update the Inventory of Assets.

3.1. Equipment

IT department is responsible for checking and erasing data from equipment unless the [A.8.2_Resolver_Corporate_Data_Handling_Policy] prescribes differently.  Data must be securely erased, but if the process is not secure enough considering the sensitivity of the data, then the storage medium must be destroyed.

3.2. Mobile storage media

IT department is responsible for erasing data from mobile storage media unless the [A.8.2_Resolver_Corporate_Data_Handling_Policy] prescribes differently. Data must be erased utilizing DoD 5220.22-M (E) (a three-pass overwriting algorithm: first pass – with zeroes, second pass – with ones and the last pass – with random data) compatible algorithm (you can utilize the freeware tool Eraser)

But, if the erasure process is not possible for some reason, or you are not sure about the completeness of the process, or in some specific case it not secures enough, considering the sensitivity of the data, then the storage medium must be destroyed.

3.3. Paper media

Resolver’s employees handling confidential or sensitive paper documents are responsible to store them in a special bin provided by the shredding company.

3.4. Erasure and destruction records; commission for the destruction of information

Records of erasure/destruction must be kept for all data classified as “Confidential” and “Customer Confidential”.  Records must include the following information: information about the media, date of erasure/destruction, method of erasure/destruction, the person who carried out the process.

All information classified as “Confidential” or “Customer Confidential” must be erased/destroyed by, or in the presence of, persons authorized to access the information in question.

4.  Managing records kept on the basis of this document

Record nameStorage locationThe person responsible for the storageControls for record protectionRetention time
[Erasure/destruction records] – e-document format[name of filing folder][job title]The folder is restricted for read-only access to IT department members, Company CISO and Information Security AnalystRecords are stored for a period of 5 years

5. Production Hosted environments disposal process

DevOps department is responsible for erasing customer’s data from production environments.

  • !!! All customer data is considered as confidential data!!!
  • !!! The Customer must be notified about the date of final disposal in written and with the request to response and approval!!!
  • !!! The process should be completed Only after the approval was received!!!
  • By default, if it’s not specially stipulated in MSA/ SLA or other agreement, the customer’s data is retained for 31 days after deactivation/termination/cancelation. After that time, Resolver will delete the database backup images containing the customer data. Once this is done, the data cannot be recovered.
  • For AWS hosted Cloud environments:
  • Customer data is stored in an encrypted manner, utilizing a secure key management system. Any accidental or intentional access to encrypted backup files without the encryption key will not lead to any information leakage or disclosure.
  • Data must be erased utilizing DoD 5220.22-M (E) (a three-pass overwriting algorithm: first pass – with zeroes, second pass – with ones, and the last pass – with random data) compatible algorithm (you can utilize the freeware tool Eraser) in the following product environments hosted at Rackspace:
    • Perspective, GRC Cloud, RiskVision, GAL, WRM
  • If customer requires assurance that their data will be securely deleted Resolver will ask the hosting provider to perform secure drive wiping and provide a “Certificate of Data Sanitization”, where it is applicable/available.
  • For the Core environment’s secure deletion process detailed information please see the following confluence page: link to internal resource – publicly not available

6. Non-Conformance

All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

7. Validity and document management

This document is valid as of July 2020.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from the unclear definition of the ISMS scope.
  • The number of corrective actions taken due to an inadequately defined ISMS scope.
  • Time put in by employees implementing the ISMS to resolve dilemmas concerning the unclear scope.

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.