The purpose of this document is to ensure that information stored on equipment and media is safely destroyed or erased.
This document applies to the entire Information Security Management System (ISMS) scope and all personal data processing activities.
Users of this document are all of Resolver’s employees.
This document provides guidance on the security aspects of destroying all data and licensed software stored on any type of device, including but not limited to:
The person responsible for erasing data / destroying media must inform the owner of the asset in question about the erasure / destruction of data, and the asset owner must update the Inventory of Assets.
The IT department is responsible for checking and erasing data from equipment unless the [A.8.2_Resolver_Corporate_Data_Handling_Policy] prescribes differently. Data must be securely erased, but if the process is not secure enough considering the sensitivity of the data, then the storage medium must be destroyed.
The IT department is responsible for erasing data from mobile storage media unless the [A.8.2_Resolver_Corporate_Data_Handling_Policy] prescribes differently. Data must be erased using an algorithm compatible with DoD 5220.22-M (E), a three-pass overwriting algorithm: the first pass with zeroes, the second pass with ones, and the last pass with random data. The freeware tool Eraser can be used for this.
However, if erasure is not possible for some reason, or you are not sure that the process was complete, or in a specific case it is not secure enough considering the sensitivity of the data, then the storage medium must be destroyed.
Resolver’s employees handling confidential or sensitive paper documents are responsible for storing them in a special bin provided by the shredding company.
Records of erasure/destruction must be kept for all data classified as “Confidential” and “Customer Confidential”. Records must include the following information: information about the media, date of erasure/destruction, method of erasure/destruction, the person who carried out the process.
All information classified as “Confidential” or “Customer Confidential” must be erased/destroyed by, or in the presence of, persons authorized to access the information in question.
| Record name | Storage location | The person responsible for the storage | Controls for record protection | Retention time |
|---|---|---|---|---|
| [Erasure/destruction records] – e-document format | [name of filing folder] | [job title] | The folder is restricted for read-only access to IT department members, Company CISO and Information Security Analyst | Records are stored for a period of 5 years |
The DevOps department is responsible for erasing customer data from production environments.
All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
This document is valid as of July 2020.
The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2020
REVIEW CYCLE: At least annually and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.