The purpose of this document is to ensure that information stored on equipment and media is safely destroyed or erased.
This document is applied to the entire Information Security Management System (ISMS) scope and all personal data processing activities.
Users of this document are all Resolver’s employees.
· !!! The asset owner must be notified in writing about the date of final disposal, with a request to respond and approve !!!
· !!! The process should be completed only after the approval is received !!!
This document provides guidance on the information security and data privacy aspects of the destruction of all data and licensed software stored on any devices, including but not limited to:
The person responsible for erasing data / destroying media must inform the owner of the asset in question about the erasure/destruction, and the asset owner must update the Inventory of Assets.
The IT department is responsible for checking and erasing data from equipment unless the [A.8.2_Resolver_Corporate_Data_Handling_Policy] prescribes differently. Data must be securely erased, but if the process is not secure enough considering the sensitivity of the data, then the storage medium must be destroyed.
The IT department is responsible for erasing data from mobile storage media unless the [A.8.2_Resolver_Corporate_Data_Handling_Policy] prescribes differently. Data must be erased using an algorithm compatible with DoD 5220.22-M (E), a three-pass overwriting algorithm: the first pass writes zeroes, the second pass writes ones, and the last pass writes random data. The freeware tool Eraser can be used for this.
However, if erasure is not possible for some reason, if you are not sure the process was complete, or if in some specific cases it is not secure enough considering the sensitivity of the data, then the storage medium must be destroyed.
Resolver’s employees handling confidential or sensitive paper documents are responsible for storing them in a special bin provided by the shredding company.
Records of erasure/destruction must be kept for all data classified as “Confidential” and “Customer Confidential”. Records must include the following information: information about the media, the date of erasure/destruction, the method of erasure/destruction, and the person who carried out the process.
All information classified as “Confidential” or “Customer Confidential” must be erased/destroyed by, or in the presence of, persons authorized to access the information in question.
Record name | Storage location | The person responsible for the storage | Controls for record protection | Retention time |
[Erasure/destruction records] – e-document format | [name of filing folder] | [job title] | The folder is restricted to read-only access for IT department members, the Company CISO and the Information Security Analyst | Records are stored for a period of 5 years |
The DevOps department is responsible for erasing customer data from production environments.
· !!! All customer data is considered confidential data !!!
· !!! The Customer must be notified in writing about the date of final disposal, with a request to respond and approve !!!
· !!! The process should be completed only after the approval is received !!!
Secure Deletion of Customer Data
All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
This document is valid as of August 2023.
The owner of this document is the Information Security Analyst, who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: August 2023
REVIEW CYCLE: At least annually and as needed