S 1.15 Deleting and destroying data
Description
In order to ensure that information does not fall into the wrong hands, standard procedures are necessary for the complete and reliable deletion and destruction of data and data media. Consideration must be given both to information requiring protection that is stored on paper or other analogue data media (microfilm, video, 8-mm film, photos, phonographic records, documents, audio cassettes) and to information stored on digital data media (electronic, magnetic or optical media such as DVDs and CDs).
If data media are passed to third parties, sold or disposed of without being erased, or after being erased only inadequately, the unintended disclosure of information can cause significant damage. Cryptographic keys, passwords, confidential information, and other highly sensitive data stored in memory or in swap files pose a particular risk.
For this reason, every government agency and company must specify procedures for secure deletion. This module describes how an organisation can create a corresponding concept for the secure deletion and destruction of data.
Threat scenario
For IT-Grundschutz, the following typical threats to the data requiring protection (and therefore to the data that must be deleted securely) are assumed to exist:
Organisational Shortcomings
T 2.1 | Lack of, or insufficient, rules
T 2.2 | Insufficient knowledge of rules and procedures
T 2.3 | Lack of, inadequate, incompatible resources
T 2.27 | Lack of or insufficient documentation
T 2.48 | Inadequate disposal of data media and documents at the home workplace
T 2.54 | Loss of confidentiality through hidden pieces of data
T 2.102 | Insufficient awareness of IT security
Human Error
T 3.1 | Loss of data confidentiality or integrity as a result of user error
T 3.13 | Passing on false or internal information
T 3.31 | Unstructured data organisation
T 3.44 | Carelessness in handling information
T 3.93 | Incorrect handling of defective data media
Deliberate Acts
T 5.71 | Loss of confidentiality of classified information
T 5.146 | Loss of confidentiality due to swap files
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A series of safeguards must be implemented for the secure deletion and destruction of data. The steps required to accomplish this, and the safeguards to consider in each step, are listed below. The activities naturally concentrate on the "disposal" life cycle phase. However, data media are frequently passed on during the other phases as well, so information on the media that must not be disclosed needs to be securely deleted in those phases too.
Planning and design
A standardised procedure for the deletion or destruction of data media prevents the misuse of the information stored on them (see S 2.431 Provisions governing the procedure for deleting or destroying information). This procedure should be described in an easy-to-read guideline that is available to all employees (see S 2.432 Policies for the deletion and destruction of information).
Purchasing
When purchasing devices for the deletion or destruction of data, the requirements for the particular products resulting from the concept must be formulated, and suitable products or services must be selected based on these requirements (see S 2.434 Purchasing suitable devices for deleting or destroying data and S 2.436 Destruction of data media by external service providers).
Implementation
All employees should be familiar with the methods specified for deleting information and destroying data media (see S 3.67 Instructing all employees of the methods for deleting or destroying data).
Operation
In general, all types of information should be administered according to clearly defined rules. In addition, the information should be categorised according to its protection requirements. This makes it easier to identify all information that needs to be deleted or destroyed and find out which areas process and store this information (see S 2.217 Careful classification and handling of information, applications and systems).
Disposal
When withdrawing data media and IT systems from operation, various safeguards must be taken to ensure that no important data is lost and no sensitive data is left on the media or systems. Corresponding security recommendations can be found in S 4.234 Orderly withdrawal from operation of IT systems and data media. Recommendations for various types of IT systems can be found in the corresponding modules of the IT-Grundschutz Catalogues, for example in S 2.320 Orderly withdrawal from operation of servers and S 2.323 Orderly withdrawal from operation of clients.
The bundle of safeguards for the "deletion and destruction of data" is presented in the following.
Planning and design
S 2.3 | (B) | Data media control
S 2.431 | (A) | Provisions governing the procedure for deleting or destroying information
S 2.432 | (Z) | Policies for the deletion and destruction of information
S 2.433 | (W) | Overview of the methods for deleting and destroying data
Purchasing
S 2.434 | (Z) | Purchasing suitable devices for deleting or destroying data
S 2.435 | (Z) | Selecting suitable shredders
S 2.436 | (Z) | Destruction of data media by external service providers
Implementation
S 3.67 | (C) | Instructing all employees of the methods for deleting or destroying data
S 4.32 | (B) | Physical deletion of data media before and after usage
S 4.64 | (C) | Verification of data before transmission / elimination of residual information
S 4.325 | (Z) | Deletion of swap files
Operation
S 2.217 | (B) | Careful classification and handling of information, applications and systems
Disposal
S 2.13 | (A) | Correct disposal of resources requiring protection
S 2.167 | (B) | Selecting suitable methods for deleting or destroying data
S 4.234 | (B) | Orderly withdrawal from operation of IT systems and data media