S 2.13 Correct disposal of resources requiring protection

Initiation responsibility: Top Management, Head of IT, IT Security Officer

Implementation responsibility: Employee, Building Services Manager

Resources or equipment (e.g. printing paper, diskettes, streamer tapes, magnetic tapes, hard disks, CD-ROMs, DVDs, USB sticks, flash memory or flash cards, but also special toner cartridges, carbon paper, or carbon ribbons) are eventually no longer needed or must be disposed of due to defects. If they contain data worthy of protection, they must be disposed of in such a way that it is impossible to deduce any of the data previously stored on them. On data media still functioning properly, the data should be physically deleted. Non-functional data media and non-rewritable data media such as files, CD-ROMs, and DVDs must be destroyed mechanically (see S 1.15 Deleting and destroying data).

The disposal method for material requiring protection should be governed by a special security policy. The equipment required for disposal (such as file shredders) must be available in the organisation.

If material requiring protection is collected prior to disposal, the collected material must be kept under lock and key and protected against unauthorised access.

If safe and ecological disposal cannot be performed in a given company or government agency, the companies contracted for disposal must agree to comply with the required security measures. A sample contract can be found among the Resources for IT-Grundschutz on the BSI websites. The disposal procedure should be checked regularly to ensure it is reliable.

Review questions: