S 2.431 Provisions governing the procedure for deleting or destroying information

Initiation responsibility: IT Security Officer, Head of Organisation, Head of IT, Top Management

Implementation responsibility: IT Security Officer

The appropriate procedure for securely deleting or destroying data depends on the type of data media as well as on the protection requirement of the information. For this reason, the information should be classified according to its protection requirements (see S 2.217 Careful classification and handling of information, applications, and systems).

Sensitive information is given to third parties on electronic data media as well as in analogue form for numerous reasons, for example in the framework of partnerships or outsourcing services. The time at which these data media need to be returned in their entirety or destroyed and the method used for returning or destroying the data media must be specified in advance in the contract.

A number of laws, regulations and provisions need to be followed when deleting or destroying data, although the applicable laws, regulations, and provisions can vary greatly depending on the type of organisation and its business processes (see also S 2.340 Consideration of legal framework conditions). The corresponding retention periods and deletion deadlines for the various types of data must be identified and maintained.

An appropriate method must be used for each of the different types of data media to securely delete the information stored on them or to destroy the entire data medium. It is important for the organisation to have an overview of the different types of data media used. The data media can be divided into analogue data media such as paper, typewriters' ribbons and fax machines as well as digital data media (electronic, magnetic and optical). In practice, analogue data media are often disposed of without control, for example by simply throwing them in the waste paper bin, because they are considered to be "office material" not subject to any special protection requirements.

The procedure necessary for the secure deletion or destruction of information should be specified for the employees in a security policy (see S 2.432 Policies for the deletion and destruction of information). Which procedures and which devices should be selected for the various data media is described in S 2.167 Selecting suitable methods for deleting or destroying data. In large organisations, it may be helpful to offer forms requesting the employees to enter all of the most important information and actions (such as the name of the employee, type of data stored, reasons for disposal and method used).

Since the technology and design of digital data media is subject to constant modification and development, it is also necessary to adapt the methods and procedures used to reliably delete and destroy information and data media.

If an external service provider is contracted to destroy data media, then the entire disposal process of the service provider, from the collection and transportation of the data media to their destruction, must be adequately secure (see S 2.436 Destruction of data media by external service providers).

In addition, it makes sense to remind the employees at regular intervals of the importance of handling information and IT components critical to security carefully (see S 2.217 Careful classification and handling of information, applications, and systems).

To delete sensitive files selectively, it must be ensured that not only the current version is deleted, but also that all previous versions, temporary files, file fragments etc., are deleted. The persons responsible must know where the operating system and application software stores copies of the edited data. Structured data storage makes it easier to find this information (see S 2.138 Structured data storage). However, experience has shown that some information is always forgotten when selectively deleting data from data media before passing them on to outside parties. For this reason, it is not recommended to selectively delete such information.

When data media need to be repaired, confidential data can fall into the wrong hands if the data media are not securely erased beforehand. The external service provider must be chosen carefully (see S 2.252 Choice of a suitable outsourcing service provider). The external service provider must provide written assurance that the information on the corresponding data media will not be read or copied provided that this is not necessary to perform the repair work.

When deleting and destroying information, it must be ensured that the data media containing copies of the data to be deleted is disposed of securely. Data media containing copies include backup data media, for example, but also RAID systems. After withdrawing an IT system from operation, the corresponding data backup media also need to be erased or made unusable as soon as the data stored on them is not needed any more.

Note: If the data is encrypted directly while storing it on digital data media using a suitable encryption product, then many of the problems mentioned will not even arise in the first place. For laptops, full encryption of the data is generally recommended. For server architectures, full encryption is often not feasible. Depending on the technology, full encryption of the server hard disks can be more complex and cost more than destroying the disks later. This applies especially to SAN/NAS architectures.

Copies are often made of analogue data media as well, for example old files in storage rooms that have not been used for a long time. These copies also need to be destroyed.

For information with high or very high protection requirements, the deletion and destruction must be documented, especially when disposing of analogue and digital data media.

Review questions:

© Federal Office for Information Security. All rights reserved.