ISO 27001:2022 A 8.10 Information deletion

A fundamental principle of information security is that information that is not necessary for the business should not be kept. This principle is known as data minimization, and it is meant to protect against unnecessary and disproportionate harm in the event of a security breach. The most common way to apply it is to enact and enforce information retention and deletion policies across the organization. These address the deletion of information when it is no longer needed or when storage times exceed documented retention periods. The intent is to limit the potential for leakage of sensitive data and to comply with privacy and other applicable requirements. Deletion may cover data in IT systems, on removable media, or in cloud services.

Information should be deleted when it is no longer needed for authorized purposes. The period for which information remains necessary for authorized purposes, however, is not standardized across organizations, industries, or operations. Determining the appropriate period requires knowledge of the information a company holds, how it is classified (for example, whether it includes personal information), how it is used in the business, and any laws applicable to its retention. The usual means of determining this period is to develop and document information retention policies and schedules.

An information retention policy is a corporate policy that goes beyond statutory legal requirements and directs operations on which information the company should retain, delete, or retain for a period and then delete. For information that policy permits to be retained for a given period and then requires to be deleted, the retention period is generally documented in a retention schedule. Both the policy and the schedule should reflect the types of information the company has, the laws applicable to its retention, and the risk position of the company.

Control

Information stored in information systems, devices or in any other storage media should be deleted when no longer required.

Purpose

To prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.

ISO 27002 Implementation Guidance

General
To reduce the risk of undesirable disclosure, sensitive information should not be kept for longer than it is required. When deleting information on systems, applications and services, the following should be considered:

  1. selecting a deletion method (e.g. electronic overwriting or cryptographic erasure) in accordance with business requirements and taking into consideration relevant laws and regulations;
  2. recording the results of deletion as evidence;
  3. when using service suppliers of information deletion, obtaining evidence of information deletion from them.

Where third parties store the organization’s information on its behalf, the organization should consider including information deletion requirements in the third-party agreements, so that deletion can be enforced during and upon termination of such services.

Deletion methods
In accordance with the organization’s topic-specific policy on data retention and taking into consideration relevant legislation and regulations, sensitive information should be deleted when no longer required, by:

  1. configuring systems to securely destroy information when no longer required (e.g. after a defined period subject to the topic-specific policy on data retention or by subject access request);
  2. deleting obsolete versions, copies and temporary files wherever they are located;
  3. using approved, secure deletion software to permanently delete information to help ensure information cannot be recovered by using specialist recovery or forensic tools;
  4. using approved, certified providers of secure disposal services;
  5. using disposal mechanisms appropriate for the type of storage media being disposed of (e.g. degaussing hard disk drives and other magnetic storage media).

Where cloud services are used, the organization should verify whether the deletion method provided by the cloud service provider is acceptable and, if so, use it or request that the cloud service provider delete the information. These deletion processes should be automated in accordance with topic-specific policies, when available and applicable. Depending on the sensitivity of the information deleted, logs can track or verify that these deletion processes have happened.

To avoid the unintentional exposure of sensitive information when equipment is being sent back to vendors, sensitive information should be protected by removing auxiliary storage (e.g. hard disk drives) and memory before the equipment leaves the organization’s premises. Considering that the secure deletion of some devices (e.g. smartphones) can only be achieved through destruction or by using the functions embedded in these devices (e.g. “restore factory settings”), the organization should choose the appropriate method according to the classification of information handled by such devices. The control measures described in the clause on secure disposal or re-use of equipment should be applied to physically destroy the storage device and simultaneously delete the information it contains. An official record of information deletion is useful when analyzing the cause of a possible information leakage event.

There are a variety of methods for deleting data. They vary in effectiveness, from simply pressing the Delete key on a personal computer to physical destruction of the media on which the data is stored. The best method of data deletion can be determined from the type and nature of the data and the risk associated with its exposure. As well as managing the ongoing use of data and information on internal servers and storage devices (HDDs, arrays, USB drives etc.), organisations need to be acutely aware of their obligations to remove and delete any data held on employees, users, customers or organisations when it is reasonably necessary to do so (usually when it is no longer needed).

It can sometimes be difficult to ascertain when data should be deleted. As a general rule, organisations are to delete data when it is no longer required, in order to minimize what is referred to as undesirable disclosure – i.e. data being viewed by, or passed on to, individuals and organisations that are not authorized to access it. In accordance with this guideline, when the time comes to delete data, organisations should:

  • Opt for an appropriate deletion method that fulfils any prevailing laws or regulations. Techniques include standard deletion, overwriting or cryptographic erasure.
  • Log the results of the deletion for future reference.
  • Ensure that, if a specialised deletion vendor is used, the organisation obtains adequate proof (usually via documentation) that the deletion has been carried out.
  • If a third-party vendor is being used, organisations should stipulate their precise requirements, including deletion methods and timescales, and ensure that deletion activities are covered under a binding agreement.

When formulating a deletion process, organisations should:

  • Configure internal systems to delete data and information in accordance with the organisation’s topic-specific policy on retention.
  • Ensure that deletion extends to temporary files, cached information, copies of data and legacy versions.
  • Consider using specialized deletion utility applications to minimize risk.
  • Only contract out to certified, verifiable deletion specialists if a third-party service is needed.
  • Implement physical deletion measures that are appropriate to the device in question (e.g. degaussing magnetic storage media, restoring factory settings on a smartphone or physical destruction).
  • Ensure that cloud service providers are aligned with the organisation’s own deletion requirements (as far as is possible).

When shipping equipment (notably servers and workstations) to vendors, organisations should remove any internal or external storage devices before doing so. There should be full traceability and record keeping to evidence which information assets have been destroyed and how. For physical drives this may include recording the serial numbers of the hard drives; however, serial numbers alone may not be enough to maintain a complete audit trail of the data. When using service suppliers for information deletion it is important to obtain evidence of information deletion from them, and to conduct enough due diligence to be satisfied that the process has been completed effectively. An official record of information deletion is useful when analysing the cause of a possible information leakage event.
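The guidance above asks for two things in combination: a deletion method chosen to fit the data (overwriting or cryptographic erasure among them) and a record of the result kept as evidence. The following is an added example, not text or code from the standard or from this article, showing both methods applied to data in Python with an evidence record returned for each. HMAC-SHA256 in counter mode stands in for a production cipher such as AES-GCM (which would need a third-party library), the KeyStore class stands in for a KMS or HSM, and every key id, file content and sample value is constructed for the example.

```python
# Added example (not from the standard or this article): two deletion methods
# with an evidence record for each. HMAC-SHA256 in counter mode stands in for a
# production cipher such as AES-GCM; KeyStore stands in for a KMS/HSM.
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

def _keystream(key, nonce, length):
    """PRF keystream: HMAC-SHA256(key, nonce || counter), one 32-byte block per counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext):
    """Encrypt under a fresh nonce; XOR makes encrypt and decrypt the same operation."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return {"nonce": nonce, "ciphertext": bytes(a ^ b for a, b in zip(plaintext, ks))}

def decrypt(key, envelope):
    ks = _keystream(key, envelope["nonce"], len(envelope["ciphertext"]))
    return bytes(a ^ b for a, b in zip(envelope["ciphertext"], ks))

class KeyStore:
    """Stand-in for a KMS/HSM: keys live here, ciphertext lives anywhere (backups, cloud)."""
    def __init__(self):
        self._keys = {}

    def create(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
        return self._keys[key_id]

    def get(self, key_id):
        return self._keys.get(key_id)

    def destroy(self, key_id):
        # Cryptographic erasure: with the key gone, every copy of the ciphertext
        # (live system, backup, cloud snapshot) becomes unrecoverable at once.
        return self._keys.pop(key_id, None) is not None

def evidence(asset_id, method, result, **details):
    """Deletion record kept as evidence ('recording the results of deletion')."""
    record = {"asset_id": asset_id, "method": method, "result": result,
              "timestamp": datetime.now(timezone.utc).isoformat()}
    record.update(details)
    return record

def overwrite_and_unlink(path, passes=1):
    """Overwrite a file's bytes in place with zeros, then remove it.
    Caveat: on SSDs and copy-on-write or journaling filesystems the old blocks
    may survive an in-place overwrite, so media-appropriate disposal still applies."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        sha256_before = hashlib.sha256(f.read()).hexdigest()  # identifies what was destroyed
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(b"\x00" * size)
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return evidence(path, "overwrite", "deleted",
                    bytes_overwritten=size, passes=passes, sha256_before=sha256_before)

def crypto_erase(store, key_id, asset_id):
    destroyed = store.destroy(key_id)
    return evidence(asset_id, "cryptographic_erasure",
                    "deleted" if destroyed else "key_not_found", key_id=key_id)

def demo():
    store = KeyStore()
    key = store.create("customer-export-key")          # constructed key id
    secret = b"name=A. Sample; account=0000 (constructed sample data)"
    envelope = encrypt(key, secret)
    assert decrypt(store.get("customer-export-key"), envelope) == secret
    backup_copy = dict(envelope)                        # a copy we cannot reach, e.g. an old backup
    erase_record = crypto_erase(store, "customer-export-key", "customer-export")
    # Without the key, recovery from the backup copy reduces to guessing the key.
    recovered = decrypt(secrets.token_bytes(32), backup_copy) == secret
    fd, path = tempfile.mkstemp(suffix=".tmp")
    with os.fdopen(fd, "wb") as f:
        f.write(b"temporary report copy (constructed)\n")
    overwrite_record = overwrite_and_unlink(path)
    return {"crypto_erase": erase_record, "overwrite": overwrite_record,
            "recovered_after_erase": recovered, "file_still_exists": os.path.exists(path)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two methods suit different situations. Cryptographic erasure is the one that reaches copies the organisation cannot touch directly (cloud snapshots, offsite backups, a vendor's media), provided the data was encrypted from the start and the key never travelled with it; destroying the key is then the single auditable event. In-place overwriting only addresses the copy in front of you, and on flash media or copy-on-write filesystems it may not even reach the physical blocks, which is why the evidence record carries the method used and why media-specific disposal remains in the list above.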

Businesses must only keep personal data as long as necessary and only for the purposes they have specified. To manage this legal obligation successfully, you’ll need to start with an up-to-date data retention policy and schedule. These should clearly identify which types of personal data your business processes, for what purposes, how long each should typically be kept and under what circumstances you might need to hold it for longer. These are the five key steps to follow when an agreed retention period (as shown on your retention schedule) is reached:

  • Identify the relevant records which have reached their retention period
  • Notify the relevant business owner to confirm they are no longer needed
  • Consider any changes in circumstances which may require longer retention of the data
  • Make a decision on what happens to the data
  • Document the decision and keep evidence of the action

There are different approaches an organisation can take when the data retention period is reached, such as:

  • Delete it – usually the default option
  • Anonymise it
  • Securely destroy it – for physical records, such as HR files

Deletion of records might seem the obvious choice, and it’s often the best one too. But take care how you delete data. Sometimes deleting whole records can affect key processes on your systems such as reporting, algorithms and other programs. There are software methods of deleting data which may involve removing whole records from a dataset or overwriting them, for example using zeros and ones to overwrite the personal identifiers in the data. Once the personal identifiers are overwritten, that data is rendered unrecoverable and is therefore no longer classed as personal data.

This deletion process should include backup copies of data. Whilst personal data may be instantly deleted from live systems, it may still remain within the backup environment until it is overwritten. If the backup data cannot be immediately overwritten it must be put ‘beyond use’, i.e. you must make sure the data is not used for any other purpose and is simply held on your systems until it is replaced, in line with an established schedule.

Destruction is the final action for about 95% of most organisations’ physical records. Physical destruction may include shredding, pulping or burning paper records. Destruction is likely to be the best course of action for physical records when the organisation no longer needs to keep the data and does not need to hold it in an anonymised format. Controllers are accountable for the way personal data is processed and consequently the disposal decision should be documented in a disposal schedule.

Many organisations use other organisations to manage the disposal or destruction of their physical records. There are benefits to using third parties, such as reducing in-house storage costs. Remember, third parties providing this kind of service will be regarded as a data processor, so you’ll need to make sure an appropriate contract is in place which includes the usual data protection clauses. Destruction may be carried out remotely following an agreed process. For instance, a processor might provide regular notifications of batches due to be destroyed in line with documented retention periods.

Retention periods will also apply to unstructured data which contains personal identifiers, the most common being electronic communications records such as emails, instant messages, call recordings and so on. As you can imagine, unstructured data records present some real challenges. You’ll need to be able to review the records to find any personal data stored there, so it can be deleted in line with your retention schedules or in response to an erasure request. Depending on the size of your organisation, you may need to use specialist software tools to perform content analysis of unstructured data.
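The five review steps listed earlier (identify, confirm with the owner, consider changed circumstances, decide, document) and the delete / anonymise / retain choice discussed above can be carried through as one procedure over a dataset. The Python below is an added example, not code from this article: records whose retention period has passed are identified from a schedule, a legal-hold set stands in for "changes in circumstances", the decision is delete, anonymise or retain, and every decision is written to an evidence log. Anonymisation overwrites the personal identifier fields in place while leaving the fields that reports depend on intact, which is the point made above about deleting whole records breaking reporting. The schedule periods, field names, legal holds and sample records are all constructed, and `owner_confirms` is a hypothetical callback standing in for the business owner's confirmation.

```python
# Added example (not from the article): a retention review implementing the
# five steps, with in-place anonymisation and an evidence log. All schedule
# values, field names and records are constructed for illustration.
from datetime import date, timedelta

# Retention schedule (constructed): category -> (retention period, default action).
SCHEDULE = {
    "hr_file":        (timedelta(days=6 * 365), "destroy"),    # physical records
    "order":          (timedelta(days=7 * 365), "anonymise"),  # keep for sales reporting
    "support_ticket": (timedelta(days=2 * 365), "delete"),
}
# Fields that make a record personal data; everything else may stay for reporting.
IDENTIFIER_FIELDS = ("name", "email", "phone", "address")

def expired(record, as_of):
    """Step 1: has this record reached the end of its scheduled retention period?"""
    period, _ = SCHEDULE[record["category"]]
    return record["created"] + period <= as_of

def anonymise(record):
    """Overwrite identifiers in place; non-personal fields stay usable for reports."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in out:
            out[field] = None
    out["anonymised"] = True
    return out

def review(records, legal_holds, as_of, owner_confirms):
    """Run the five steps over a dataset.
    owner_confirms(record) is a hypothetical callback for step 2 (the business
    owner confirming the record is no longer needed). Returns the surviving
    dataset and the evidence log for step 5."""
    kept, log = [], []
    for rec in records:
        if not expired(rec, as_of):
            kept.append(rec)                              # still within retention
            continue
        _, default_action = SCHEDULE[rec["category"]]
        if rec["id"] in legal_holds:                      # step 3: changed circumstances
            action, reason = "retain", "legal hold"
        elif not owner_confirms(rec):                     # step 2: owner still needs it
            action, reason = "retain", "owner still requires"
        else:                                             # step 4: the decision
            action, reason = default_action, "retention period reached"
        if action == "retain":
            kept.append(rec)
        elif action == "anonymise":
            kept.append(anonymise(rec))
        # "delete" / "destroy": the record leaves the dataset. Backups holding the
        # same record must follow the same schedule or be put beyond use.
        log.append({"id": rec["id"], "category": rec["category"], "action": action,
                    "reason": reason, "reviewed_on": as_of.isoformat()})
    return kept, log

# Constructed sample dataset.
RECORDS = [
    {"id": "T-1", "category": "support_ticket", "created": date(2019, 3, 1),
     "name": "A. Sample", "email": "a@example.invalid", "summary": "login issue"},
    {"id": "O-7", "category": "order", "created": date(2015, 6, 15),
     "name": "B. Sample", "address": "1 Example St", "region": "North", "total": 120.0},
    {"id": "H-3", "category": "hr_file", "created": date(2014, 1, 10),
     "name": "C. Sample", "phone": "000", "dept": "Finance"},
    {"id": "T-9", "category": "support_ticket", "created": date(2023, 9, 1),
     "name": "D. Sample", "email": "d@example.invalid", "summary": "billing question"},
]

def run_demo():
    """Review the sample dataset as of 2024-01-01 with H-3 under legal hold."""
    return review(RECORDS, legal_holds={"H-3"}, as_of=date(2024, 1, 1),
                  owner_confirms=lambda r: True)

if __name__ == "__main__":
    kept, log = run_demo()
    for entry in log:
        print(entry)
    print("surviving records:", [r["id"] for r in kept])
```

Run as of 2024-01-01, the ticket T-1 is deleted, the order O-7 loses its name and address but keeps region and total for reporting, the HR file H-3 is past its period but retained under legal hold with that reason logged, and T-9 is untouched because it is still within retention. The log is the evidence the last step asks for; records that were never due for review do not appear in it.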
