CON.6 Deletion and Destruction

Description

Introduction

Deletion and destruction constitute an essential component of the lifecycle of information on storage media. The term storage media in this building block encompasses both analogue storage media such as paper or film as well as digital storage media such as hard disks, SSDs or CDs.

When storage media are decommissioned, the information they contain could be exposed if the media have not previously been securely deleted or completely destroyed. This affects not only clients and servers but all IT systems, including IoT devices (e.g. smart TVs) that appear to store only insignificant information. However, IoT devices are often connected via WLAN and store the access credentials required for this. These access credentials can themselves be sensitive information and must not fall into the hands of unauthorised persons.

Ordinary deletion operations using operating system functions do not generally achieve secure deletion that prevents data from being reconstructed. Special procedures are therefore required to securely delete information. However, secure deletion is only effective for storage media in their entirety; for individual files it is usually possible only to a limited extent.

In addition, statutory provisions such as the German Commercial Code or data protection laws have far-reaching consequences for the deletion and destruction of documents. On the one hand, these give rise to retention periods for, for example, business records, balance sheets or contracts, which prohibit early deletion. On the other hand, these statutory provisions give rise to legal claims for the secure and timely deletion of data where, for example, personal data is involved.

Objective

This building block describes how information in institutions is securely deleted and destroyed, and how a corresponding, holistic concept is created.

Scope and Modeling

The building block CON.6 Deletion and Destruction is to be applied once to the entire information network. The building block contains general procedural, technical and organisational requirements for deletion and destruction. The building block only addresses the secure deletion and destruction of complete storage media, since the secure deletion of individual files is in most cases only possible with limitations.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block CON.6 Deletion and Destruction.

Absent or Inadequately Documented Rules for Deletion and Destruction

If there are no secure processes and procedures for the deletion and destruction of information and storage media, or if they are not correctly applied, it is not ensured that confidential information is securely deleted or destroyed. It therefore cannot be foreseen where this information ends up and whether it is accessible to third parties. This risk is particularly high for digital storage media and IT systems that are to be decommissioned, since it is not always immediately apparent what (residual) information they contain. This information could be read out by unauthorised third parties. If this involves particularly sensitive information, such as specially protected personal data under Article 9 GDPR or trade secrets, this can result in heavy fines.

Loss of Confidentiality through Residual Information on Storage Media

Most applications and operating systems do not securely and completely irreversibly delete files by default. Only the references to the files are removed from the management information of the file system, and the blocks belonging to the files are marked as free. The actual content of the blocks on the storage media, however, remains intact and can be reconstructed using appropriate tools. This means that the files can still be accessed — for example if the storage media is passed to third parties or improperly disposed of. This could allow confidential information to reach unauthorised parties.

Swap files, swap partitions or hibernation files also sometimes contain confidential data such as passwords or cryptographic keys. This data is often not protected. It can, for example, be read out when the storage media is removed and reinstalled in a different IT system.

In the ongoing operation of many applications, files also accumulate that are not needed for productive operation, such as browser history. These files can also contain security-relevant information. If swap files or temporary files are not securely deleted, sensitive information, passwords and keys can be misused by unauthorised persons to gain access to further IT systems and data, to gain competitive advantages in the market, or to spy on user behaviour.

Inadequate Involvement of External Service Providers in Deletion and Destruction

If storage media are deleted or destroyed by external service providers, the information they contain could be exposed if there are insufficient rules governing how external service providers are involved in the deletion and destruction process.

Attackers can, for example, steal storage media from inadequately secured collection points, or gain access to residual information if service providers do not securely delete or destroy storage media.

Inappropriate Handling of Defective Storage Media or IT Devices

When storage media malfunction, this does not necessarily mean that the data on them is irreversibly damaged. In many cases, the data — or at least parts of it — can be restored using specialist tools. If defective storage media or IT devices are simply disposed of without the data on them having been deleted or destroyed, the data could be exposed during the disposal process.

Data on defective storage media could also be exposed in warranty or guarantee cases or during repair orders. For example, a defective hard disk may be returned to the manufacturer under warranty. The manufacturer identifies a controller defect and replaces the customer’s defective model with a new one. At the same time, the defective controller is replaced with a new one and the originally defective hard disk is only quickly and therefore insecurely deleted before re-entering the market. Throughout this entire process, sensitive information can be exposed, as it is still on the hard disk.

Requirements

The following are the specific requirements of the building block CON.6 Deletion and Destruction. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled to the extent that it is sensible and appropriate.

Responsibilities             Roles
Primary responsibility       Information Security Officer (ISO)
Additional responsibilities  Employees, Subject Matter Experts, Data Protection Officer, Central Administration, IT Operations

Exactly one role should bear Primary responsibility. There may also be Additional responsibilities. If one of these additional roles has primary responsibility for fulfilling a specific requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

CON.6.A1 Regulation for the Deletion and Destruction of Information (B) [Central Administration, Subject Matter Experts, Data Protection Officer, IT Operations]

The institution MUST regulate the deletion and destruction of information. Subject Matter Experts MUST define, for each specialist procedure or business process, which information must be deleted and disposed of under what conditions.

The statutory provisions MUST be observed, which

  • on the one hand establish minimum retention periods, and
  • on the other hand guarantee maximum retention periods and a right to the secure deletion of personal data.

If personal data is affected, the rules for deletion and destruction relating to personal data MUST be agreed with the Data Protection Officer.

The deletion and destruction of information MUST be regulated for specialist procedures, business processes and IT systems before they are put into productive operation.

CON.6.A2 Proper Deletion and Destruction of Sensitive Resources and Information (B)

Before sensitive information and storage media are disposed of, they MUST be securely deleted or destroyed. For this purpose, the process MUST be clearly regulated. Individual employees MUST be informed of the tasks they must perform for secure deletion and destruction. The process for the deletion and destruction of storage media MUST also cover data backups, where necessary.

The location of destruction facilities on the institution’s premises MUST be clearly regulated. It MUST also be taken into account that information and resources may first be collected and only deleted or destroyed at a later stage. Such a central collection point MUST be secured against unauthorised access.

CON.6.A11 Deletion and Destruction of Storage Media by External Service Providers (B)

If external service providers are commissioned, the process for deletion and destruction MUST be sufficiently secure and traceable. The procedures used by external service providers for secure deletion and destruction MUST at minimum meet the institution’s internal requirements for deletion and destruction procedures.

The companies commissioned with the deletion and destruction SHOULD be regularly checked to ensure that the deletion or destruction process is still being carried out correctly.

CON.6.A12 Minimum Requirements for Deletion and Destruction Procedures (B)

The institution MUST use at minimum the following procedures for the deletion and destruction of sensitive storage media. These procedures SHOULD be reviewed depending on the protection need of the data processed and adjusted if necessary:

  • Digital rewritable storage media MUST be completely overwritten with a stream of random values (e.g. PRNG stream) if they are not used in an encrypted state.
  • If digital storage media are used in an encrypted state, they MUST be deleted by means of a secure deletion of the key, in compliance with the cryptographic concept.
  • Optical storage media MUST be destroyed in accordance with at least security level O-3 as per ISO/IEC 21964-2.
  • Smartphones or other smart devices SHOULD be encrypted in accordance with the cryptographic concept. Smartphones or other smart devices MUST be reset to factory settings (factory reset). The setup process SHOULD then be carried out to complete the deletion process.
  • IoT devices MUST be reset to factory state. Subsequently, all access credentials stored in the IoT devices MUST be changed.
  • Paper MUST be destroyed in accordance with at least security level P-3 as per ISO/IEC 21964-2.
  • Storage media integrated in other devices MUST be securely deleted using the integrated functions. If this is not possible, the mass storage MUST be removed and either securely deleted from a separate IT system like conventional digital storage media, or destroyed in accordance with at least security level E-3 or H-3 as per ISO/IEC 21964-2.
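As an added example (not part of the BSI building block text), the following Python script illustrates the residual-information threat described in the threat landscape above together with the first bullet of CON.6.A12 on a constructed in-memory storage medium: an ordinary delete only clears the allocation marks and the content remains findable by a raw scan, while a full overwrite with a random stream followed by an entropy check gives evidence that the medium has been sanitised. The block layout, allocation table, secret value and entropy threshold are assumptions constructed for this example.

```python
import math
import os
from collections import Counter

BLOCK = 512   # assumed block size of the constructed medium
BLOCKS = 64   # constructed: a tiny 32 KiB "storage medium" held in memory

# Constructed sample content: a WLAN credential as an IoT device might store it.
SECRET = b"wlan-psk=ExampleConstructedSecret-0123"

def new_medium():
    """Return an empty medium and its allocation table (block index -> in use)."""
    return bytearray(BLOCK * BLOCKS), [False] * BLOCKS

def write_file(medium, alloc, data):
    """Store data in the first free blocks, mark them allocated, return their indices."""
    used = []
    for i in range(BLOCKS):
        if not data:
            break
        if not alloc[i]:
            chunk, data = data[:BLOCK], data[BLOCK:]
            medium[i * BLOCK:i * BLOCK + len(chunk)] = chunk
            alloc[i] = True
            used.append(i)
    return used

def os_delete(alloc, blocks):
    """Ordinary delete: only the allocation marks are cleared; block content stays intact."""
    for i in blocks:
        alloc[i] = False

def residue_present(medium, marker):
    """Raw scan of the medium for a known marker, ignoring the allocation table."""
    return bytes(medium).find(marker) != -1

def overwrite_random(medium):
    """CON.6.A12: overwrite the whole medium with a stream of random values."""
    medium[:] = os.urandom(len(medium))

def block_entropy(block):
    """Shannon entropy of the byte distribution in one block (0..8 bits per byte)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def verify_sanitized(medium, marker, min_entropy=7.0):
    """Accept only if the marker is gone and every block looks random (high byte entropy)."""
    if residue_present(medium, marker):
        return False
    return all(block_entropy(medium[i * BLOCK:(i + 1) * BLOCK]) >= min_entropy
               for i in range(BLOCKS))
```

On real hardware the whole block device is overwritten rather than a file, and for SSDs the key-deletion route in the second bullet is preferable, since a host-side overwrite does not reach wear-levelled spare areas.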

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.

CON.6.A3 DISCONTINUED (S)

This requirement has been discontinued.

CON.6.A4 Selection of Appropriate Procedures for the Deletion or Destruction of Storage Media (S)

The institution SHOULD examine whether the minimum requirements for deletion and destruction procedures (see CON.6.A12 Minimum Requirements for Deletion and Destruction Procedures) are sufficiently secure for the storage media actually used and the information contained on them. On the basis of this result, the institution SHOULD determine appropriate deletion and destruction procedures for each type of storage media.

For all types of storage media used that are destroyed or deleted by the institution itself, there SHOULD be appropriate devices and tools with which the responsible employees can delete or destroy the stored information. The selected procedures SHOULD be known to all responsible employees.

The institution SHOULD regularly check whether the chosen procedures still correspond to the state of the art and remain sufficiently secure for the institution.

CON.6.A5 DISCONTINUED (S)

This requirement has been discontinued.

CON.6.A6 DISCONTINUED (S)

This requirement has been discontinued.

CON.6.A7 DISCONTINUED (S)

This requirement has been discontinued.

CON.6.A8 Creation of a Policy for the Deletion and Destruction of Information (S) [Employees, IT Operations, Data Protection Officer]

The institution’s rules for deletion and destruction SHOULD be documented in a policy. The policy SHOULD be known to all relevant employees of the institution and form the basis for their work and conduct. In terms of content, the policy SHOULD cover all storage media, applications, IT systems and other resources and information affected by deletion and destruction. It SHOULD be regularly and randomly checked whether employees are complying with the policy. The policy SHOULD be regularly updated.

CON.6.A9 DISCONTINUED (S)

This requirement has been discontinued.

CON.6.A13 Destruction of Defective Digital Storage Media (S)

If digital storage media containing sensitive information cannot be securely deleted in accordance with the storage media deletion procedures due to a defect, they SHOULD be destroyed in accordance with at least security level 3 as per ISO/IEC 21964-2.

Alternatively, where defective storage media are to be exchanged or repaired, it SHOULD be contractually agreed with the service providers commissioned that these storage media are securely destroyed or deleted by the service providers. The service providers’ procedures SHOULD meet at minimum the institution’s internal requirements for deletion and destruction procedures.

Requirements for High Protection Needs

The following are examples of proposed requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

CON.6.A10 DISCONTINUED (H)

This requirement has been discontinued.

CON.6.A14 Destruction of Storage Media at Elevated Security Level (H)

The institution SHOULD determine the required security level for the destruction of storage media in accordance with ISO/IEC 21964-1, based on the protection need of the storage media to be destroyed. The storage media SHOULD be destroyed in accordance with the assigned security level as per ISO/IEC 21964-2.

Additional Information

Good to Know

The International Organization for Standardization (ISO) provides specifications for the handling of media and information — which also encompass deletion and destruction — in the standard ISO/IEC 27001:2013 in Annex A “A.8.3 Media handling”.

The International Organization for Standardization (ISO) has published documents on the destruction of storage media in the ISO/IEC 21964 standard series “Information technology - Destruction of data carriers”, which builds upon the DIN standard series DIN 66399 “Office and data technology - Destruction of data media”:

  • Part 1: Principles and definitions
  • Part 2: Requirements for equipment for destruction of data carriers
  • Part 3: Process of destruction of data carriers

The National Institute of Standards and Technology provides guidelines for deletion and destruction in NIST Special Publication 800-88 “Guidelines for Media Sanitization”.