183 – Delete sensitive data securely

Summary

The system must support the secure removal of sensitive data, guaranteeing that it cannot be recovered.

Description

Systems often store and delete sensitive information protected by government regulations. These regulations usually demand that data be removed after it is no longer required and that its deletion follow secure procedures that prevent it from being recovered.

Supported In

Essential: True

Advanced: True

References

• CWE-212. Improper removal of sensitive information before storage or transfer
• CWE-226. Sensitive information in resource not removed before reuse
• CWE-459. Incomplete cleanup
• EPRIVACY-4_1a. Security of processing
• EPRIVACY-6_1. Traffic data
• GDPR-5_1e. Principles relating to processing of personal data
• NERCCIP-011-2_R2_1. BES cyber asset reuse and disposal
• OWASP10-A2. Cryptographic failures
• SOC2-C1_2. Additional criteria for confidentiality
• SOC2-P4_3. Additional criteria for privacy (related to use, retention, and disposal)
• CCPA-1798_105. Consumer's right to delete personal information
• CERTJ-FIO14-J. Perform proper cleanup at program termination
• NYSHIELD-5575_B_6. Personal and private information
• NYDFS-500_13. Limitations on data retention
• PADSS-1_1_4. Securely delete any track data, card verification values or codes, and PINs or PIN block data stored by application in accordance with industry-accepted standards
• PADSS-2_1. Provide guidance to customers regarding secure deletion of cardholder data
• PDPO-5_26. Erasure of personal data no longer required
• PDPO-S1_4. Security of personal data
• CMMC-MA_L2-3_7_3. Equipment sanitization
• CMMC-MP_L1-3_8_3. Media disposal
• HITRUST-09_p. Disposal of media
• HITRUST-13_l. Retention and disposal
• ISO27002-7_14. Secure disposal or re-use of equipment
• ISO27002-8_10. Information deletion
• LGPD-16. Termination of Data Processing
• LGPD-60. Final and Transitional Provisions
• FERPA-D_35_b_2. Conditions of prior consent required to disclose information
• OWASPSCP-8. Data protection
• NIST800115-7_4_4. Data destruction
• C2M2-1_1_h. Manage IT and OT asset inventory
• PCI-3_2_1. Retain account data only where necessary and deleted when no longer needed
• PCI-9_4_7. Media is secured and tracked when transported
• SIG-I_1_19_2. Application security
• SIG-P_1_3_1. Privacy
• PDPA-6_25. Retention of personal data
• ISO27001-7_14. Secure disposal or re-use of equipment
• ISO27001-8_10. Information deletion
• RESOLSB-Art_26_11_c. Information Security

Weaknesses

• 082 – Insecurely deleted files

Last updated

2023/09/18