Delete sensitive data securely
Summary
The system must support the secure removal of sensitive data, guaranteeing that it cannot be recovered.
Description
Systems often store and delete sensitive information protected by government regulations. These regulations usually demand that data be removed after it is no longer required and that its deletion follow secure procedures that prevent it from being recovered.
References
- CWE-212. Improper removal of sensitive information before storage or transfer
- CWE-226. Sensitive information in resource not removed before reuse
- CWE-459. Incomplete cleanup
- EPRIVACY-4_1a. Security of processing
- EPRIVACY-6_1. Traffic data
- GDPR-5_1e. Principles relating to processing of personal data
- NERCCIP-011-2_R2_1. BES cyber asset reuse and disposal
- OWASP10-A2. Cryptographic failures
- SOC2-C1_2. Additional criteria for confidentiality
- SOC2-P4_3. Additional criteria for privacy (related to use, retention, and disposal)
- CCPA-1798_105. Consumer's right to delete personal information
- CERTJ-FIO14-J. Perform proper cleanup at program termination
- NYSHIELD-5575_B_6. Personal and private information
- NYDFS-500_13. Limitations on data retention
- PADSS-1_1_4. Securely delete any track data, card verification values or codes, and PINs or PIN block data stored by application in accordance with industry-accepted standards
- PADSS-2_1. Provide guidance to customers regarding secure deletion of cardholder data
- PDPO-5_26. Erasure of personal data no longer required
- PDPO-S1_4. Security of personal data
- CMMC-MA_L2-3_7_3. Equipment sanitization
- CMMC-MP_L1-3_8_3. Media disposal
- HITRUST-09_p. Disposal of media
- HITRUST-13_l. Retention and disposal
- ISO27002-7_14. Secure disposal or re-use of equipment
- ISO27002-8_10. Information deletion
- LGPD-16. Termination of Data Processing
- LGPD-60. Final and Transitional Provisions
- FERPA-D_35_b_2. Conditions of prior consent required to disclose information
- OWASPSCP-8. Data protection
- NIST800115-7_4_4. Data destruction
- C2M2-1_1_h. Manage IT and OT asset inventory
- PCI-3_2_1. Retain account data only where necessary and deleted when no longer needed
- PCI-9_4_7. Media is secured and tracked when transported
- SIG-I_1_19_2. Application security
- SIG-P_1_3_1. Privacy
- PDPA-6_25. Retention of personal data
- ISO27001-7_14. Secure disposal or re-use of equipment
- ISO27001-8_10. Information deletion
- RESOLSB-Art_26_11_c. Information Security
Weaknesses
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan