Data Destruction Procedure
© Distributed by Resilify.io under a Creative Commons Share Alike License.
Document Information
Version Control
Owner | Version | Edited By | Date | Change History
User | 1 | Assent | DD/01/2016 | First Draft
Distribution
Held By | Format | Location | Comments
User | Digital / Physical | |
Status
X Status Approved By Date
X Draft DD/MM/YYYY
Final Draft
Published
Withdrawn
Classification
Confidential
X Restricted
Unclassified
Relevance to Standard
License
Contents
Document Information
Contents
Data Destruction Procedure Content
1.0 Types of Data & Reasons to Securely Destroy
2.0 Audit Trail
3.0 Digital Data Destruction
3.1 Physical Storage of Media
3.2 In-House Data Destruction
3.3 External Data Destruction
3.4 Reuse of Equipment
Data Destruction Procedure Content
The company takes the confidentiality of its data very seriously, and it’s important for
legal, contractual, and reputational reasons that data is destroyed securely when no
longer required.
Digital | Physical
Emails & Attachments | Customer Related Paperwork
USB Memory | Government Correspondence
Laptop & PC Hard Drives | Note paper / Post-its
Mobile Phones | Statements & Financial Information
See the company’s record list.
The company will take appropriate steps to destroy data according to its
classification. See ISMS01, Information Classification and Handling.
It’s important to maintain traceability of data assets and keep appropriate records of
their whereabouts and destruction status.
The asset inventory will be updated when assets are stored in the IT office or
removed from site.
When assets are removed from site, a transfer note containing the asset ID and/or
serial number of each asset collected will be maintained.
Where paper records are removed from site, the number of sacks and date of
collection will be recorded on the transfer note.
NOTE: Please remember that data can still be recovered from a drive after you
have deleted it using the operating system (Windows or OSX).
3.1 Physical Storage of Media
Media from Servers, SANs, NAS or other devices that are likely to
contain data classified as ‘confidential’ will additionally be sent to an
approved external party for destruction. See 3.3 below.
An approved supplier will be used for data destruction and will provide
either of the following:
When equipment is to be reused within the business, all data and user
profiles will be removed prior to re-issue.
The IT department will take all further actions they consider necessary to
reduce the risk of users gaining unauthorised access to information that
may have previously been on the machine.
It is company policy NOT to allow equipment to be re-used outside the
business.
The shredder will be emptied nightly into the recycling waste stream.
Sacks collected from the secure bins will be securely tied with a unique
reference number for each sack.