CYBERINFO

Control 7.14: Secure Disposal or Re-Use of Equipment (ISO/IEC 27001:2022, Annex A)


Summary

Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or re-use.


Applicability

In-Scope: Applies to every organization that retires, resells, returns, or redeploys hardware containing storage media. It prevents data breaches caused by retired equipment by ensuring that sensitive information is not exposed when laptops, drives, or multifunctional devices leave the organization's control.

Out-of-Scope: Effectively never. Any organization that uses physical storage media, including leased devices and printers with internal disks, is in scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Remote Wipe: Use Microsoft Intune to issue a Wipe action (factory reset) on any managed device before it is collected for disposal or reassigned to a new user. Note that Retire only removes managed apps and data, so it is not a substitute for Wipe, and that a remote wipe completes only when the device comes online and checks in; confirm the action state in the device's action history before the hardware leaves your control.

  • Encryption Advantage: By enforcing BitLocker via Intune, data on a drive remains unreadable even if the drive is physically discarded, provided the key protectors are removed (or the TPM is cleared) and the recovery key escrowed in Entra ID is deleted or rotated upon disposal. Two caveats: a whole laptop disposed of with an intact TPM can still unlock its own drive, so wipe it first; and "used space only" encryption leaves previously deleted data in cleartext, so full-disk encryption is required for this crypto-erase argument to hold.

  • Data Destruction: Engage a certified third-party vendor for the physical destruction (shredding) of drives that have reached the end of their functional lifecycle or that cannot be reliably wiped (failed drives, media without a supported sanitize command). Record serial numbers at handover so the vendor's certificate can be matched to your asset register.


Evidence Checklist

  • Disposal Policy: Documented procedures for the secure wiping and physical destruction of all storage media types.

  • Certificates of Destruction: Formal documents from a certified vendor proving that specific, serialized hardware was physically destroyed.

  • Wipe Logs: Reports from Microsoft Intune or specialized wiping software showing that a secure wipe completed successfully on a specific device (serial number, date, method, and the person who verified it). Retain these for the same period as the asset disposal records.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What technical standard do you use for secure wiping (e.g., NIST SP 800-88) to ensure data cannot be recovered using forensic tools, and how do you verify the result rather than relying on the tool's own completion message?

  • How do you ensure that multifunctional devices, such as printers and photocopiers, have their internal storage wiped before being returned to a leasing company?

  • Can you provide a Certificate of Destruction for the most recent batch of retired laptops or hard drives?

  • Who is responsible for verifying that a device has been fully sanitized before it is permitted to leave the premises for disposal or recycling?
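The NIST SP 800-88 question above is usually answered with the wiping tool's own log, but the standard also calls for verifying the result, and Intune wipe reports do not cover loose drives or the disks pulled from printers and copiers. The following script is an added example, not code from this page: a POSIX shell function that samples random blocks from a device or disk image after sanitisation and flags any non-zero byte, printing per-block evidence lines that can be filed alongside the wipe log. It assumes the sanitisation left the media all-zero (as ATA Secure Erase, NVMe sanitize, blkdiscard and dd if=/dev/zero normally do); the function name, output format and the always-check-first-and-last-block rule are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original page: sample-based verification
# that a drive (or disk image) was actually overwritten, the "verify" step
# NIST SP 800-88 Rev. 1 expects after a Clear or Purge operation.
# Assumptions (not from the page): the sanitisation left the media all-zero;
# POSIX sh with dd, od, awk, sort and grep; root access for raw devices.
#
# verify_wipe DEVICE [SAMPLES] [BLOCK_SIZE]
#   Reads SAMPLES random blocks of BLOCK_SIZE bytes (default 64 x 4096),
#   always including the first and last block (partition tables and the
#   backup GPT live there). If SAMPLES >= number of blocks, every block is
#   read instead. The trailing partial block (size mod BLOCK_SIZE) is not
#   sampled. Prints one evidence line per block, then a summary line.
#   Exit status: 0 = all checked blocks zero, 1 = residual data or read
#   error found, 2 = device unreadable or empty.
verify_wipe() {
    dev=$1
    samples=${2:-64}
    bs=${3:-4096}

    # Size in bytes: blockdev handles block devices on Linux; wc -c covers
    # regular files (disk images) and systems without blockdev.
    size=$(blockdev --getsize64 "$dev" 2>/dev/null || wc -c < "$dev")
    size=$(printf '%s' "$size" | tr -d ' ')
    [ -n "$size" ] && [ "$size" -gt 0 ] || return 2

    nblocks=$((size / bs))
    if [ "$nblocks" -eq 0 ]; then nblocks=1; bs=$size; fi

    # Choose the block indexes to read: everything, or a random sample
    # that always contains block 0 and the last block.
    if [ "$samples" -ge "$nblocks" ]; then
        mode=full
        offsets=$(awk -v n="$nblocks" 'BEGIN { for (i = 0; i < n; i++) print i }')
    else
        mode=sampled
        offsets=$(awk -v n="$samples" -v max="$nblocks" 'BEGIN {
            srand(); print 0; print max - 1
            for (i = 0; i < n; i++) print int(rand() * max) }' | sort -n -u)
    fi

    tmpblk=$(mktemp) || return 2
    bad=0; checked=0
    for blk in $offsets; do
        checked=$((checked + 1))
        off=$((blk * bs))
        # A read error must count as a failure: an unreadable block is not
        # a verified block, and a failing drive still goes to the shredder.
        if ! dd if="$dev" of="$tmpblk" bs="$bs" skip="$blk" count=1 2>/dev/null \
           || [ "$(wc -c < "$tmpblk" | tr -d ' ')" -ne "$bs" ]; then
            bad=$((bad + 1))
            printf 'block=%s offset=%s status=READ_ERROR\n' "$blk" "$off"
        # od prints hex bytes; any character other than '0' or blank means a
        # non-zero byte survived the wipe.
        elif od -An -v -tx1 "$tmpblk" | grep -q '[^0 ]'; then
            bad=$((bad + 1))
            printf 'block=%s offset=%s status=RESIDUAL_DATA\n' "$blk" "$off"
        else
            printf 'block=%s offset=%s status=zero\n' "$blk" "$off"
        fi
    done
    rm -f "$tmpblk"

    # Summary line in the same key=value form, suitable for the evidence file.
    printf 'verify_wipe device=%s date=%s mode=%s block_size=%s blocks_checked=%s bad=%s result=%s\n' \
        "$dev" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$mode" "$bs" "$checked" "$bad" \
        "$([ "$bad" -eq 0 ] && echo PASS || echo FAIL)"
    [ "$bad" -eq 0 ]
}

# Usage (constructed demonstration on a throwaway image rather than a real drive):
#   img=$(mktemp); dd if=/dev/zero of="$img" bs=4096 count=1024 2>/dev/null
#   verify_wipe "$img" 64 4096 | tee "wipe-verify-$(date +%Y%m%d).log"
#   rm -f "$img"
```

Run it as root against the raw device (for example `verify_wipe /dev/sdb 256 >> wipe-evidence.log`) immediately after the erase and before the drive is bagged for the vendor. A SAMPLES value at or above the block count forces a full read, which is what to use when the erase result must be proven rather than spot-checked; a sampling pass only shows that no residual data was found in the blocks it read.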