Control 8.10: Information Deletion
Summary
Information stored in information systems, devices, or any other storage media should be deleted when no longer required. This minimizes the risk of data leakage and ensures compliance with privacy regulations like Law 25.
Applicability
In-Scope: Mandatory for reducing the organization's data footprint and meeting legal requirements for data destruction once the retention period has ended.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Retention Policies: Use Microsoft Purview Data Lifecycle Management to configure policies that automatically delete data (emails, documents, chats) after a specific period.
- Manual Deletion: Educate users on the secure deletion of files and ensure that emptying the trash or permanently deleting items is part of standard data handling procedures.
- Disposition Review: Implement a disposition review process in Microsoft Purview to ensure that a human reviewer approves the deletion of sensitive records before they are purged.
Evidence Checklist
- Data Deletion Policy: Rules defining when and how information should be securely deleted.
- Retention Schedules: A document mapping different types of data to their respective deletion timelines.
- Disposition Logs: Records from Microsoft Purview showing that data was successfully deleted in accordance with the established policies.
Practical Audit Advice
Here are some questions the auditor might ask:
- How do you ensure that data is irretrievably deleted rather than just hidden or moved to a recycle bin?
- What process is in place to ensure that shadow IT or local copies of files are included in the deletion process?
- Can you demonstrate how the organization identifies and deletes data associated with a specific project or client once the contract ends?
- How do you handle deletion requests from individuals to ensure all instances of their data are removed?