Evidence for A.8.10 Information Deletion would include:
- Deletion Policy: Documentation of a formal information deletion policy that outlines the organization's approach to securely and permanently deleting data when it is no longer needed.
- Data Retention Schedule: A schedule or plan indicating the retention periods for different types of data and when data should be deleted after it has met its retention requirements.
- Deletion Procedures: Detailed procedures and guidelines on how data deletion is carried out, ensuring that data is securely erased from storage media and systems.
- Data Deletion Tools and Technologies: Documentation of the data deletion tools and technologies used by the organization to implement secure data erasure, including information about their configuration and integration with relevant systems.
- Data Deletion Implementation: Evidence of the successful implementation of data deletion techniques on databases, file systems, and other storage media, including logs or records of data deletion activities.
- Verification of Deletion: Processes or mechanisms in place to verify that data has been securely and permanently deleted and cannot be recovered.
- Compliance Documentation: Evidence of compliance with data protection regulations and legal requirements related to data deletion and data privacy.
- Access Controls: Evidence of access controls and permissions granted to users who have the authority to delete data, ensuring that only authorized individuals can perform data deletion activities.
- Training and Awareness: Evidence of training and awareness programs for employees involved in data deletion processes, ensuring they understand the importance of securely deleting data and the potential risks of improper data disposal.
- Data Deletion Audit Logs: Logs or records of data deletion activities, changes, and access, as well as any incidents or anomalies related to data deletion.
These pieces of evidence are used to assess the adequacy and effectiveness of the organization's data deletion controls, ensuring that data is securely and permanently erased when no longer needed and that the data deletion processes comply with relevant regulations and standards.