Data is destroyed or securely removed from IT and OT assets prior to redeployment and at end of life
Context and Guidance: Data is permanently removed (that is, deleted in a way that makes data recovery impossible) from IT assets (computers, scanners, copiers, printers, etc.) and OT assets before they are reused or released for disposal. Selection of data removal and destruction techniques should be commensurate with the organisation’s cybersecurity requirements. Data removal techniques, including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction, prevent the disclosure of information to unauthorised individuals when such media is reused. Destruction of data might also be achieved through destruction of the media on which it is stored (such as physical destruction of a hard drive). Assets such as mobile devices that are more likely to change location or ownership may require additional activities to ensure data is not accessed by unauthorised individuals. This may include full disk encryption of laptops or remote data removal for mobile devices. Additionally, consider assets that may be out of the direct control of the organisation for maintenance, dormant virtual machines, virtual machine backups, and virtual machine snapshots, which may include sensitive data and should be destroyed when no longer needed.