Information assets are sanitised or destroyed at end of life using techniques appropriate to their cybersecurity requirements
Context and Guidance: In this practice, sanitisation refers to the removal of sensitive data from an asset in preparation for its reuse. For example, sanitisation might involve removing customer-specific information from a slide presentation so that it can be used again. This should be completed in a manner that prevents the disclosure of information to unauthorised individuals when assets are reused. By contrast, destruction refers to the removal of data so that it cannot be recovered. This involves permanently removing data from IT assets and OT assets when it is no longer needed (that is, deleting it in a way that makes recovery impossible, such as cryptographic erase, de-identification of personally identifiable information (PII), and destruction). The organisation must determine which end-of-life actions are appropriate for information assets and create procedures to ensure compliance with retention guidelines that establish when information assets should be retired. Procedures should include all possible locations where copies of the information might be stored, including system logs.