Delete sensitive data securely
Summary
The system must support the secure removal of sensitive data, guaranteeing that it cannot be recovered.
Description
Systems often store and delete sensitive information protected by government regulations. These regulations usually demand that data be removed after it is no longer required and that its deletion follow secure procedures that prevent it from being recovered.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CWE™-212. Improper removal of sensitive information before storage or transfer
- CWE™-226. Sensitive information in resource not removed before reuse
- CWE™-459. Incomplete cleanup
- ePrivacy Directive-4_1a. Security of processing
- ePrivacy Directive-6_1. Traffic data
- GDPR-5_1e. Principles relating to processing of personal data
- NERC CIP-011-2_R2_1. BES cyber asset reuse and disposal
- OWASP TOP 10-A2. Cryptographic failures
- SOC2®-C1_2. Additional criteria for confidentiality
- SOC2®-P4_3. Additional criteria for privacy (related to use, retention, and disposal)
- NIST Framework-PR_IP-6. Data is destroyed according to policy
- CCPA-1798_105. Consumer's right to delete personal information
- CERT-J-FIO14-J. Perform proper cleanup at program termination
- NY SHIELD Act-5575_B_6. Personal and private information
- NYDFS-500_13. Limitations on data retention
- PA-DSS-1_1_4. Securely delete any track data, card verification values or codes, and PINs or PIN block data stored by application in accordance with industry-accepted standards
- PA-DSS-2_1. Provide guidance to customers regarding secure deletion of cardholder data
- PDPO-5_26. Erasure of personal data no longer required
- PDPO-S1_4. Security of personal data
- CMMC-MA_L2-3_7_3. Equipment sanitization
- CMMC-MP_L1-3_8_3. Media disposal
- HITRUST CSF-09_p. Disposal of media
- HITRUST CSF-13_l. Retention and disposal
- ISO/IEC 27002-7_14. Secure disposal or re-use of equipment
- ISO/IEC 27002-8_10. Information deletion
- LGPD-16. Termination of Data Processing
- LGPD-60. Final and Transitional Provisions
- FERPA-D_35_b_2. Conditions of prior consent required to disclose information
- OWASP SCP-8. Data protection
- NIST 800-115-7_4_4. Data destruction
- C2M2-1_1_h. Manage IT and OT asset inventory
- PCI DSS-3_2_1. Retain account data only where necessary and deleted when no longer needed
- PCI DSS-9_4_7. Media is secured and tracked when transported
- SIG Core-I_1_19_2. Application security
- SIG Core-P_1_3_1. Privacy
- PDPA-6_25. Retention of personal data
- ISO/IEC 27001-7_14. Secure disposal or re-use of equipment
- ISO/IEC 27001-8_10. Information deletion
- Resolution SB 2021 2126-Art_26_11_c. Information Security
Vulnerabilities
free trial
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.