da-4 Medium priority Data Security / Data Security

Sensitive data is securely disposed of when no longer needed

Data that is no longer needed is a liability, not an asset. Breaches and legal discovery can expose sensitive data that should have been deleted years ago. Retaining data indefinitely also increases storage costs and regulatory risk. Secure disposal means more than just deleting files: drives must be wiped or destroyed, cloud storage must be permanently deleted, and backups containing old data must be purged according to a defined retention schedule.

2h estimated effort

data-disposal secure-deletion data-retention media-sanitization

Complete first: da-1

Implementation steps

1

Define and document data retention policies

For each data classification tier, define how long data is kept and what triggers disposal. Align retention periods with legal requirements, such as HIPAA or state privacy laws, and with business need. Document the policy formally and get it approved by legal or compliance. Publish it so employees know what to keep and what to delete.

confluence notion google-docs drata vanta
2

Implement automated retention and deletion in systems

Configure retention policies in cloud storage, SaaS tools, and databases so data is deleted automatically when its retention period expires. Use S3 Lifecycle rules, Google Vault retention policies, or similar. For databases, schedule purge jobs for records past their retention window. Do not rely on manual deletion.

aws-s3 google-vault azure-blob-storage bigquery postgresql
3

Securely wipe or destroy physical and decommissioned storage

When retiring laptops, servers, or drives, use certified wiping software or arrange for physical destruction. Obtain a certificate of destruction from the vendor. For cloud environments, confirm data deletion by destroying encryption keys (cryptographic erasure) and deleting storage volumes. Document all disposals.

blancco dban aws-kms azure-key-vault nist-800-88