The Center for Internet Security Controls, or CIS Controls, have become an industry standard that helps businesses and organizations of all sizes maintain a baseline of cybersecurity controls.

Safeguard 3.5 covers how you securely dispose of data, which should be outlined in your data management process. You have to ensure the disposal process and method are commensurate with the data's sensitivity.

Formatting a hard drive leaves data on it, so a simple drive format should not be considered an appropriate method of disposing of data.

CIS Controls is for business, not personal use, so your example isn't effective, but it applies because we forget or think it's low risk. There are storage drives in your computers, servers, network equipment, printers and, if you push it, old fax machines, where the film roll would actually store an image of every fax received. How do you address all of these devices, when the data stored there is an assortment of everything printed, from confidential data to that random email?

Here the key is your data management process and policy. It should outline which devices have drives you are concerned with and how you go about disposing of the data, the drive, or the equipment itself if the flash storage is embedded. It should include how long you retain data, where the data lives, who owns the data, and, when it's time to decommission a device, how the data that lives on it is disposed of. So it covers live data, legacy data, and the devices that store them.

In my past I have taken drives out to a gun range and also have had drives destroyed, with a certificate of destruction, by a shredding company. They maintain the chain of custody, and proof of destruction is typically what an auditor likes to see, but the gun range will ensure no data is recoverable as well. You can also use disk wiping or DataDump (the process of writing every bit of data with a 0 or 1 and then formatting it). The government standard (DoD 5220.22-M) calls for a data wipe to run the same process at minimum 3 times. The government considers this a medium-security wipe. I see more companies using a hard drive degausser, which will completely sanitize, wipe, and erase hard drives.

No matter what process you use, document it and maintain an inventory of destroyed hard drives, including serial number, date of destruction, and the certificate.
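As an added example (not from the original post), the multi-pass overwrite and the inventory record described above, written in Python against a constructed temp-file image standing in for a drive; the device serial is a placeholder and the three zero/one patterns are an assumption about the pass sequence.

```python
import os
import tempfile
from datetime import date

# Constructed sample for a raw block device (real use: the device node); the serial is a placeholder.
ORIGINAL_CONTENT = b"CONFIDENTIAL payroll export " * 128
DEVICE_SERIAL = "PLACEHOLDER-SERIAL-0001"
BLOCK_SIZE = 4096
# Three fixed-pattern passes (zeros, ones, zeros), then read-back verification.
PASSES = (b"\x00", b"\xff", b"\x00")

def make_sample_image():
    """Write the constructed 'confidential' data to a temp file; return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(ORIGINAL_CONTENT)
    return path

def overwrite_pass(path, pattern):
    """Overwrite the whole image block by block with one byte pattern, then sync."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        written = 0
        while written < size:
            chunk = min(BLOCK_SIZE, size - written)
            f.write(pattern * chunk)
            written += chunk
        f.flush()
        os.fsync(f.fileno())

def verify_pattern(path, pattern):
    """Read the image back and confirm every block holds the pattern written."""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK_SIZE):
            if chunk != pattern * len(chunk):
                return False
    return True

def wipe_and_record(path, serial=DEVICE_SERIAL, passes=PASSES):
    """Run every pass, verify the last one, and return the inventory record."""
    for pattern in passes:
        overwrite_pass(path, pattern)
    with open(path, "rb") as f:
        leftover = b"CONFIDENTIAL" in f.read()  # crude check the sample is gone
    return {
        "serial": serial,
        "date": date.today().isoformat(),
        "method": f"{len(passes)}-pass overwrite",
        "verified": verify_pattern(path, passes[-1]) and not leftover,
    }
```

Overwriting in place only covers sectors the host can address, so flash media with wear levelling (which keep copies the OS cannot reach) need the vendor's secure-erase command, degaussing where applicable, or physical destruction instead.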

Join the conversation - https://www.linkedin.com/posts/scottintech_ciscontrols-cybersecurity-datasensitivity-activity-7076594085129506816-S-zd?utm_source=share&utm_medium=member_desktop
