Data Destruction Policy
Purpose
The purpose of this policy it to define the guidelines for the disposal of technology equipment and components owned by Ambassify.
Policy
All customer data should be disposed of when it is no longer necessary for business use, provided that the disposal does not conflict with our data retention policies, our customers data retention policies, a court order, or any of our regulatory obligations.
- All employees, clients, vendors and contractors are instructed to not use the following media to store confidential information.
- paper-based media
- USB Drives or External Backup programs
- CD ROM drives.
- All cloud based storage media being decommissioned should be sanitized when it is no longer necessary, provided that there is a backup of customer data on production systems to comply with our customers data retention and contractual obligations.
- Laptop based storage media may not be donated or sold. All laptop based storage media should be sanitized prior to transfer of ownership to a co-worker or prior to destruction.
Scope
The following table displays the forms of storage media currently in use.
Media Type | Location | Data Storage Mechanism | Removal Methods |
---|---|---|---|
Solid State Drives | Laptop | Solid state | Clearing, Destruction |
Amazon S3 | Cloud | Non-volatile magnetic | (DoD) 5220.22-M |
Amazon EBS | Cloud | Solid state | (DoD) 5220.22-M |
Goolge Drive | Cloud | Solid state | (DoD) 5220.22-M |
Media Destruction Techniques
Storage Media, which is being decommissioned, will be passed to a specialist contractor for secure disposal.
A) Solid-State Devices
Solid-state devices normally require the complete physical destruction of the device to ensure that any recovery of data is impossible. Incineration will melt SD cards. Devices such as USB thumb drives should be physically destroyed using brute force methods. As long as appropriate safety methods are in use, non-specialist staff can destroy these devices.
B) Cloud Based Devices
“When AWS determines that media has reached the end of its useful life, or it experiences a hardware fault, AWS follows the techniques detailed in Department of Defense (DoD) 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST SP 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process.” Google uses kind of the same procedures for their clould based storage devices.
Data Removal and Destruction Management
Once a specialist company or contractor has processed the media, there should be a procedure for verification of data removal. It is important to maintain an effective method of managing the process of data destruction. This ensures that all media requiring cleaning or destruction is correctly organized and properly audited. Tracking of hard disk serial numbers should be used a bare minimum for individual component tracking.