ISMS Disposal Policy

1. Purpose, Scope and Users

The purpose of this document is to ensure that information stored on devices and data carriers is securely destroyed or deleted. It also defines how unused data is deleted.

Users of this document are all employees of VSHN AG.

2. Disposal, destruction and reuse of equipment and data carriers

All data on portable storage media (for example on CD, DVD, USB stick, memory cards, etc., but also on paper) and all devices containing storage media (for example computers, cell phones, etc.) must be deleted or the data carrier must be destroyed before the device is disposed of or reused.

2.1. Storage Devices

The CISO is responsible for checking and deleting data contained in devices, unless the information classification policy stipulates otherwise.

In general, storage devices holding personal, VSHN, or customer data must use full-disk encryption. Exceptions are storage devices such as USB sticks used for sending tenders.

Hard disks
  • To be deleted with shred.

  • Physically destroy the drive if shred is not possible.

Flash drives and SSDs
  • If supported, erase them with hdparm --security-erase.

  • If the drive was encrypted, remove the encryption keys.

  • If the drive was not encrypted, destroy it physically.

Computers
  • For MacBooks, the diskutil secure erase is allowed.

2.2. Paper

Paper with personal, VSHN, or customer data must be shredded with the paper shredder in the printer room. As a rule of thumb, it is better to shred one time too many than one time too few.

2.3. Tracking / Documentation

Deletion of devices must be tracked in tickets. Documentation required includes information about the storage medium, the date of deletion/destruction, the method of deletion/destruction and the person carrying out the process.

Deletion of classified data must be carried out through a ticket and documented in that ticket.

3. Information deletion

Sensitive data must be deleted regularly. Sensitive data includes, among others:

  • Information classified as sensitive according to the Classification Policy.

  • HR and recruiting data.

  • Communication data from former employees (for example chat history and mail folder) after one year.

  • Customer data of former customers.

The CISO checks annually that data no longer in use has been deleted.

4. Reference Documents

ISO 27001:2022   ISO 27001:2013   Control
A.7.10           A.8.3.2          Storage media
A.7.14           A.11.2.7         Secure disposal or re-use of equipment
A.8.10           New              Information deletion

5. Annex

Related repeating tickets:

  • ISMS-1470 — Yearly Deletion of Old Mail Boxes on mail1.vshn.net

  • ISMS-1373 — Yearly Rocket Chat Clean Up

  • ISMS-1345 — Regular Spot Check Recruitee Access Rights


This policy is tracked and approved by the CISO with ticket ISMS-1569.