S 2.13 Correct disposal of resources requiring protection

Initiation responsibility: Agency/company management; Head of IT Section; IT Security Management

Implementation responsibility: Head of Site/Bldg Technical Service; staff members

Resources (non-monetary resources) on which sensitive data are stored (printing paper, floppy disks, streamer tapes, magnetic tapes, hard disks, but also special toner cassettes, carbon paper or carbon ribbon) and which are no longer needed or, on account of a defect, are to be discarded, must be disposed of in such a way that no conclusions can be drawn as regards previously stored data. In the case of functioning data media, the data should be physically deleted. Non-functioning data media such as CD-ROMS should be destroyed mechanically (see S 2.167 Secure deletion of data carriers).

The recommended disposal of material requiring protection should be detailed in a specific directive; adequate disposal facilities are to be provided (see also DIN 32757).

If sensitive resources are collected prior to their disposal, the collected material must be kept under lock and be protected against unauthorised access.

If, within the given company/agency, safe and environmentally-sound disposal cannot be ensured, the companies entrusted with this task must be put under obligation to comply with the required IT security measures. A sample contract is enclosed with this manual.

Additional controls:

• Are all types of material requiring protection covered by the aforementioned provisions?

• Is the disposal procedure reliable?

• Are the specified disposal provisions complied with?