When It’s Time to Let Data Go


by Tim Marley

Over the last few weeks, we have been building the foundation of a responsible data management program.

In CIS Control 3.1, we talked about establishing a data management program and why organizations need a structured approach to governing their information.

In CIS Control 3.2, we focused on the data inventory, identifying what data exists, where it lives, and how it moves through the organization.

In CIS Control 3.3, we discussed access permissions and the importance of limiting who can see or modify sensitive data.

In CIS Control 3.4, we addressed data retention: how long organizations should keep different categories of information.

That naturally leads to the next question. What happens when it is time for that data to go away? CIS Safeguard 3.5 – Securely Dispose of Data addresses exactly that question. Once data has reached the end of its retention period, organizations must ensure it is removed in a way that prevents it from being recovered or accessed again.

At first glance, that might sound simple. Delete the file and move on. In practice, it is rarely that straightforward.

Deleting a File Is Not the Same as Removing Data

Most people assume that pressing the delete key removes a file from a computer. In reality, that action typically only removes the reference to the file, not the data itself.

Traditional file systems such as FAT (File Allocation Table) or NTFS (New Technology File System) do not immediately erase the underlying data when a file is deleted. Instead, the operating system removes the pointer that tells the system where the file is located. The actual data remains on the disk until that space is overwritten by something else. That means the file may still be recoverable using forensic tools.

Because of this, organizations historically relied on secure wiping standards. One well-known approach came from the U.S. Department of Defense, which recommended repeatedly overwriting storage media with patterns of ones and zeros to ensure that the original data could not be reconstructed. In some cases, organizations went even further by physically destroying the storage device itself through shredding, degaussing, or other destruction methods.
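As an added illustration (not code from the original post), the Python script below simulates a tiny FAT-like disk image: a directory table in block 0 and file contents in the blocks after it. An ordinary delete clears only the directory entry, and a raw scan of the image, which is what a forensic carving tool does, still finds the content; overwriting the file's blocks before clearing the entry is what makes it unrecoverable. The block layout, file names and sample data are all constructed for the demo.

```python
import os
import struct
import tempfile

BLOCK = 512                       # simulated sector size
N_BLOCKS = 64                     # 32 KiB image; block 0 is the directory table
ENTRY = struct.Struct("<24sII")   # directory entry: name, first data block, length

def format_disk(path):
    """Create a zero-filled image whose block 0 is an empty directory table."""
    with open(path, "wb") as f:
        f.write(bytes(BLOCK * N_BLOCKS))

def _entries(f):
    """Return (slot offset, name, first block, length) for every directory slot."""
    f.seek(0)
    raw = f.read(BLOCK)
    return [(off, *ENTRY.unpack_from(raw, off)) for off in range(0, BLOCK, ENTRY.size)]

def _find(f, name):
    return next(e for e in _entries(f) if e[1].rstrip(b"\0") == name.encode())

def write_file(path, name, payload):
    """Use the first free directory slot and the first block past every live file."""
    with open(path, "r+b") as f:
        ents = _entries(f)
        live = [e for e in ents if e[1].rstrip(b"\0")]
        slot = next(e[0] for e in ents if not e[1].rstrip(b"\0"))
        first = max([1] + [e[2] + -(-e[3] // BLOCK) for e in live])   # ceil division
        f.seek(first * BLOCK); f.write(payload)
        f.seek(slot); f.write(ENTRY.pack(name.encode(), first, len(payload)))

def delete_file(path, name):
    """Ordinary delete: only the directory entry is cleared; the data blocks are untouched."""
    with open(path, "r+b") as f:
        off, _, _, _ = _find(f, name)
        f.seek(off); f.write(bytes(ENTRY.size))

def secure_delete(path, name, patterns=(b"\x00", b"\xff", b"\x00")):
    """Overwrite the file's blocks with each pattern in turn, then clear the entry."""
    with open(path, "r+b") as f:
        off, _, first, length = _find(f, name)
        nblocks = -(-length // BLOCK)
        for p in patterns:
            f.seek(first * BLOCK); f.write(p * (nblocks * BLOCK)); f.flush()
        f.seek(off); f.write(bytes(ENTRY.size))

def carve(path, marker):
    """Forensic-style recovery: ignore the directory and scan the raw data blocks."""
    with open(path, "rb") as f:
        return f.read().find(marker, BLOCK)

def demo():
    """Constructed scenario: one file deleted normally, one overwritten first."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    format_disk(path)
    write_file(path, "a.txt", b"MARKER-A constructed customer record")
    write_file(path, "b.txt", b"MARKER-B constructed customer record")
    delete_file(path, "a.txt")
    secure_delete(path, "b.txt")
    return {"a_recoverable": carve(path, b"MARKER-A") != -1,
            "b_recoverable": carve(path, b"MARKER-B") != -1}
```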

Technology has evolved since then. Solid-state drives, cloud storage, and virtualized environments introduce additional complexity. Solid-state drives, for example, remap writes across flash cells for wear leveling, so a host-side overwrite may never touch every copy of the data. Data may not reside on a single physical disk under your control. It may exist in distributed storage systems managed by a service provider.

But the core principle remains the same: when data reaches the end of its lifecycle, it must be removed in a way that prevents recovery.

Data Exists in More Places Than You Think

Secure disposal applies wherever data may exist in your environment. That includes obvious locations such as:

  • Employee laptops and workstations
  • On-premises servers and storage arrays
  • Network-attached storage (NAS) systems and storage area networks (SANs)

It also includes places organizations sometimes overlook. Many modern copiers and printers contain internal hard drives that store scanned documents and print jobs. When those devices are replaced or returned at the end of a lease, the data stored on those drives may still exist unless it is securely erased.

Similarly, organizations routinely retire equipment as part of a normal hardware lifecycle. Laptops, servers, and storage devices may be replaced every three to five years. Before those systems are sold, recycled, or repurposed, any data stored on them must be securely removed.

The same responsibility applies even when the equipment is leased or managed by a third party. If a service provider handles device maintenance or disposal, the organization must still ensure that appropriate data destruction procedures are followed. In other words, outsourcing the task does not transfer the risk.

Third Parties and Chain of Custody

Early in my career I was running DBAN on every drive we decommissioned. I knew exactly what happened to that data. Most organizations I work with now have vendors managing the full asset lifecycle. And that works, until you ask for a certificate of destruction and nobody can find one.

Many organizations rely on third-party vendors for services such as hardware recycling, document shredding, or media destruction. Those services can be valuable, but they also introduce what is often called chain-of-custody risk.

Once a device or storage medium leaves your direct control, you are trusting someone else to handle it properly. If the data is not destroyed as promised, the exposure still belongs to the organization that owned the data in the first place.

That is why many organizations require vendors to provide certificates of destruction or similar documentation verifying that storage media was securely wiped or destroyed according to accepted standards.

The key point is simple: even when someone else performs the destruction, the responsibility for protecting that data remains with you.

Backups Create Another Disposal Challenge

Secure disposal also intersects with backup systems. Organizations routinely back up critical systems to protect against data loss, ransomware, or operational disruptions. Those backups often contain the same sensitive information found in the original systems: personal information, intellectual property, financial records, and other regulated data.

If data is deleted from the primary system but continues to exist indefinitely in backup archives, the organization may still be responsible for protecting it. That is why retention policies and backup strategies must work together. Backups exist for recovery, not long-term data preservation. Organizations need to understand how long backup copies are retained and ensure that sensitive data does not remain accessible long after it should have been removed.

Guidance for Secure Disposal

Organizations that want more detailed technical guidance can refer to NIST Special Publication 800-88, which provides recommendations for media sanitization. This publication outlines accepted methods for securely removing data from storage media, including logical wiping, cryptographic erase, and physical destruction.
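A logical wipe is only as good as the evidence that it ran to completion. The Python check below, added here as an example rather than taken from the post or from NIST SP 800-88, reads a disk image block by block and reports the first byte that does not match the expected wipe pattern, which is the kind of read-back result you would want on file before accepting a certificate of destruction. The block size and the two sample images are constructed.

```python
import os
import tempfile

BLOCK = 4096   # read granularity for the check; any multiple of the pattern length works

def verify_wipe(image_path, pattern=b"\x00"):
    """Scan an image and confirm every byte equals the wipe pattern.
    Returns (clean, first_bad_offset, blocks_checked)."""
    expected = pattern * (BLOCK // len(pattern))   # pattern length must divide BLOCK
    checked = 0
    with open(image_path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            checked += 1
            if chunk != expected[:len(chunk)]:
                # locate the first mismatching byte inside this block
                bad = next(i for i, (a, b) in enumerate(zip(chunk, expected)) if a != b)
                return False, (checked - 1) * BLOCK + bad, checked
    return True, None, checked

def demo():
    """Constructed images: one fully zeroed, one with a leftover record in block 3."""
    d = tempfile.mkdtemp()
    clean, dirty = os.path.join(d, "clean.img"), os.path.join(d, "dirty.img")
    with open(clean, "wb") as f:
        f.write(bytes(BLOCK * 8))
    img = bytearray(BLOCK * 8)
    leftover = b"constructed leftover customer record"
    start = 3 * BLOCK + 100
    img[start:start + len(leftover)] = leftover
    with open(dirty, "wb") as f:
        f.write(img)
    return verify_wipe(clean), verify_wipe(dirty)
```

Read-back verification only covers the addressable blocks the host can see; for solid-state media, where overwrite cannot reach remapped or over-provisioned cells, rely on the drive's own sanitize or cryptographic erase commands as described in NIST SP 800-88 rather than on a host-side overwrite.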

The goal of this control is not to require every organization to become an expert in storage technology. Rather, it is to ensure that when data reaches the end of its retention period, there is a deliberate and reliable process for removing it.

Completing the Lifecycle

In the previous article, we discussed retention and asked a simple question. How long should data be kept? This safeguard addresses the next step.

When that time expires, organizations must have a defined process for securely removing that data from their environment. Doing so reduces the amount of sensitive information that could be exposed in a breach and helps ensure that data does not persist long after it has served its purpose. Retention defines when data should be removed. Secure disposal ensures that when it is removed, it is truly gone.