SOC 2 Academy: Disposing of Physical Devices
Common Criteria 6.5
When a service organization pursues SOC 2 compliance, auditors will verify whether it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 6.5 says, “The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.” In plain terms: you may stop guarding a device only once the data on it can no longer be recovered. Let’s take a look at why disposing of physical devices is important.
Why is Disposing of Physical Devices Important to SOC 2 Compliance?
Common criteria 6.5 goes hand in hand with common criteria 6.1, whose points of focus include identifying and managing the inventory of information assets. In order to maintain an accurate inventory, organizations must dispose of physical devices that are no longer in use or no longer needed to meet business objectives. Why? Because to properly manage the physical devices an organization holds, it needs an accurate record of which devices are currently in use, and a retired device that is still sitting in a closet still holds the data it held in production. For example, let’s say an organization has upgraded all of its employees’ laptops. What processes are in place to securely get rid of the old laptops? How will the data and company information on those devices be wiped? Who will wipe them: a third party or an IT administrator?
During the SOC 2 compliance journey, an auditor will want to validate that such processes are in place for securely disposing of physical devices and for removing sensitive data from devices that are no longer in use. Specifically, auditors will use the following two points of focus to verify compliance with common criteria 6.5:
- Does the entity have procedures in place to identify data and software that needs to be disposed of?
- Does the entity have procedures in place to remove data and software from the physical control of the entity and render that data unreadable?
SOC 2 common criteria 6.5 is really about the physical disposal of assets that you no longer need to keep. Let’s say you upgraded your equipment, or you have damaged equipment that is just sitting around and piling up. Do you throw it in the recycling bin? Take it to the dumpster? Take a shotgun to it? Whatever method you use, it has to be a defined and documented one, so that you can be certain you no longer have to protect the data that was on that asset. You don’t want to sell it on eBay, hand it to an employee to throw away, or let them take it home for their kids. Even if a system will still be functional when it leaves the building, you want assurance that all of your sensitive data has been wiped from it.

If you simply want to wipe a hard drive before selling it, donating it, or giving it to an employee, there are tools that overwrite the drive using Department of Defense style multi-pass methods. Two caveats a practitioner should know before relying on them. First, the current reference for media sanitization is NIST SP 800-88 Rev. 1, which replaced the older DoD 5220.22-M overwrite patterns; a single verified overwrite pass is what it calls “Clear” for magnetic disks. Second, overwriting is only reliable for magnetic media. Solid-state drives remap and over-provision blocks, so an overwrite tool cannot reach every cell; for SSDs and self-encrypting drives use the drive’s own sanitize or cryptographic-erase command (ATA Secure Erase or NVMe Format with secure erase, for example) and verify afterward. Either way, record what was sanitized, how, by whom, and when, and tie that record to the asset’s serial number in your inventory. That record is what the auditor will ask to see.

You might also opt to have the asset physically destroyed so that it is unreadable. Many third parties will come to your location with a large shredding device on their truck and destroy hard drives and other types of computer media; get a certificate of destruction that lists serial numbers and reconcile it against your asset inventory. So keep this in mind before you let something walk out the door, and make sure you are properly disposing of the data you are protecting.
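The overwrite-and-verify step described above, as an added example written for this article (it is not code from the original page or from the article’s author). It implements the NIST SP 800-88 Rev. 1 “Clear” method, overwriting every byte with a fixed pattern and then reading the whole device back to confirm, against a file-backed image built from constructed sample data so it runs without root. The function names, the 1 MiB chunk size, the disposal-record fields and the sample payload are all assumptions of this example. The same functions work on a block device path such as `/dev/sdb`, but only for magnetic disks; SSDs and self-encrypting drives must be sanitized with the drive’s own secure-erase or crypto-erase command instead.

```python
"""Overwrite-and-verify sanitization of a disk image before an asset leaves the building.

Added example for this article, not code from the original page. Applies the
NIST SP 800-88 Rev. 1 "Clear" method (fixed-pattern overwrite, then a full
read-back verification) to a file-backed image built from constructed data.
Suitable for magnetic disks only; SSDs need the drive's own sanitize command.
"""
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB per read/write (assumed chunk size)


def _device_size(fd: int) -> int:
    """Size in bytes of a regular file or a block device; lseek works for both."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite(path: str, pattern: int = 0x00) -> int:
    """Overwrite every byte at `path` with `pattern`, then fsync. Returns bytes written."""
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _device_size(fd)
        buf = bytes([pattern]) * CHUNK
        written = 0
        while written < size:
            view = memoryview(buf)[: min(CHUNK, size - written)]
            while view:                      # os.write may write less than requested
                n = os.write(fd, view)
                view = view[n:]
                written += n
        os.fsync(fd)                         # force the data to the media, not just the cache
    finally:
        os.close(fd)
    return written


def verify(path: str, pattern: int = 0x00) -> "tuple[bool, int]":
    """Read the full device back. Returns (ok, first_bad_offset); offset is -1 when ok."""
    fd = os.open(path, os.O_RDONLY)
    try:
        size = _device_size(fd)
        expect = bytes([pattern]) * CHUNK
        offset = 0
        while offset < size:
            data = os.read(fd, min(CHUNK, size - offset))
            if not data:
                return False, offset         # short read: unreadable media never passes
            if data != expect[: len(data)]:
                bad = next(i for i, b in enumerate(data) if b != pattern)
                return False, offset + bad
            offset += len(data)
        return True, -1
    finally:
        os.close(fd)


def sanitize_and_verify(path: str, pattern: int = 0x00) -> dict:
    """Overwrite, verify, and return a disposal record for the asset register (assumed fields)."""
    written = overwrite(path, pattern)
    ok, bad = verify(path, pattern)
    return {
        "device": path,
        "bytes": written,
        "method": "NIST SP 800-88 Rev.1 Clear: single-pass 0x%02x overwrite + full read-back" % pattern,
        "verified": ok,
        "first_bad_offset": bad,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo(tamper: bool = False) -> dict:
    """Build a constructed ~3 MiB image holding fake sensitive data, sanitize it, verify it.
    With tamper=True one byte is flipped after the overwrite to show a failed verification,
    which is what an unreachable or remapped sector would look like on real media."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"customer_ssn=123-45-6789\n" * 40_000)   # constructed payload, 1,000,000 bytes
        f.write(os.urandom(2 * CHUNK))                     # constructed filler, 2 MiB
        path = f.name
    try:
        record = sanitize_and_verify(path)
        if tamper:
            with open(path, "r+b") as f:
                f.seek(CHUNK + 17)
                f.write(b"\xff")
            record["verified"], record["first_bad_offset"] = verify(path)
        return record
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

A record whose `verified` field is false must block the asset from leaving; rerun the overwrite, or escalate to physical destruction if the drive has bad sectors the overwrite cannot reach.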