The system must support the secure removal of sensitive data, guaranteeing that it cannot be recovered.
Systems often store and delete sensitive information protected by government regulations. These regulations usually demand that data be removed after it is no longer required and that its deletion follow secure procedures that prevent it from being recovered.
CWE-226: Sensitive Information Uncleared in Resource Before Release for Reuse. The product prepares to release a resource such as memory or a file so that the resource can be reused by other entities, but the product does not fully clear previously-used sensitive information from that resource before the resource is released.
CWE-459: Incomplete Cleanup. The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.
Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 6: Traffic data.(1) Traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication.
GDPR. Art. 5: Principles relating to processing of personal data.(1)(e). Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
ISO 27001:2013. Annex A - 18.1.3 Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
NERC CIP-011-2. B. Requirements and measures. R2.1 Prior to the release for reuse of applicable Cyber Assets that contain BES Cyber System Information, the Responsible Entity shall take action to prevent the unauthorized retrieval of BES Cyber System Information from the Cyber Assetdata storage media.
OWASP Top 10 A3:2017-Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.25) Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.31) Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required.
OWASP-ASVS v4.0.1 V8.1 General Data Protection.(8.1.2) Verify that all cached or temporary copies of sensitive data stored on the server are protected from unauthorized access or purged/invalidated after the authorized user accesses the sensitive data.
OWASP-ASVS v4.0.1 V8.2 Client-side Data Protection.(8.2.3) Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.6) Verify that sensitive information contained in memory is overwritten as soon as it is no longer required to mitigate memory dumping attacks, using zeros or random data.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.8) Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires.
PCI DSS v3.2.1 - Requirement 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes for secure deletion of data when no longer needed.
PCI DSS v3.2.1 - Requirement 9.8.2 Destroy media when it is no longer needed for business or legal reasons. Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.