REQ.183 Delete sensitive data securely
The system must support the secure removal of sensitive data when it is no longer required, so that it cannot be recovered.
Systems often store and delete sensitive information protected by government regulations. These regulations usually demand that data be removed after it is no longer required and that its deletion follow secure procedures that prevent it from being recovered.
GDPR. Art. 5: Principles relating to processing of personal data. (1)(e). Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
OWASP-ASVS v3.1-9.6 Verify that there is a method to remove each type of sensitive data from the application at the end of the required retention policy.
OWASP-ASVS v3.1-9.11 Verify that sensitive information maintained in memory is overwritten with zeros as soon as it is no longer required, to mitigate memory dumping attacks.
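The in-memory overwrite named in ASVS 9.11, shown as an added example that is not part of the original requirement text. The names `secure_zero`, `is_all_zero` and `handle_secret` are hypothetical, and the secret string is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Overwrite n bytes at p with zeros. Writing through a volatile pointer
 * keeps the compiler from discarding the stores as "dead" when the buffer
 * is never read again, which can happen with a plain memset(). */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns 1 if every byte in buf is zero, 0 otherwise. */
int is_all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Hypothetical handler: copies a secret into a caller-supplied working
 * buffer, uses it, then wipes the whole buffer on every exit path.
 * Returns the secret length, or -1 if it does not fit. */
int handle_secret(const char *secret, unsigned char *work, size_t work_len)
{
    size_t len = strlen(secret);
    int result = -1;
    if (len <= work_len) {
        memcpy(work, secret, len);
        /* ... use the secret here (authenticate, derive a key, ...) ... */
        result = (int)len;
    }
    secure_zero(work, work_len); /* wipe before returning, success or not */
    return result;
}

int main(void)
{
    unsigned char work[32];
    int n = handle_secret("constructed-sample-secret", work, sizeof work);
    printf("used %d bytes, buffer wiped: %s\n", n,
           is_all_zero(work, sizeof work) ? "yes" : "no");
    return 0;
}
```

Where the platform provides them, `explicit_bzero()` (glibc, BSD) or `memset_s()` (C11 Annex K) serve the same purpose as `secure_zero()` here.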