Data persistence — are you able to delete information?

Questions 69 and 70 — when the provider scales down or ends services, or reuses or throws away equipment, see if you can delete information to keep it secure.

Questions 69 and 70 — data persistence

Table 1 lists who is responsible for answering each question.

Context and help for questions 69 and 70

Record your answers to these questions in either:

Questions to answer

  1. Does the service provider have an auditable process for the secure sanitisation of storage media before it is made available to another customer?
  2. Does the service provider have an auditable process for secure disposal or destruction of information and communications technology (ICT) equipment and storage media that contain customer data?

Table 1: Who answers each question
Entity Questions to answer
Government organisation None
Service provider 69, 70

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 69 and 70

The following guidance gives you context and help for answering questions about data persistence.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Services are scaled down or end

Make sure the service provider offers ways to delete information when it either scales down or stops the use of its service.

Equipment is reused or thrown away

See if the service provider has a process to make sure that, when reusing or disposing of equipment, it securely wipes data from:

  • ICT equipment
  • storage media — such as hard disk drives and backup tapes.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated