AICM Atlas · CSA AI Controls Matrix
DCS · Datacenter Security
DCS-01 · Cloud & AI Related

Off-Site Equipment Disposal Policy and Procedures

Specification

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed, a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually, or upon significant changes.

Threat coverage

Model manipulation
Data poisoning
Sensitive data disclosure
Model theft
Model/Service Failure
Insecure supply chain
Insecure apps/plugins
Denial of Service
Loss of governance

Architectural relevance

Physical infrastructure
Network
Compute
Storage
Application
Data

Lifecycle

Preparation

Data collection, Data curation, Data storage

Development

Design, Training, Supply Chain

Evaluation

Evaluation, Re-evaluation, Validation/Red Teaming

Deployment

AI Services supply chain

Delivery

Operations, Maintenance

Retirement

Data deletion, Model disposal

Ownership / SSRM

PI

Owned by the Cloud Service Provider (CSP)

The Cloud Service Provider (CSP) is responsible for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with cloud computing (processing, storage, and networking) technologies in the context of the services or products they develop and offer. The CSP is responsible and accountable for implementing the control within its own infrastructure/environment. The CSP is responsible for enabling the customer and/or upstream partner to implement/configure the control within their risk management approach. The CSP is accountable for ensuring that its providers upstream implement the control related to the service/product developed and offered by the CSP.

Model

Owned by the Model Provider (MP)

The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic (Claude), Google (Gemini), Meta (Llama), as well as any customized model.

Orchestrated

Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)

The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Application

Shared Orchestrated Service Provider-Application Provider (Shared OSP-AP)

The OSP and AP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.

Implementation guidelines

[All Actors except AIC]
1. Providers should ensure that they have robust and clearly documented processes for the secure disposal of equipment that is used outside their physical premises, including devices that handle model development, data processing, or inference tasks. These include, but are not limited to, the procedures listed for the CSP. If using third-party datacenter vendors, ensure that those vendors have these procedures in place.

Auditing guidelines

1. Examine the organization's policy and procedures related to data destruction.

2. Determine if the policy has been approved, communicated, and reviewed.

3. Determine if a policy exists that addresses the secure destruction of data, and that distinguishes the conditions under which equipment is reused from those under which it is physically destroyed.

Standards mappings

ISO 42001 · Partial Gap
42001: A.2.2 AI Policy
42001: A.2.4 Review of AI Policy
42001: A.4.2 Resource documentation
42001: A.4.3 Data Resources
42001: A.4.4 Tooling Resources
42001: A.2.3 Alignment with other organizational policies
27001: 7.5 (7.5.1 to 7.5.3) Documented information
27001: A.5.1 Policies for information security
27001: A.5.4 Management responsibilities
27001: A.5.11 Return of assets
27001: A.5.37 Documented operating procedures
27001: A.6.7 Remote working
27001: A.7.10 Storage media
27001: A.7.14 Secure disposal or re-use of equipment
27001: A.8.10 Information deletion
27002: 5.1 Policies for information security
27002: 5.4 Management responsibilities
27002: 5.11 Return of assets
27002: 7.10 Storage media
27002: 7.14 Secure disposal or re-use of equipment
Addendum

A new dedicated control, or a formal extension of existing controls, aligned with clauses such as ISO 27001 A.7.14 and A.8.10, would be needed to close the gap.

EU AI Act · Full Gap
No Mapping
Addendum

Mandate organizations to establish documented, approved, and communicated policies for secure disposal of off-site equipment. Require procedures to ensure irretrievable destruction of data on equipment prior to disposal or reuse. Require periodic (at least annual) review and updating of these policies.

NIST AI 600-1 · Partial Gap
GV-1.7-002
GV-4.1-003
Addendum

There is no reference to policies or procedures that provide explicit instructions on the removal, decommissioning, or destruction of equipment used outside of the organization's facilities.

BSI AIC4 · No Gap
AM-02
AM-04
Addendum

N/A

AI-CAIQ questions (3)

DCS-01.1

Are policies and procedures for the secure disposal of equipment used outside the organization's premises established, documented, approved, communicated, enforced, and maintained?

DCS-01.2

Is a data destruction procedure applied that renders information recovery impossible if equipment is not physically destroyed?

DCS-01.3

Are all policies and procedures for the secure disposal of equipment used outside the organization's premises reviewed and updated at least annually, or upon significant changes?