DS-07 Data Security & Protection

Data Retention & Secure Disposal

Data is retained and disposed per policy/regulation.

Domain: Data Security & Protection
Control type: Preventive
Automated / manual: Hybrid
Frequency: Per policy
Framework reference: PDPA; MAS TRM – Data

What good looks like

Data retained for required periods; securely disposed when no longer needed.

Risk if it fails

Regulatory non-compliance; data leakage from disposed media.

How Tess tests it

3 tests — each concludes only on cited evidence.

Retention & secure-disposal policy defined

Design

Procedure: Inspect the policy.
Expected: Periods and method defined.
Sample: 1 (design inspection)
Evidence: Retention policy, disposal records/certificates.

Retention configured per policy/regulation

Operating

Procedure: Inspect configuration.
Expected: Compliant retention.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Retention policy, disposal records/certificates.

Secure disposal evidenced

Operating

Procedure: Sample disposal records.
Expected: Sanitisation/crypto-erase evidenced.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Retention policy, disposal records/certificates.

Evidence Tess looks for

Retention policy, disposal records/certificates.

More in Data Security & Protection

DS-01 Data Classification & Handling DS-02 Network Security / Firewall DS-03 Encryption at Rest DS-04 Encryption in Transit

Want Tess to test DS-07 against your evidence?