introduce some disposal of goods requirements with thanks to Richard Litwinczuk

[BenGardiner]

We also have some disposal of goods requirements we would like to add to the matrix. Please see the attached spreadsheet which proposes three new requirements on vendors of high, medium and low criticality respectively.

Telematics Cybersecurity Requirements Matrix.xlsx

• vendors must have a disposal of goods policy which covers the management of all computer equipment and storage media dealing with customer information including but not limited to PII and customer business operations data.
• vendor's disposal of goods policy must forbid disposal in skips, dumps or landfills until it has been processed to remove previously stored information.
• vendor's processes to remove previously stored information must include acceptable processes for magnetic media, solid-state media, printers, scanners, laptops, smartphones, server and deskstop computers.

[BenGardiner]

These additions were reviewed at the RFPCTL workgroup meeting May 20th 2020

• review the addition of M-030

• review the addition of M-040

  • Derek H notes that we should say purge/clear not 'remove' ACTION [X]
  • Sean asks if we have any requirements on removal of information from equipment when that equipment has already been fielded.
  • Urban says that we can send Sean drafts of procedures
  • Derek asks about the split between 030 and 040.
  • He suggests to renumber the 040 refinement requirement into M-031 to demonstrate that it is a refinement ACTION [X]

• review the addition of M-050

  • Derek proposes that we renumber this to M-032 to match the same refinement numbering as before ACTION [X]