🛡️ SOC 2 CC6.5 | Rule: SOC2-CC6-005 | Severity: high

Discontinue Logical and Physical Access Protection of Discarded Data

Description

The entity discontinues logical and physical protections over physical assets, software, and data only after the ability to read or recover data has been diminished.

⚠️ Risk Impact

Old storage media, retired servers, decommissioned cloud volumes, and end-of-life databases contain data that survives the asset's operational life. Without cryptographic erasure or physical destruction, the data is recoverable for years.

🔍 How EchelonGraph Detects This

SOC2-CC6-005 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Establish data-disposal procedures: cryptographic erasure for cloud volumes (encrypt at rest, destroy the key at decommissioning), DoD-grade wiping for physical media, certificates of destruction from third-party services. Track disposal in an asset-disposal log.

💀 Real-World Attack Scenario

A company decommissioned 47 EC2 instances and detached their EBS volumes. The volumes were retained 'in case rollback needed' for 30 days, then deleted via the AWS console. However, AWS EBS volumes can be recovered for ~24 hours after deletion if the request hasn't been confirmed asynchronously. A former employee with retained AWS access used this window to restore 12 volumes and exfiltrated archived customer data the company believed was gone.

💰 Cost of Non-Compliance

Data-disposal failures: GDPR Article 17 'right to erasure' violations average €2.5M (CNIL enforcement actions 2024). HIPAA disposal failures: $4.45M average per case (HHS OCR 2024 enforcement summary).

📋 Audit Questions

  1. What is your data-disposal procedure for cloud volumes? Physical media? End-of-life databases?
  2. Show me the asset-disposal log for the last 6 months.
  3. How is cryptographic erasure verified for encrypted-at-rest data?
  4. What is your third-party disposal service? Provide certificates of destruction.

🎯 MITRE ATT&CK Mapping

T1485 — Data Destruction

⚡ Common Pitfalls

  • Trusting cloud provider 'delete' without understanding the actual lifecycle (async deletion + retention windows)
  • Not maintaining cryptographic keys for encrypted-at-rest data — leading to inability to perform key-destruction-based erasure
  • Forgetting backup media — primary data is erased but backups retain copies for years
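The remediation procedure above and the pitfalls just listed, turned into a disposal-readiness check (an added example, not EchelonGraph's code): an asset may have its protections discontinued only once no open finding remains. The asset field names, the one-day recovery window and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed post-delete recoverability window (constructed, not a provider-documented value).
RECOVERY_WINDOW = timedelta(days=1)

@dataclass
class Asset:
    asset_id: str
    kind: str                          # "cloud_volume", "database" or "physical_media"
    encrypted_at_rest: bool = False
    key_destroyed: bool = False        # encryption key confirmed destroyed in the KMS
    deleted_on: Optional[date] = None  # date the delete request was issued
    destruction_certificate: Optional[str] = None  # third-party certificate id
    backups_disposed: bool = False     # snapshots and backup media handled too

def disposal_findings(asset: Asset, today: date) -> List[str]:
    """Reasons the asset's protections may NOT yet be discontinued (empty list = safe)."""
    findings: List[str] = []
    if asset.kind in ("cloud_volume", "database"):
        if not asset.encrypted_at_rest:
            findings.append("not encrypted at rest: key destruction cannot erase it")
        elif not asset.key_destroyed:
            findings.append("encryption key still live: cryptographic erasure incomplete")
        if asset.deleted_on is None:
            findings.append("asset still exists")
        elif today - asset.deleted_on < RECOVERY_WINDOW:
            findings.append("inside provider recovery window: deletion not yet final")
    elif asset.kind == "physical_media":
        if not asset.destruction_certificate:
            findings.append("no certificate of destruction on file")
    if not asset.backups_disposed:
        findings.append("backup copies still retain the data")
    return findings

def disposal_report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Asset-disposal log view: asset id -> open findings (audit question 2)."""
    return {a.asset_id: disposal_findings(a, today) for a in assets}

# Constructed sample inventory: one clean disposal, then the Common Pitfalls above.
SAMPLE_ASSETS = [
    Asset("vol-a", "cloud_volume", encrypted_at_rest=True, key_destroyed=True,
          deleted_on=date(2024, 5, 1), backups_disposed=True),
    Asset("vol-b", "cloud_volume", encrypted_at_rest=True, deleted_on=date(2024, 5, 10),
          backups_disposed=True),
    Asset("disk-7", "physical_media", backups_disposed=True),
    Asset("db-old", "database", deleted_on=date(2024, 4, 1)),
]
REPORT = disposal_report(SAMPLE_ASSETS, date(2024, 5, 10))
```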

📈 Business Value

Verifiable data disposal is the difference between 'we deleted it' and 'we cryptographically destroyed any possibility of recovery'. It matters most for GDPR-, HIPAA- and CPRA-bound organizations and for any company processing data with long-tail liability.

⏱️ Effort Estimate

Manual

8-12 hours for procedure documentation + 30 minutes per disposal event for tracking

With EchelonGraph

EchelonGraph monitors data-disposal events and verifies that cryptographic erasure has completed.

🔗 Cross-Framework References

ISO27001-A.8.10 | NIST-MP-6 | HIPAA-164.310(d)

Automate SOC 2 CC6.5 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
