While reading through the Certification Practice Statement (CPS) v2.4, this caught my eye:
5.1.7 Waste disposal
ISRG prohibits any media that contains or has contained sensitive data from leaving organizational control in such a state that it may still be operational, or contain recoverable data. Such media may include printed documents or digital storage devices. When media that has contained sensitive information reaches its end of life, the media is physically destroyed such that recovery is reasonably believed to be impossible.
I saw a very interesting vendor demonstration several years ago. Because of reconstruction software, it is usually not enough to shred a document. Usually you want to burn it after shredding.
Which leads to the question, if shredded documents can be reconstructed and sensitive material does not leave the organization, then does Let’s Encrypt burn its sensitive trash? Or is a different control used? Or is the risk accepted?
Thanks in advance.