Storage Media Sanitization Policies
Information systems capture, process, and store information using a wide variety of media, including paper. This information is not only located on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality.
This standard covers all media containing all information regardless of format or location, including that which is held by third parties on behalf of your organization. Electronic media may be contained in or be a part of personal or laptop computers, printers, scanners, fax machines, mobile devices, copiers, or other devices which may allow temporary or permanent storage of information.
Essentials for Storage Media Sanitization Policies
- The organization must ensure that users and custodians of information are aware of its sensitivity and the basic requirements for media sanitization and secure disposal.
- The organization must ensure that all workforce members, including property management and custodial staff, are made aware of the media sanitization and secure disposal process in order to establish proper accountability for all data.
- The organization must ensure that confidential material is destroyed only by authorized and trained personnel, whether in-house or contracted, using methods outlined in this standard.
- The organization may use service providers for destruction purposes provided that the information remains secure until the destruction is completed. The service providers must follow this standard.
- The organization must ensure that maintenance or contractual agreements are in place and are sufficient to protect the confidentiality of the system media and information, commensurate with the information classification standards.