MP-06-727 Media Sanitization


MP-06-727
Media Sanitization
Media Protection
LOW, MOD, HIGH
P1
Yes
February 13, 2018

All Agency-owned storage media shall be sanitized or destroyed in accordance with NIST SP 800-88 before leaving the custody of the Agency.

Data stored on disposed-of media is inappropriately disclosed to unauthorized parties due to ineffective data disposal procedures.
The organization:
a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
The organization has implemented procedures to dispose of media containing departmental data in a manner that adequately protects the confidentiality of the data and renders it unrecoverable (e.g., overwriting or modifying the electronic media to make it unreadable or indecipherable, or otherwise physically destroying the electronic media), and in accordance with organizational records retention schedules.
Prior to the sale or transfer of data processing equipment, to other than another Texas state agency or agent of the state, state agencies shall assess whether to remove data from any associated storage device. Electronic state records shall be destroyed in accordance with §441.185, Government Code. If the record retention period applicable for an electronic state record has not expired at the time the record is removed from data processing equipment, the state agency shall retain a hard copy or other electronic copy of the record for the required retention period. If it is possible that restricted personal information, confidential information, mission critical information, intellectual property, or licensed software is contained on the storage device, the storage device should be sanitized or the storage device should be removed and destroyed. Additional information on sanitization tools and methods of destruction (that comply with the Department of Defense 5220.22-M standard) is provided in the “Sale or Transfer of Computers and Software” guidelines available at http://www.dir.texas.gov. State agencies shall keep a record/form (electronic or hard copy) documenting the removal and completion of the process with the following information:
• date;
• description of the item(s) and serial number(s);
• inventory number(s);
• the process and sanitization tools used to remove the data or method of destruction; and
• the name and address of the organization the equipment was transferred to.
Obtain information system media protection policy; procedures addressing media sanitization and disposal; NIST Special Publication 800-88; media sanitization records; audit records; other relevant documents or records and ascertain if:
(i) the organization identifies information system media requiring sanitization and the appropriate sanitization techniques and procedures to be used in the process.
(ii) the organization sanitizes identified information system media, both paper and digital, prior to disposal or release for reuse.
(iii) information system media sanitization is consistent with NIST Special Publication 800-88.