Wipe all data storage media clean prior to disposal or redeployment.

UCF ID: 01643
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Development and Acquisition, Pg 33; FFIEC IT Examination Handbook – Operations, July 2004, Pg 21; US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11, January 2007, § 6.b(3), § 6.b(4); North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-007-1 R7.1, CIP-007-1 R7.2; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-21.a, § 2-21.d, App E; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 4.7.3, § 5.6.10, § 8.4, Exhibit 4 MP-6; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, MP-6; The Standard of Good Practice for Information Security, CB2.6.2(d), CI3.1.2(a), CI3.1.2(e), CI3.1.6(a), UE6.4.4(d); DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR1015); DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4, § 2.2 (WIR1170); DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.2 (WIR2015); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 9.2.6, § 10.7.1, § 10.7.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.9.2.6; ISO/IEC 27002 Code of practice for information security management, 2005, § 9.2.6, § 10.7.1, § 10.7.2; Australian Government ICT Security Manual (ACSI 33), § 3.4.28, § 3.4.32; Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008, § 4.1.4; Guidelines for Media Sanitization, NIST SP 800-88, September, 2006, Table A-1; State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Rev. 2.0, § 4.3; California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 11; Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT, § 4.3 (MP-6); DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3, § 2.2 (WIR3015)

Banking and Finance Guidance

Media should be destroyed by overwriting the data or degaussing the tapes/disks. [Pg 33, FFIEC IT Examination Handbook – Development and Acquisition]

Policies and procedures should be developed for erasing all electronic media prior to disposal. [Pg 21, FFIEC IT Examination Handbook – Operations, July 2004]

Energy Guidance

The requirements for purging, clearing, and physically destroying Type I Magnetic Tape, Type II Magnetic Tape, Type III Magnetic Tape, Floppies, Zip Drives, Bernoulli Boxes, Removable Hard Disks, Non-Removable Hard Disks, Magneto-optical: Read Only Optical Disk, Write Once Read Many (WORM) Optical Disk, Read Many Write Many Optical Disk, Flopticals, Helical-scan tapes, Cartridges, Optical, CD-R, CD-RW, CD-ROM, DVD, Magnetic Bubble Memory, Magnetic Core Memory, Magnetic Plated Wire, Magnetic-Resistive Memory, Read-Only Memory (ROM), Random Access Memory (RAM) (Volatile), Programmable ROM (PROM), Erasable PROM (UV PROM), Electrically Alterable PROM (EAPROM), Electrically Erasable PROM (EEPROM), Flash Erasable PROM (FEPROM), Printer Ribbons, Platens, Toner Cartridges, Laser Drums, Fax Machines, Cathode-Ray Tubes (if there is classified burn-in), Cell Phones, Personal Digital Assistants (PDAs), Routers, and Copy Machines are listed in Tables 1 through 3.

Additional processes and requirements for clearing unclassified media should include: using only software and hardware that is compatible with the media; ensuring any storage media that does not contain sensitive unclassified information (SUI) can be cleared with one-pass overwrites; maintaining disposal records; and ensuring the media is cleared if it contains Government information and will be reused by a user with a different access level.

Any unclassified storage media that will be released to the public or reused on a system with a security classification less than the original media should be purged. Additional processes and requirements for purging unclassified media should include: using a three-pass overwrite or degaussing any media that contains or had contained SUI; maintaining disposal records; and destroying any media that cannot be purged.

Additional processes and requirements for clearing classified storage media should include: using only software and hardware that is compatible with the media; ensuring the media is cleared if it is to be reused on a different system with the same or more restrictive classification or by a potential user who does not have a need-to-know; handling the media in accordance with the applicable classification level; and maintaining disposal records.

Additional processes and requirements for purging classified storage media should include: purging any media that is to be reused at a lower classification level; destroying any media that cannot be purged; ensuring classified media that has been purged is not released to outside organizations; and maintaining disposal records. [§ 6.b(3), § 6.b(4), US Department of Energy Cyber Security Program Media Clearing, Purging, and Destruction Guidance: DOE CIO Guidance CS-11, January 2007]

Prior to the disposal of such assets, the Responsible Entity shall destroy or erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data.
Prior to redeployment of such assets, the Responsible Entity shall, at a minimum, erase the data storage media to prevent unauthorized retrieval of sensitive cyber security or reliability data.
[CIP-007-1 R7.1, CIP-007-1 R7.2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]

US Federal Security Guidance

Media that will remain in the facility should be cleared and be controlled at the sensitivity level of its prior classification. If the media is leaving the facility, it should be purged and declassified.
See Table 2-1, Table 2-2 of this document and/or the Clearing and Purging Table Tab for the approved techniques for clearing and purging Magnetic Bubble Memory; Magnetic Core Memory; Magnetic Plated Wire; Magnetic-Resistive Memory; Read-Only Memory (ROM); Random Access Memory (Volatile); Programmable Read-Only Memory (PROM); Erasable PROM; Electrically Alterable PROM; Electrically Erasable PROM; Type I Magnetic Tape; Type II Magnetic Tape; Type III Magnetic Tape; Floppy Disks; Hard Disks; Read Only Disks; Write Once, Read Many (WORM) Disks; and Read Many, Write Many Disks. Media that contains or has contained Sensitive Compartmented Information (SCI) may not be overwritten; it must be degaussed before being released. Media that has ever contained Cryptographic material may not be sanitized and must be destroyed.
Table E-1, Table E-2 and/or the Clearing and Purging Table Tab contain the sanitizing procedures for Type I Magnetic Tape; Type II Magnetic Tape; Type III Magnetic Tape; Floppy Disks; Bernoulli Disks; Removable Hard Disks; Non-removable Hard Disks; Optical Disks Read Only; WORM Disks; Read Many, Write Many Disks; Magnetic Bubble Memory; Magnetic Core Memory; Magnetic Plated Wire; Magnetic-Resistive Memory; Dynamic Random Access Memory (Volatile); Static Random Access Memory (SRAM); PROM; Erasable PROM; Electrically Erasable PROM (EEPROM); Flash EPROM; Visual Displays; Printer Platens and Ribbons; Laser Printer Drums; Belts; and Cartridges that contain SCI material.
[§ 2-21.a, § 2-21.d, App E, Army Regulation 380-19: Information Systems Security, February 27, 1998]

US Internal Revenue Guidance

Electronic media that is going to be reused or disposed of, or leaves the physical control of the organization (for maintenance or other servicing), must have all files overwritten or degaussed. All data tracks must be overwritten a minimum of 3 times or a magnetic strip must be run over and under the surface a minimum of 3 times. [§ 4.7.3, § 5.6.10, § 8.4, Exhibit 4 MP-6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
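The clear-versus-purge decision in the DOE passage above and the three-overwrite minimum in this IRS passage can be turned into a small, auditable procedure. The Python below is an added example, not code from the UCF, the DOE or the IRS; it assumes two sensitivity levels ("unclassified" and "sui") ordered as the DOE text describes, fixed pass counts of 1 for clearing and 3 for purging, and a file-backed image standing in for the physical media so that it runs offline.

```python
"""Media sanitization helper (added example; not from any of the cited authority documents).

Assumptions: two sensitivity levels ("unclassified" and "sui") ordered as in the DOE
passage, overwrite passes fixed at 1 for clearing and 3 for purging, and a file-backed
image standing in for the media so the example runs offline.
"""
import os
import secrets
import tempfile
from datetime import datetime, timezone

CLEAR_PASSES = 1   # one-pass overwrite for clearing media that never held SUI (DOE CS-11 § 6.b(3))
PURGE_PASSES = 3   # three-pass overwrite for purging (DOE CS-11 § 6.b(4); IRS Pub 1075 minimum of 3)
LEVELS = {"unclassified": 0, "sui": 1}   # assumed ordering of the two levels the DOE text names


def select_method(media_level, destination_level, purgeable=True):
    """Return "clear", "purge" or "destroy" for unclassified media, per the quoted DOE rules.

    destination_level=None means the media leaves organizational control (public release
    or disposal); a destination at a lower level than the media also requires purging.
    """
    if not purgeable:
        return "destroy"          # media that cannot be purged is destroyed
    if destination_level is None or LEVELS[destination_level] < LEVELS[media_level]:
        return "purge"
    return "clear"                # reuse at the same or a higher level


def _pattern(pass_index, passes, length):
    """Pass data: random and all-ones alternate for the early passes; the final pass is
    all-zeros so the result can be verified by a simple read-back."""
    if pass_index == passes - 1:
        return b"\x00" * length
    return secrets.token_bytes(length) if pass_index % 2 == 0 else b"\xff" * length


def overwrite_image(path, passes, chunk=1 << 16):
    """Overwrite every byte of the image `passes` times, syncing after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                length = min(chunk, remaining)
                fh.write(_pattern(n, passes, length))
                remaining -= length
            fh.flush()
            os.fsync(fh.fileno())   # the pass must reach storage, not just the page cache
    return size


def verify_zeroed(path, chunk=1 << 16):
    """Read the whole image back and confirm the final all-zeros pass is what is there."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def sanitize_media(path, media_id, media_level, destination_level, purgeable=True):
    """Run the selected method and return the disposal record the guidance asks to maintain."""
    method = select_method(media_level, destination_level, purgeable)
    record = {"media_id": media_id, "method": method, "passes": 0, "verified": False,
              "timestamp": datetime.now(timezone.utc).isoformat()}
    if method == "destroy":
        return record             # physical destruction happens off-line; only the record is kept
    passes = PURGE_PASSES if method == "purge" else CLEAR_PASSES
    record["bytes"] = overwrite_image(path, passes)
    record["passes"] = passes
    record["verified"] = verify_zeroed(path)
    return record


def demo():
    """Constructed sample: a 256 KiB image seeded with a recognisable marker, then purged."""
    marker = b"CONSTRUCTED SAMPLE RECORD 000-00-0000 "
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(marker * (256 * 1024 // len(marker)))
        path = fh.name
    try:
        record = sanitize_media(path, "TAPE-0001", "sui", None)   # SUI media leaving the organization
        with open(path, "rb") as fh:
            record["marker_remains"] = marker in fh.read()
    finally:
        os.unlink(path)
    return record


if __name__ == "__main__":
    print(demo())
```

The final pass is all zeros so the read-back check is meaningful, and the returned dictionary is the disposal record that the DOE text and NIST SP 800-53A MP-6 expect to be maintained. Overwriting a file inside a filesystem only demonstrates the mechanics: a real sanitization targets the raw block device with an approved tool, and flash media with wear leveling or drives with remapped sectors are not reliably purged by a software overwrite alone, so degaussing or destruction remains the fallback the guidance describes.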

NIST Guidance

Organizational records and documents should be examined to ensure paper and digital media are sanitized using approved techniques and procedures in accordance with NIST Special Publication 800-88 prior to disposal and reuse; sanitization equipment is tested for proper functioning; sanitizing actions are tracked and documented; and specific responsibilities and actions are defined for the implementation of the media sanitization and disposal control. Any problems discovered during the implementation of the media sanitization and disposal control should be documented and used to improve the controls.
Interviews should be conducted with personnel who dispose of media to ensure media is sanitized appropriately.
[MP-6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

When a handheld device is reissued to another individual or is being disposed of, the memory should be erased by completely overwriting it, so the data cannot be recovered or analyzed. If there are no proven procedures for erasure available for the handheld device, the memory should be physically destroyed. [§ 4.1.4, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008]

The requirements for Paper and Microforms, Cell Phones, Personal Digital Assistants (PDAs), Routers, Copy Machines, Fax Machines, Floppies, ATA Hard Drives, USB Removable Media with Hard Drives, Zip Disks, SCSI Drives, Reel and Cassette Format Magnetic Tapes, CDs, DVDs, Compact Flash Drive SD, Dynamic Random Access Memory (DRAM), Electronically Alterable PROM (EAPROM), Electronically Erasable PROM (EEPROM), Erasable Programmable ROM (EPROM), Field Programmable Gate Array (FPGA) Devices (Nonvolatile), Field Programmable Gate Array (FPGA) Devices (Volatile), Flash Cards, Flash EPROM (FEPROM), Magnetic Bubble Memory, Magnetic Core Memory, Non Volatile Memory (NOVRAM), PC Cards or PCMCIA Cards, Programmable ROM (PROM), RAM, ROM, USB Removable Media without Hard Drives, Smart Cards, and Magnetic Cards are listed in this section. [Table A-1, Guidelines for Media Sanitization, NIST SP 800-88, September, 2006]

The organization should ensure all Personally Identifiable Information (PII) is properly sanitized prior to being disposed of or released for reuse. [§ 4.3 (MP-6), Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT]

US State Laws and Protectorates Guidance

All sensitive data should be removed from media prior to media being sent offsite for repair work. [§ 4.3, State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Rev. 2.0]

Dispose of records and equipment containing personal information in a secure manner. [Part I ¶ 11, California OPP Recommended Practices on Notification of Security Breach, May 2008]

Other Configuration Guidance

Prior to disposing of a wireless e-mail handheld PED (e.g., sold, transferred to another DoD or other government agency, etc.), the procedures found in the appropriate wireless push email system checklist are followed.
[For Windows Mobile handhelds: The handheld manufacturer’s procedure must be followed to wipe all user/application addressable memory and return the device and all memory to factory default status.] [§ 2.2 (WIR1015), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]

Before a BlackBerry is issued to a user, the System Administrator should perform the "Wipe (or Nuke) Handheld" command, reinstall all appropriate software from a trusted source, and ensure the IT policy has been implemented on the device. [§ 2.2 (WIR1170), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4]

When disposing of wireless e-mail handheld PEDs, the appropriate wireless push email system checklist should be followed and all memory should be wiped clean and the device should be reset to the factory default status.
[For Windows Mobile handhelds: The handheld manufacturer’s procedure must be followed to wipe all user/application addressable memory and return the device and all memory to factory default status.]
[§ 2.2 (WIR2015), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]

When disposing of wireless e-mail handheld PEDs, the appropriate wireless push email system checklist should be followed and all memory should be wiped clean and the device should be reset to the factory default status. [§ 2.2 (WIR3015), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3]

ISO Guidance

Prior to disposing of equipment or sending it out for repair, the storage media should be checked for any sensitive information. If sensitive information is contained on the media, it should be physically destroyed, deleted, or overwritten in such a way that the data is not retrievable. [§ 9.2.6, § 10.7.1, § 10.7.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

Before any equipment is disposed of, the storage media should be checked to ensure that all sensitive information and software have been either removed or securely overwritten. [Annex A.9.2.6, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Prior to disposing of equipment or sending it out for repair, the storage media should be checked for any sensitive information. If sensitive information is contained on the media, it should be physically destroyed, deleted, or overwritten in such a way that the data is not retrievable. [§ 9.2.6, § 10.7.1, § 10.7.2, ISO/IEC 27002 Code of practice for information security management, 2005]

General Guidance

All physical media should be securely disposed of when it is no longer needed. [CB2.6.2(d), CI3.1.2(a), CI3.1.2(e), CI3.1.6(a), UE6.4.4(d), The Standard of Good Practice for Information Security]

Asia and Pacific Rim Guidance

If hardware or media has errors, it should either be repaired and then sanitized, maintained at the highest classification of information contained on it, or physically destroyed. All media should be sanitized by an approved method prior to being used in a new environment. [§ 3.4.28, § 3.4.32, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of used backup or archive media sanitized prior to reuse or disposal. [UCF Control ID 02123]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.