MP-6(1) Media Sanitization | Review, Approve, Track, Document, and Verify

Description

Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal.

Applicability

The information resource owner, or designee, is responsible for ensuring that all requirements of this Control are satisfied.

Implementation

1. Prior to the sale or transfer of data processing equipment, to other than another Texas state agency or agent of the state, state agencies shall assess whether to remove data from any associated storage device.
2. Electronic state records shall be destroyed in accordance with Texas Government Code Section 441.185 and in compliance with the state agency’s records retention schedule. If the record retention period applicable for an electronic state record has not expired at the time the record is removed from data process equipment, the state agency shall retain a hard copy or other electronic copy of the record for the required retention period.
3. If it is possible that restricted personal information, confidential information, mission critical information, intellectual property, or licensed software is contained on the storage device, the storage device should be sanitized or the storage device should be removed and destroyed. Additional information on sanitization tools and methods of destruction (that comply with the Department of Defense 5220.22-M standard) are provided in the “Sale or Transfer of Computers and Software” guidelines available at https://dir.texas.gov/resource-library-item/sale-or-transfer-computers-and-software.
4. State agencies shall keep a record/form (electronic or hard copy) documenting the removal and completion of the process with the following information:
   1. date;
   2. description of the item(s) and serial number(s);
   3. inventory number(s);
   4. the process and sanitization tools used to remove the data or method of destruction; and
   5. the name and address of the organization the equipment was transferred to.

Revision History

Last Updated: February 21, 2025

Previous Versions:

• June 29, 2023
• May 31, 2022
• March 25, 2021
• September 16, 2019