MP-6 Media Sanitization

Description

This Control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices.

The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal.

Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal.

Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document.

NSA standards and policies control the sanitization process for media containing classified information.

Applicability

This Control applies to all information resources managed by the university.

The owner of an information resource, or designee, is responsible for ensuring that the measures described in this Control are implemented.

Implementation

TAMU-CC shall:

1. Sanitize confidential and controlled system media prior to disposal, release out of organizational control, or release for reuse using data-wipe and over-write in accordance with applicable federal and organizational standards and policies, Prior to the sale or transfer of data processing equipment, to other than another Texas state agency or agent of the state, TAMU-CC shall assess whether to remove data from any associated storage device; and
2. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
   1. If it is possible that restricted personal information, confidential information, mission critical information, intellectual property, or licensed software is contained on the storage device, the storage device should be sanitized or the storage device should be removed and destroyed. Additional information on sanitization tools and methods of destruction (that comply with the Department of Defense Directive 5220.22-M: National Industrial Security Program Operating Manual [DoD 5220.22-M] standard) are provided in the “Sale or Transfer of Computers and Software” guidelines available at Texas Department of Information Resources website.
   2. Electronic state records shall be destroyed in accordance with Texas Government Code, 441.185: Record Retention Schedules [TGC 441.185 [PDF]]. If the record retention period applicable for an electronic state record has not
   3. expired at the time the record is removed from data process equipment, the state agency shall retain a hard copy or other electronic copy of the record for the required retention period.
3. TAMU-CC shall keep a record/form (electronic or hard copy) documenting the removal and completion of the process with the following information:
   1. date;
   2. description of the item(s) and serial number(s);
   3. inventory number(s);
   4. the process and sanitization tools used to remove the data or method of destruction; and
   5. the name and address of the organization the equipment was transferred to.

Revision History

Last Updated: February 21, 2025

Previous Versions:

• June 29, 2023
• May 31, 2022
• March 25, 2021
• September 16, 2019