cmmc-mp-1 Medium priority Media Protection / Media Sanitization

Sanitize or destroy media containing FCI before disposal or reuse

Storage media that has held Federal Contract Information must be sanitized before it is disposed of, donated, resold, or reused for a purpose where FCI should not be accessible. Simply deleting files, or reformatting the volume, is not sufficient: the data stays on the media until it is overwritten and can be recovered with common forensic tools. Media sanitization means overwriting or cryptographically erasing the storage to a standard that makes recovery infeasible (what NIST SP 800-88 calls Clear or Purge), or physically destroying the media so recovery is impossible (Destroy). This applies to hard drives, SSDs, USB drives, tapes, optical discs, printed documents, and any other medium that has stored FCI.

Implementation steps

  1. Inventory media that has stored FCI

    Identify all types of media in your environment that have held or may have held FCI: laptop and desktop hard drives, server drives, external drives, USB drives, backup tapes, optical media, and printed documents. Build a tracking process so you know which devices have handled FCI and need sanitization before disposal.

    Suggested tools: Excel, Snipe-IT
  2. Implement software-based sanitization for reusable media

    For drives that will be reused internally, use a NIST SP 800-88 compliant tool that overwrites every addressable sector and then verifies the result by reading the media back. For SSDs and NVMe drives, a host-side overwrite is not reliable: wear levelling and over-provisioned areas hold copies of data that the host cannot address. Use the device's own erase instead, as documented by the manufacturer: ATA Secure Erase (or Enhanced Secure Erase) for SATA drives, and NVMe Format with secure erase or NVMe Sanitize for NVMe drives. Do not treat a tool's completion message as sufficient evidence on its own; confirm that a read-back (full or sampled) returns only the overwrite pattern, and record the result.

    Suggested tools: Blancco, Eraser, nwipe
  3. Use physical destruction for drives leaving the organization

    For media being disposed of, donated, or sent to a recycler, physical destruction (shredding, or for magnetic media degaussing followed by shredding) is the most reliable method. Degaussing has no effect on flash media such as SSDs and USB drives; those must be shredded or disintegrated so that the memory chips themselves are broken up. Use a certified media destruction vendor who provides a certificate of destruction listing the serial numbers destroyed. For self-encrypting drives, or drives that were fully encrypted before any FCI was written to them, cryptographic erasure (destroying the encryption key) can be an acceptable alternative for some media types, provided the key is verifiably destroyed and was never stored in the clear on the same media.

  4. Establish a documented sanitization process

    Write and follow a media sanitization procedure that specifies the method for each media type, who is responsible, and how results are documented. Maintain a sanitization log recording the device identifier, sanitization method, date, and the person who performed it.

    Suggested tools: Excel, ServiceNow
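The overwrite, verify and log part of step 2, as an added example that is not from the control text or from any of the tools named above. It is a POSIX shell script that overwrites a target with a single pass of zeros (the overwrite pattern NIST SP 800-88 accepts as Clear for magnetic media), confirms by reading every byte back that nothing but zeros remains, and appends a record with the fields the sanitization log in step 4 requires. The target path, device ID, operator name and log file are hypothetical arguments, and the demo at the bottom runs against a constructed scratch image rather than a real drive. It deliberately does not overwrite SSDs; the comments name the device-level commands that step 2 calls for instead, for reference only.

```shell
#!/bin/sh
# Added example (not part of the control text): overwrite, verify, log.
# A single-pass zero overwrite is only appropriate for magnetic media.
# On SSD/NVMe the host cannot reach over-provisioned cells, so use the
# device's own erase instead (reference commands, not run by this script):
#   hdparm --user-master u --security-set-pass p /dev/sdX
#   hdparm --user-master u --security-erase p /dev/sdX
#   nvme format /dev/nvme0n1 --ses=1        # NVMe user-data erase

# Size in bytes of a block device (via blockdev) or of an image file.
media_size_bytes() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite the whole target with zeros. conv=notrunc keeps an image file
# at its original size so the verify step covers the same extent.
overwrite_zero() {
    size=$(media_size_bytes "$1") || return 1
    head -c "$size" /dev/zero | dd of="$1" bs=1M conv=notrunc 2>/dev/null || return 1
    sync
}

# Independent read-back check: every byte must compare equal to /dev/zero.
# Returns non-zero if any byte differs, so the overwrite tool's own
# "done" message is never the only evidence of success.
verify_zeroed() {
    size=$(media_size_bytes "$1") || return 1
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Append one CSV record: timestamp, device ID, method, operator, result.
log_sanitization() {
    printf '%s,%s,%s,%s,%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$5" >> "$1"
}

# Full workflow. Usage: sanitize_and_log TARGET DEVICE_ID OPERATOR LOGFILE
# A failed overwrite or a failed read-back is logged as FAIL, never silently.
sanitize_and_log() {
    if overwrite_zero "$1" && verify_zeroed "$1"; then
        log_sanitization "$4" "$2" "overwrite-zero-1pass-verified" "$3" PASS
        return 0
    fi
    log_sanitization "$4" "$2" "overwrite-zero-1pass" "$3" FAIL
    return 1
}

# Demo on a constructed scratch image (64 KiB of random data), not a drive.
demo_img=$(mktemp) && demo_log=$(mktemp)
dd if=/dev/urandom of="$demo_img" bs=4096 count=16 2>/dev/null
verify_zeroed "$demo_img" && echo "unexpected: fresh image verifies clean" || echo "before: residual data present (expected)"
sanitize_and_log "$demo_img" "DEMO-HDD-0001" "example.operator" "$demo_log" && echo "after: read-back verified, logged PASS"
cat "$demo_log"
rm -f "$demo_img" "$demo_log"
```

The read-back in `verify_zeroed` is the part auditors ask about: it compares the media against an independent source of zeros rather than trusting the overwrite tool, and the log line is written only after that comparison succeeds. Point the functions at a block device (as root) instead of the scratch image to use them on real magnetic media.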

Evidence required

Media sanitization policy

Written policy defining sanitization methods for each media type and the process for disposal.

  • Media sanitization and disposal policy
  • Data destruction standard

Sanitization records

Logs or certificates documenting that media was sanitized before disposal or reuse.

  • Media sanitization log with device IDs and dates
  • Certificate of destruction from vendor
  • Blancco or similar tool erasure reports

Related controls