Suggested Secure Media Destruction Standard
April 9, 2012
Scope
This standard applies to all corporate data, including corporate customer data, whether located at a corporate facility or a third party facility, and whether handled by corporate employees, or corporate contractors, vendors, third party service providers, or their staff or agents. This standard also applies to all wholly owned and partially owned subsidiaries.
Furthermore, this standard applies to all data storage media that leave the control of the designated facility/IT Custodian where they were used. For example, if a medium is to be decommissioned or repurposed and is handed over to an external handler that is not authorized to view its contents, the media destruction standard must be followed. If a medium is to be repurposed and stays within the control of an authorized handler, it may only be formatted and repurposed for the level of sensitivity (or higher) that was previously stored on it. For example, a hard disk holding private data may simply be reformatted and repurposed for private (or higher) data; however, a medium containing "Confidential" data can only be repurposed to store "Confidential" data. Repurposing for any lower data classification level is not allowed without first sanitizing the medium in accordance with this standard.
The guidance in this standard shall be considered the minimum acceptable requirements for the destruction of applicable corporate data. This standard sets forth expectations across the entire organization. Additional guidance and control measures may apply to certain areas of Corporate. This standard shall not be construed to limit the application of more stringent requirements where justified by business needs or assessed risks.
Media Destruction Standard
Corporate’s business functions rely upon the integrity, confidentiality, and availability of its computer systems and the information assets stored within them. Responsibilities and procedures for the management, operation and security of all information processing facilities must be established. This Policy supports the stated objectives.
It is the policy of Corporate to provide safe, secure usage of data systems to its employees, contingent workforce, and other properly authorized persons, for the purpose of enabling and supporting the conduct of business. Usage of data systems shall be in conformance with relevant corporate policies, and shall not, whether by intent or mistake, increase the risks to corporate information assets or business functions.
Roles & Responsibilities
The End User is responsible for the creation of data, for usage of the related data services in a manner consistent with this Policy, and, when such activity is within their span of control, for the retention and disposal of data sent and received.
The IT Custodian is responsible for defining and implementing security measures and controls to ensure that expired data media containing non-public data are properly and securely disposed of in accordance with this standard.
The Chief Information Security Officer has overall responsibility for security policy, and in conjunction with the Information Security Department will be responsible for defining, implementing, managing, monitoring and reviewing compliance with this standard.
The Information Security Department will assist End Users and IT Custodians in assessing, defining, implementing, managing and monitoring appropriate controls and security measures.
The Information Security Department will audit and review the adequacy of controls and security measures in place to measure and enforce conformance to this standard.
Exceptions under this policy must be detailed in a Risk Acceptance form approved by the System/Application Business Owner, an Executive Lines of Business representative, the IT Custodian, and the Information Security Compliance Department.