Data Destruction and Sanitization Policy (Client Focus)
**1.0 Purpose**
Define requirements for secure sanitization and destruction of data from devices and media at transfer, service, reuse, or end-of-life.
**2.0 Scope**
Applies to all company-controlled devices and media containing business data, including endpoints, servers, storage arrays, and removable media.
**3.0 Roles and Responsibilities**
- **IT Operations**: Execute sanitization/destruction per standards; maintain records.
- **Security**: Approvals, oversight, and audits.
- **Asset Management**: Coordinate logistics and certificates; update CMDB.
**4.0 Standards and Methods**
- Follow NIST SP 800-88 Rev. 1 to select Clear, Purge, or Destroy based on media type and whether the media will be reused.
- Use approved tools and procedures; document method, tool, operator, witness, and timestamps.
**5.0 Triggers**
- Device reassignment, RMA/repair, lease return, donation/recycling, or disposal.
**6.0 Chain of Custody and Transport**
- Maintain custody records for data-bearing devices; use tamper-evident packaging and tracked carriers.
**7.0 Verification and Certification**
- Verify sanitization/destruction (hash checks, visual inspection, or vendor certificate).
- Retain certificates and logs with asset records.
**8.0 Third-Party Vendors**
- Use vetted vendors with contractual obligations; obtain certificates of destruction.
**9.0 Exceptions**
Require documented justification, risk assessment, and Security approval with compensating controls.
**10.0 Review**
Review annually or upon significant operational changes.