Sanitization and Disposal of Information Resources Policy - Monstrous Media Group - The World's Best Marketing Agency, Probably.

Published: March, 2010
Revised: March, 2023

I. Introduction

A large volume of Data is stored on Systems (as each such term is defined in the MMG Information Security Charter (the “Charter”) https://www.monstrousmediagroup.com/isc throughout MMG. A substantial amount of this Data consists of Sensitive Data or Confidential Data (as each such term is defined in the Charter). Unauthorized disclosure of such Data may expose MMG to legal liability. Data sanitization is the deliberate and permanent removal of Data from an Information Resource. This Policy defines the appropriate sanitization and disposal methods to be used.

Capitalized terms used herein without definition are defined in the Charter.

II. Policy History

The effective date of this Policy is March 30, 2010.
Reviewed and/or revised March 14, 2023.

III. Policy Text

Each System Owner, Data Owner, IT Custodian and User is responsible for determining if Sensitive Data or Confidential Data is present on the Information Resource by, for example, periodically scanning the Information Resource using software provided by MMGIT and sanitizing all Information Resources with hard drives and Removable Media under his/her control prior to removal from MMG in accordance with the following guidelines:

A. Non-Sensitive and Non-Confidential Data.

Data other than Sensitive Data or Confidential Data may be deleted and/or re-formatted.

B. Sensitive Data and Confidential Data

Sensitive Data and Confidential Data.

Sensitive Data and Confidential Data must be sanitized or disposed of in a manner that leaves

the Data fully unrecoverable. Except as provided below, this can be accomplished by using

one of the following methods:

Data deletion software provided by MMGIT;
Information Security Office-approved destruction hardware to physically render the Data storage media inoperable, such as degaussing, shredding, pulverizing or melting;
Release of the Information Resource containing storage media to MMGIT for destruction and disposal; or
Release of the Information Resource containing storage media to an Information Security Office-approved vendor.

Sensitive Data constituting ePHI must be sanitized and disposed of.

All paper based Sensitive Data or Confidential Data must be destroyed using cross-shredding or

through a contract with an Information Security Office approved-vendor.

IV. Cross References to Related Policies

The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.

Appendix A

Related Policies

Policies: https://www.monstrousmediagroup.com/isc