The purpose of this process is to protect the confidentiality of our client’s sensitive information by properly storing and destroying media that is no longer in use. It also offers protections for centrexIT as it captures the evidence necessary to support protocols for logging media serial numbers and providing destruction evidence for those media serial numbers. This procedure ensures cIT is following NIST 800-88 protocols, as well as, HIPAA destruction requirements.

Aspects of this procedure to be carried out by the Service Desk; Provisioning Technician, Field Support, Service Desk Manager and Service Desk Team Leads as well as the Office Manager. This procedure applies to all centrexIT (CIT) owned storage media and any storage media managed on behalf of any client.

---

1. Field Support (all client facing roles) - May be asked to bring e-waste to the office which could include media like hard drives either loose or still in devices.
2. Provisioning Technician - Responsible for pulling media from devices and logging all media in “Client Media Sanitization” log as well as labeling media and storing them in locked cabinet in provisioning room.
3. Service Desk Team Lead or Manager - Responsible for monthly audit of “Client Media Sanitization” and giving the drives to Office Manager.
4. Office Manager - Responsible for taking the media provided to them each month and storing them in a secure/locked limited access room at centrexIT HQ.
5. Office Manager - Responsible for coordinating yearly destruction of media with a contracted destruction/shredding company.
6. Office Manager - Responsible for storing certificates of destruction with accounting department and working with vCIO team to provide certificates of destruction to clients who requested/require them.
7. Secure Media Sanitization Vendor - Vendor providing secure electronic media destruction services that meet CIT vendor requirements, HIPAA ePHI destruction requirements and provide certificates of destruction in support of this SOP.

---

1. What is Media Sanitization: Media sanitization, sometimes referred to as “data sanitization,” is media destruction conducted in a way that reasonably guarantees sensitive information cannot be easily reconstructed or retrieved.
2. What is NIST? The National Institute of Standards and Technology (NIST) is a physical science laboratory and a nonregulatory agency of the United States Department of Commerce. Founded in 1901, it has a long history of developing measurements, metrics, and standards that can be applied to the science and technology industries. This makes NIST the ideal institution for offering guidance on how organizations and their employees can properly handle confidential data stored on electronic devices.
3. What is NIST 800-88? NIST 800-88, also called NIST Special Publication 800-88 (NIST SP 800-88), Guidelines for Media Sanitization, is a U.S. government document providing robust methodological guidance for erasing data from storage media (media sanitization). Its objective is to ensure that any data found on storage media is irretrievable. Originally established for government use, NIST 800-88 is now widely adopted and recognized by governments and corporations alike as the best-in-class method for ensuring effective media sanitization.
4. How is this relevant? In its guidelines, NIST uses the terms “Clear,” “Purge,” and “Destroy” to refer to various methods for erasing end-of-life data from storage devices. In this Procedure we are going to focus on NIST Destroy. Destroy renders target data recovery infeasible using physical destruction techniques, such as shredding, smelting, pulverizing, and incinerating.

• Security level: Destroy

• Level of data protection: Higher than Clear and Purge

• Can be used for: Floppy disks, hard disk drives (ATA, SCSI), optical disks, flash media (USB sticks, memory cards, SSDs)

• Pros: It can be used when a medium is beyond overwriting methods due to its physical condition or when it contains highly confidential data.

• Cons: The media cannot be reused, and destroying them does not reduce their lifespan but ends their life, contributing to e-waste.

5. What is considered Storage Media? Any data storage device including but not limited to: Disk Drives (spinning or solid-state), mobile devices, removable media via USB or other connection, DVDs, CDs and floppy drives.
6. What is HIPAA ePHI? The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of ePHI from electronic media before the media are made available for reuse. Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. Covered entities may contract with business associates to perform these services for them.Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media.

---

1. Receiving Equipment and Media: Storage media can end up at the centrexIT office in a number of different ways. One, a client creates a request to have equipment picked up for e-waste. Two, a computer brought in for provisioning is end of life or beyond repair and is deemed to be e-waste. In either case when there is a requirement to e-waste the equipment and destroy the media the process for media sanitization needs to be followed.

• Any client facing role at centrexIT may be in a position to be provided e-waste to bring to the centrexIT office for disposal. It is crucial that there is always a service ticket created for these requests so it can be documented what equipment was brought in and the serial numbers of the devices and media can be documented.

• When the equipment is dropped off it needs a warm hand off with the Provisioning Technician so the necessary information can be captured for the “Client Media Sanitization” log.

• The same process applies to any CIT owned equipment.

2. Documentation

• The Provisioning Technician receives the equipment and locates the corresponding ticket in the CIT ITSM Platform.

• The Provisioning Technician verifies that descriptions and serial numbers are documented in the ticket for anything picked up and adds time to the ticket for any time necessary to do this as well as any time associated with pulling the media from the device(s).

• The Provisioning Technician documents the serial numbers of the media pulled in the ticket as well.

• The Provisioning Technician locates the “Client Media Sanitization” log for the corresponding year. Within the log (Excel spreadsheet) there is a tab for every month in that year. The Provisioning Technician logs all pertinent information required in the log for each media item to be destroyed in the month this is occurring. If this data is being captured for centrexIT the Provisioning Technician captures this data in the “CIT Media Sanitization” log.

• If a client is regulated or the client requires a separate certificate of destruction they will need their own log created using the same template used for the Client and CIT Sanitization logs.

• There is a barcode scanner that makes capturing the serial number of the media in the log much easier.

• The Provisioning Technician is responsible for creating all Logs and storing in designated area in Sharepoint.

3. Labeling

• Once the media is logged the Provisioning Technician places a round red sticker on the media and writes the number of the line on the log where the media information was captured. This number is written directly on the red round sticker.

• If the media belongs to a regulated client or the client requires a certificate of destruction it will also have a green round sticker placed on the media simply to indicate this. The green sticker will not have a number written on it.

• The Provisioning Technician will place the logged and labeled media in a locked cabinet in the Provisioning Department at centrexIT HQ where they will remain until the end of the month when the audit is done on all media received that month.

• It is important that the green and red stickers are not placed on top of one another.

• It is important the green and red stickers do not cover up any bar codes or media serial numbers.

4. Month End

• At the end of the month a Service Desk Team Lead or Manager along with the Provisioning Technician will review/audit all media that were logged for that given month.

   The audit process consists of the following checks:
   1. The correct Log was used (Client, CIT, or Client specific)
   2. The data was documented on the correct monthly tab of the log.
   3. All pertinent and necessary data was documented in all columns of the log.
   4. All media have a red sticker on them with a number that correlates to the row of the log which captures the info for that media including serial number.
   5. If the client requires a certificate of destruction or is regulated there is also a green round sticker on the media.
   6. The stickers don't cover each other, a bar code or the media serial number.
   7. The Service Desk Team Lead or Service Desk Manager document on the bottom of the monthly log sheet the date and their full name that the audit was performed.
      Example: Audited by Katie McEvoy 5/9/2023.
   8. The media are given to the Office Manager to be placed in a secure locked area in centrexIT HQ until they are to be destroyed/shredded.

5. Roles

• Office Manager ensures that any media given to them is stored in a secure/locked/limit access area in the centrexIT office until it is destroyed.

• Office Manager ensures that any media with green stickers are labeled with the client name and kept separate so they can easily be identified when it is time for them to be destroyed and we can request separate certificates of destruction for that client media from the destruction vendor.

• Once a year Office Manager contracts Secure Media Sanitization Vendor to destroy the media. On average we accumulate 300-350 pieces of media a year.

• The vendor will provide certificates of destruction for all media destroyed so we have evidence of all serial numbers of media destroyed which correlate back to the logs and tickets.

• Office Manager to give the certificates of destruction to accounting to be stored in the accounting office for a minimum of 7 years.

• Office Manager will coordinate with vCIO’s to ensure that any regulated or client that requested a separate certificate of destruction is provided their certificate.

---

1. All media received by centrexIT are logged in the correct log as indicated above in the process.
2. Once logged all media received have been properly labeled and stored locked up in the provisioning room until they are again audited at the end of the month.
3. Once the logs are audited at the end of the month and all media accounted for they are then moved to a secure location where they will remain locked until they are destroyed by a contracted secure media sanitization vendor.
4. All media is shredded/destroyed by contracted vendor has provided a certificate of destruction which includes the serial numbers of all media shredded.
5. Clients that require their own certificates of destruction have been provided their certificates of destruction.
6. Media is destroyed annually

---

• NIST 800-88 https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final

• HIPAA ePHI https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html#:~:text=The%20Security%20Rule%20protects%20a,%22%20(e%2DPHI).

---

1. Client Media Sanitization Log