Booklet: Operations
Section: Risk Mitigation and Control Implementation
Subsection: Disposal of Media

Proper disposal of media is essential to protect against reputational exposure
and to ensure compliance with the Gramm-Leach-Bliley Act (GLBA) regarding
the safeguarding of customer information. Management should have procedures
for the destruction and disposal of media containing sensitive information.
These procedures should be risk-based relative to the sensitivity of the
information and the type of media used to store the information. For example,
prior to disposing of electronic media containing sensitive customer information,
the media should be degaussed as a matter of standard procedure; obsolete optical
media, such as "write once, read many times" (WORM), should
be destroyed or defaced so that the data is unrecoverable; and printed
material containing sensitive data should be destroyed in a safe and systematic
manner, such as shredding or burning. Furthermore, disposal procedures
should recognize that records stored on electronic media, including tapes
and disk drives, present unique disposal problems in that residual data
can remain on the media after erasure. Since that data can be recovered,
additional disposal techniques should be applied to remove sensitive information.