DATA-15

Do you have a media handling process that is documented and currently implemented that meets established business needs and regulatory requirements, including end-of-life, repurposing, and data-sanitization procedures?

Explanation

This question is asking whether your organization has a formal, documented process for handling media (such as hard drives, USB drives, backup tapes, etc.) throughout its lifecycle. Media handling includes how you manage, store, transport, and eventually dispose of storage media that contains data. The question specifically asks about:

1. Documentation - Is the process written down in policies or procedures?
2. Implementation - Is the process actually being followed, not just documented?
3. Business needs alignment - Does it meet your organization's requirements?
4. Regulatory compliance - Does it satisfy relevant laws and regulations?
5. End-of-life procedures - How you handle media when it's no longer needed
6. Repurposing procedures - How you handle media that will be reused for different purposes
7. Data sanitization - How you ensure data is properly erased/destroyed

This question is asked in security assessments because improper media handling can lead to data breaches. For example, if a hard drive containing sensitive data is discarded without proper sanitization, someone could retrieve it and access the data. Similarly, if media is transported without proper security controls, it could be lost or stolen.

To best answer this question:

1. Describe your documented media handling policy/procedure
2. Explain how it's implemented in practice
3. Reference specific sanitization standards you follow (like NIST SP 800-88)
4. Mention any relevant regulatory requirements you meet
5. Describe verification methods to ensure procedures are followed
6. Include details about how you handle different types of media

Example Responses

Example Response 1

Yes, our organization maintains a comprehensive Media Handling Policy that is documented in our Information Security Management System (ISMS). This policy covers the complete lifecycle of all media types including acquisition, use, storage, transport, and disposal. For end-of-life handling, we follow NIST SP 800-88 guidelines for media sanitization, employing different methods based on media type and data sensitivity. Hard drives undergo a 7-pass DoD-compliant wipe followed by physical destruction through a certified e-waste vendor who provides certificates of destruction. For media repurposing, we have documented procedures requiring full sanitization before reassignment. Our process includes tracking of all media through asset tags in our CMDB, with chain of custody documentation for media containing regulated data (PCI DSS, HIPAA, etc.). We conduct quarterly audits of our media handling procedures to ensure compliance, and all staff handling media receive annual training on these procedures. This process satisfies our business continuity requirements and complies with relevant regulations including GDPR, HIPAA, and PCI DSS.

Example Response 2

Yes, we have implemented a formal Media Management Procedure as part of our ISO 27001-certified security program. Our procedure addresses the complete media lifecycle and is reviewed annually. For data sanitization, we use BitLocker encryption on all storage devices, ensuring that cryptographic erasure is effective when encryption keys are destroyed. Physical media is destroyed using our on-site industrial shredder, for which we maintain destruction logs with dual-employee verification signatures. For media repurposing within the organization, we have a documented process requiring IT department verification of complete data removal before reassignment. Our procedure includes specific handling requirements for different data classification levels, with the most stringent controls applied to media containing customer PII or financial information. We conduct monthly spot checks of our media disposal process and maintain an auditable chain of custody for all media from acquisition to destruction. This process has been validated during our annual SOC 2 Type 2 audit and meets requirements for CCPA, HIPAA, and FedRAMP Moderate compliance.

Example Response 3

No, we currently do not have a fully documented media handling process. While we do have some informal practices in place, such as instructing IT staff to wipe hard drives before disposal, these practices are not consistently documented or enforced across the organization. We recognize this as a gap in our security program and are actively working to develop a comprehensive media handling policy. We have drafted initial procedures for end-of-life handling and data sanitization based on NIST guidelines, but these have not yet been formally approved or implemented. We expect to have a complete media handling process documented and implemented within the next 90 days, including staff training and audit procedures. In the interim, our IT director personally oversees the handling of any media containing sensitive data to minimize risk. We understand this is an important control for protecting data confidentiality and are prioritizing the development of proper procedures.
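As an added example (not part of the original page, and not ResponseHub's or any respondent's actual tooling), the following Python script shows how the "verification methods" called for in the Explanation, and the quarterly audits and spot checks described in the example responses, can be made concrete: it audits a media-disposition log against a small policy table and reports every record that fails a rule. The rules mirror the practices the responses describe: a sanitization method appropriate to media type and data classification, confirmed key destruction when cryptographic erasure is relied on, a vendor certificate or dual-employee sign-off for destroyed media, IT verification before repurposing, and a chain-of-custody record for regulated media. The policy table, field names, asset tags and sample records are assumptions constructed for this illustration; the "clear", "purge" and "destroy" labels are the three sanitization categories NIST SP 800-88 Rev. 1 defines, but which category is acceptable for which media is an organizational decision and is only assumed here.

```python
"""Audit a media-disposition log against a media-handling policy (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical policy table: acceptable sanitization outcomes per (media type,
# data classification). This is an assumption for the example, not a quotation
# of NIST SP 800-88. "crypto_erase" is tracked separately so the audit can
# require confirmation that the encryption key was actually destroyed.
ALLOWED: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("hdd", "internal"):   frozenset({"clear", "purge", "destroy"}),
    ("hdd", "regulated"):  frozenset({"purge", "destroy"}),
    ("ssd", "internal"):   frozenset({"purge", "crypto_erase", "destroy"}),
    ("ssd", "regulated"):  frozenset({"crypto_erase", "destroy"}),
    ("tape", "internal"):  frozenset({"purge", "destroy"}),
    ("tape", "regulated"): frozenset({"destroy"}),
    ("usb", "internal"):   frozenset({"clear", "destroy"}),
    ("usb", "regulated"):  frozenset({"destroy"}),
}


@dataclass
class MediaRecord:
    """One line of a (constructed) media inventory / disposition log."""
    asset_tag: str
    media_type: str                  # hdd, ssd, tape, usb
    classification: str              # "internal" or "regulated"
    disposition: str                 # "in_use", "repurposed" or "disposed"
    method: str = ""                 # sanitization method actually recorded
    key_destroyed: bool = False      # only meaningful for crypto_erase
    destruction_cert: str = ""       # vendor certificate id for off-site destruction
    verifiers: Tuple[str, ...] = ()  # staff who signed the destruction/verification log
    custody: Tuple[str, ...] = ()    # chain-of-custody events, oldest first


def audit(records: List[MediaRecord]) -> List[Tuple[str, str]]:
    """Return (asset_tag, issue) for every policy violation found in the log."""
    findings: List[Tuple[str, str]] = []
    for r in records:
        if r.disposition == "in_use":
            continue  # nothing to sanitize yet
        allowed = ALLOWED.get((r.media_type, r.classification))
        if allowed is None:
            findings.append((r.asset_tag, "no policy entry for media type/classification"))
            continue
        if not r.method:
            findings.append((r.asset_tag, "no sanitization method recorded"))
            continue
        if r.method not in allowed:
            findings.append((r.asset_tag, f"method '{r.method}' not permitted for "
                                          f"{r.media_type}/{r.classification}"))
        if r.method == "crypto_erase" and not r.key_destroyed:
            findings.append((r.asset_tag, "crypto_erase recorded but key destruction not confirmed"))
        # Destruction must be evidenced by a vendor certificate (off-site) or
        # dual-employee signatures (on-site shredding).
        if r.method == "destroy" and not r.destruction_cert and len(r.verifiers) < 2:
            findings.append((r.asset_tag, "destruction lacks vendor certificate or dual-employee sign-off"))
        if r.disposition == "repurposed" and not r.verifiers:
            findings.append((r.asset_tag, "repurposed without IT verification of data removal"))
        if r.classification == "regulated" and not r.custody:
            findings.append((r.asset_tag, "regulated media has no chain-of-custody record"))
    return findings


def sample_records() -> List[MediaRecord]:
    """Constructed sample log; asset tags and certificate ids are placeholders."""
    return [
        MediaRecord("HDD-001", "hdd", "regulated", "disposed", "destroy",
                    destruction_cert="CERT-PLACEHOLDER-1",
                    custody=("issued", "returned", "vendor pickup")),
        MediaRecord("SSD-002", "ssd", "regulated", "disposed", "crypto_erase",
                    key_destroyed=False, custody=("issued", "returned")),
        MediaRecord("USB-003", "usb", "regulated", "disposed", "clear"),
        MediaRecord("HDD-004", "hdd", "internal", "repurposed", "clear"),
        MediaRecord("TAPE-005", "tape", "internal", "disposed", "destroy",
                    verifiers=("a.smith", "b.jones")),
        MediaRecord("HDD-006", "hdd", "internal", "disposed"),
        MediaRecord("SSD-007", "ssd", "internal", "in_use"),
    ]


if __name__ == "__main__":
    for tag, issue in audit(sample_records()):
        print(f"{tag}: {issue}")
```

Run as a script it lists one line per violation; a clean log produces no output. The useful design point is that the audit is driven by a policy table rather than hard-coded per media type, so when the organization tightens or relaxes a rule (for example, dropping overwrite-based "clear" for flash media) only the table changes and every historical record can be re-audited against the new policy.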

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub