MP-06 Media Sanitization And Disposal

Media Protection

Baselines: Low, Moderate, High, Privacy

Description

The organization sanitizes information system media, both digital and non-digital, prior to disposal or release for reuse.

Supplemental Guidance

Sanitization is the process used to remove information from information system media such that there is reasonable assurance, in proportion to the confidentiality of the information, that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or disposed of. The organization uses its discretion on sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed of. NIST Special Publication 800-88 provides guidance on media sanitization, including the requirement to verify the result after the sanitization step. The National Security Agency also provides media sanitization guidance and maintains a listing of approved sanitization products at http://www.nsa.gov/ia/government/mdg.cfm.
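The clear step of the guidance above, followed by the read-back verification that SP 800-88 asks for, as an added shell example. This is not part of the control text or of any NIST tooling; the function names (media_size, clear_zero, verify_zeroed), the sample count and the 4096-byte block size are assumptions of this example. It runs on a disk image file or a block device; the purge-class commands in the comment are listed for reference only and are not executed.

```shell
#!/bin/sh
# Added example: clear a medium by zero overwrite, then verify by reading it
# back. Not part of the NIST control text. Path, sample count and block size
# are chosen by the caller (hypothetical defaults below).
#
# Purge-class commands for reference only (NOT run here; device-specific):
#   nvme format /dev/nvme0n1 --ses=1        # NVMe user-data erase
#   hdparm --security-erase NULL /dev/sdX   # ATA Secure Erase
#   blkdiscard --secure /dev/sdX            # secure discard where supported
# A host-side zero overwrite (clear_zero) is a "clear", not a "purge": on
# flash media, wear-levelling and over-provisioned blocks the host cannot
# address may still hold old data, so purge or destroy for sensitive data.

media_size() {
  # Size in bytes of a block device or of a regular file (disk image).
  if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
    blockdev --getsize64 "$1"
  else
    wc -c < "$1" | tr -d ' '
  fi
}

# clear_zero PATH : overwrite every byte of PATH with zeros, in place.
# conv=notrunc keeps the file at its size instead of truncating it, so the
# old blocks are overwritten rather than released to the filesystem.
clear_zero() {
  size=$(media_size "$1") || return 2
  head -c "$size" /dev/zero | dd of="$1" conv=notrunc 2>/dev/null || return 2
  sync
}

# verify_zeroed PATH [SAMPLES] [BLOCK]
# Reads SAMPLES blocks of BLOCK bytes spread evenly across PATH, always
# including the first and the last block. Returns 0 if every sampled byte
# is zero, 1 on the first nonzero byte, 2 on a read error or empty medium.
verify_zeroed() {
  path=$1; samples=${2:-64}; block=${3:-4096}
  size=$(media_size "$path") || return 2
  [ "$size" -gt 0 ] || return 2
  total=$(( (size + block - 1) / block ))
  [ "$samples" -le "$total" ] || samples=$total
  blk=$(mktemp) || return 2
  i=0
  while [ "$i" -lt "$samples" ]; do
    if [ "$samples" -gt 1 ]; then
      idx=$(( i * (total - 1) / (samples - 1) ))
    else
      idx=0
    fi
    # Read one block into a scratch file; a failed or empty read is an
    # error, not a pass, so a dead device cannot "verify" as clean.
    if ! dd if="$path" of="$blk" bs="$block" skip="$idx" count=1 2>/dev/null; then
      rm -f "$blk"; return 2
    fi
    [ "$(wc -c < "$blk" | tr -d ' ')" -gt 0 ] || { rm -f "$blk"; return 2; }
    # tr strips NUL bytes; anything left means the block is not clean.
    n=$(tr -d '\000' < "$blk" | wc -c)
    if [ "$n" -ne 0 ]; then
      rm -f "$blk"; return 1
    fi
    i=$((i + 1))
  done
  rm -f "$blk"
  return 0
}

# Stand-alone use: ./sanitize_check.sh /path/to/image-or-device
if [ "$#" -ge 1 ]; then
  if verify_zeroed "$1"; then echo "$1: verified clean"; else echo "$1: NOT clean (rc=$?)"; fi
fi
```

Sampling keeps the read-back fast on large media; raise SAMPLES (or set it to the block count) for a full read when the record must show every block was checked. Run as a user with raw access to the device, and record the return code alongside the device serial in the sanitization record.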

Changes from Rev 4

Removes 'in accordance with applicable federal and organizational standards and policies' from the control text.
The Discussion adds a reference to NARA.
Incorporates the media sanitization elements of the withdrawn Appendix J control DM-02.

Compliance Mappings

ISO 27001:2022

A.7.10, A.7.14, A.8.10

ISO 27002:2022

7.10, 7.14, 8.10

COBIT 2019

APO14, BAI09

CIS Controls v8

CIS 15.7, CIS 3, CIS 3.5, CIS 4.11

NIST CSF 2.0

GV.SC-10, ID.AM-08

SOC 2 TSC

CC6.5

PCI DSS v4.0.1

9.4

CSA CCM v4

CEK-14, DCS-01, DSP-02, DSP-16, UEM-13

CSA AICM v1

CEK-14, DCS-01, DSP-02, DSP-16, UEM-13

FINOS CCC

CCC-C16

ISO 42001:2023

A.4.3

MAS TRM

11

BSI IT-Grundschutz

CON.6

ANSSI

Hygiene.19, SecNumCloud.9.3

FINMA Circular 2023/1

IV.D(78), IV.E(83), IV.E(84)

OSFI B-13

B-13.3.2

EU GDPR

Art.17(1), Art.32(1)(a), Art.5(1)(f)

EU DORA

Art.9(4)(b)

BIO2

7.10, 7.14, 8.10

RBI CSF

Annex1.12

FISC Security Guidelines

FISC.F4, FISC.O9

LGPD + BCB 4893

LGPD.Art.15-16

HKMA TM-E-1

TME1.7.2

MLPS 2.0

8.1.10.1, 8.1.4.10

DNB Good Practice

DNB.12.2

EU CRA

CRA.I.2m, CRA.Info.8d

SAMA CSF

3.9

NCA ECC

2-7

UAE IA

T4

CBB TM

TM-9

Qatar NIA

AM

CBUAE

CR-5

CBE CSF

CTO-2

SA JS2

JS2-8.2

CBN CSF

Part3.4

BoG CISD

CISD-V

POPIA

s14, s19

CPMI-IOSCO PFMI

CG.PR

FFIEC IS

II.C.13, II.C.13(c)

NYDFS 500

500.13

HIPAA Security Rule

§164.310(d)(1), §164.310(d)(2)(i), §164.310(d)(2)(ii)

ECB CROE

CROE.2.3.3

SEBI CSCRF

PR.DS

BOT Cyber Resilience

Ch2.3

CMMC 2.0

MP

NERC CIP

CIP-011-3

10 CFR 73.54

RG5.71-B-MA

PCI PTS v6

K

FIPS 140-3

FIPS 140-3 §7.9

CBEST

CBEST.9

TIBER-EU

TIBER.CONF

PCI HSM

5

Common Criteria

CC Part 2 — FDP

Solvency II

DR.266-DataSec

Lloyd's Minimum Standards

MS8.7

NAIC Insurance Data Security

4-asset, 4B

PRA SS1/23

P5.5

HITRUST CSF v11

06.b, 09.f

FDA Cybersecurity Guidance

SA-4

OWASP MASVS v2.1

MASVS-STORAGE-1

CCSS v9.0

2.02.1, 2.02.2, 2.02.3

MiCA

Art.62(9)

Basel SCO60

SCO60.63

BSSC Standards

GSP-09

ISO 17799 (legacy)

9.2.6, 10.7.1, 10.7.2

COBIT 4.1 (legacy)

DS11.4, DS11.6