Sanitization Standard
Content
1. Purpose
2. Scope
3. Change Control
4. Policy Deviation
5. Terms and Definitions
6. Requirements for Sanitization
7. Recommended Sanitization method of Specific Media
8. Approval
Saudi Aramco: Company General Use
Document Responsibility: Information Security Department
SACS-011 | Issue Date: February 2021
1. Purpose
This standard defines the minimum requirements for ensuring that the Company’s data is
permanently removed from media before disposal or reuse to protect against unauthorized
access or disclosure.
2. Scope
This standard applies to all media assets owned, leased, operated or maintained by Saudi
Aramco.
3. Change Control
Changes made to the standard documentation will be highlighted using the following
labelling scheme.
New: A new standard or guideline that has been added and approved for this release.
4. Policy Deviation
In the event compliance with security requirements is not feasible, policy deviation must
be requested from the Information Security Department (ISD) by submitting a CRM request.
General Requirements
SS 1.1 Physical assets (hard copy or electronic media) that hold company data must
be securely sanitized or physically destroyed before being loaned,
transferred, decommissioned, donated, surplused or disposed.
SS 1.2 Media that cannot be sanitized must be destroyed. These include, but are
not limited to:
a) microfiche and microfilm;
b) optical discs;
c) programmable read-only memory;
d) read-only memory;
e) faulty media device that cannot be sanitized.
SS 1.6 Records of sanitization must be maintained for verification and tracking.
SS 1.7 Labels or markings indicating the association of any media with Saudi Aramco
must be removed prior to disposal.
SS 1.8 Media devices must be secured to prevent loss or theft during preparation
and transportation to appropriate centers for disposal/sanitization.
S.1.9 United States National Security Agency (NSA) or the United Kingdom’s
National Cybersecurity Center certified degaussers must be used.
S.1.10 The degausser must render the media device permanently unusable.
S.1.12 Sanitization equipment and related process must be tested annually to
ensure data is irrevocably deleted from media devices.
S 1.13 Business, security and legal retention requirements must be complied with
prior to media sanitization.
Media: Cell phones, smart phones, PDAs, tablets, and other mobile devices
Clear:
• Delete all information manually.
• Perform a full reset through the device’s settings menu (refer to the device
manufacturer for the method of restoring to factory default settings).
Purge: Refer to the device manufacturer (or service provider, if applicable) to
identify whether the device has a Purge capability that applies media-dependent
sanitization techniques to ensure that data recovery is infeasible.
(Use Destroy in case Purge capability is unavailable).
Destroy: Shred, Disintegrate, Pulverize, or Incinerate by burning the device in a
licensed incinerator.

Media: SCSI Solid State Drives (SSSDs)
Clear: Overwrite media by using organizationally approved software and perform
verification on the overwritten data. The Clear pattern should be at least a
single write pass with a fixed data value.
Purge: Apply the SCSI SANITIZE command by using the block erase service.
Destroy: Shred, Disintegrate, Pulverize, or Incinerate by burning the device in a
licensed incinerator.

Media: USB Removable Media
Clear: Overwrite media by using organizationally approved software and perform
verification on the overwritten data. The Clear pattern should be at least
two write passes, to include a pattern in the first pass and its complement in the
second pass.
Purge: Use destroy.
Destroy: Shred, Disintegrate, Pulverize, or Incinerate by burning the device in a
licensed incinerator.

Media: Memory Cards
Clear: Using organizationally approved software and perform verification on the
overwritten data. The Clear pattern should be at least two write passes, to
include a pattern in the first pass and its complement in the second pass.
Purge: Use destroy.
Destroy: Shred, Disintegrate, Pulverize, or Incinerate by burning the device in a
licensed incinerator.

Media: Reel and Cassette Format Magnetic Tapes
Clear: Re-record (overwrite) all data on the tape using an organizationally
approved pattern, using a system with similar characteristics to the one that
originally recorded the data.
Purge: Degauss in an organizationally approved degausser.
Destroy: Shred, Disintegrate, Pulverize, or Incinerate by burning the device in a
licensed incinerator.

Media: ATA & SCSI Hard Disk Drives
Clear: Overwrite media by using organizationally approved software and perform
verification on the overwritten data. The Clear pattern should be at least a
single write pass with a fixed data value.
Purge: Degauss in an organizationally approved automatic degausser.
(Use Destroy in case Purge capability is unavailable).
Destroy: Shred, Disintegrate, Pulverize, or Incinerate by burning the device in a
licensed incinerator.

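The Clear entries above call for an overwrite followed by verification: a single pass with a fixed value, or a pattern pass followed by its complement. The sketch below is an added example, not part of the standard and not the organizationally approved software; it assumes the target is a regular image file, and the function names and the 0x55 pattern are hypothetical choices.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # write and verify in 1 MiB chunks


def write_pass(path, value):
    """Overwrite every byte of the target with one fixed byte value."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for start in range(0, size, CHUNK):
            f.write(bytes([value]) * min(CHUNK, size - start))
        f.flush()
        os.fsync(f.fileno())  # push the pass to the medium before verifying
    return size


def verify_pass(path, value):
    """Read the target back; return the offset of the first mismatch, or None."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(value) != len(chunk):
                return offset + next(i for i, b in enumerate(chunk) if b != value)
            offset += len(chunk)
    return None


def clear(path, pattern=0x55, two_pass=True):
    """Pattern then complement (two_pass) or one fixed value; verify each pass."""
    record = []
    for value in ([pattern, pattern ^ 0xFF] if two_pass else [pattern]):
        size = write_pass(path, value)
        mismatch = verify_pass(path, value)
        if mismatch is not None:
            raise IOError(f"pass 0x{value:02X} failed verification at offset {mismatch}")
        record.append({"value": value, "bytes": size, "verified": True})
    return record  # entries for the sanitization record kept for tracking


def demo():
    """Constructed input: a small random-filled image file stands in for the media."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(os.urandom(2 * CHUNK + 7))
    try:
        return clear(f.name), verify_pass(f.name, 0xAA), verify_pass(f.name, 0x55)
    finally:
        os.unlink(f.name)
```

On flash-based media a logical overwrite does not reach blocks the controller has remapped or reserved, so a passing read-back only covers the addressable area.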
Approval
Khalid S. Al-Harbi
Chief Information Security Officer