Disposal of Media

HITRUST CSF v11 requires you to dispose of media through formal, documented procedures that make sensitive information non-recoverable, using methods matched to the data’s sensitivity (HITRUST CSF v11 Control Reference). To operationalize it quickly, define what “media” includes in your environment, assign owners, standardize approved sanitization/destruction methods, and retain disposal evidence.

Key takeaways:

  • You need formal procedures plus proof that data on disposed media cannot be recovered (HITRUST CSF v11 Control Reference).
  • Scope includes paper and digital media across IT, Security, Facilities, and third parties handling your assets.
  • Audits are won or lost on inventory linkage, chain-of-custody, and consistent certificates/logs.

“Disposal of media” sounds straightforward until you face an assessor asking how you know a decommissioned server drive, an old backup tape, or a box of printed medical records cannot be reconstructed. HITRUST CSF v11 09.p is a requirement-level control: dispose of media securely and safely when it is no longer required, using formal procedures, and apply disposal methods appropriate to data sensitivity so the information cannot be recovered (HITRUST CSF v11 Control Reference).

For a CCO or GRC lead, the fastest path is to treat media disposal as a closed-loop process with evidence at each step: identify media that contains sensitive data, authorize disposal, maintain chain-of-custody, sanitize or destroy using approved methods, and record outcomes. The operational challenge is less about picking a shredding technique and more about governance: consistent classification, asset tracking, third-party oversight, and a defensible record that the organization followed its own procedure every time.

This page gives requirement-level implementation guidance you can put into a policy, a runbook, and an audit binder without adding fluff.

Regulatory text

Requirement (excerpt): “Media shall be disposed of securely and safely when no longer required, using formal procedures. Secure disposal procedures shall ensure that sensitive information cannot be recovered from disposed media, with methods appropriate to the sensitivity level of the data.” (HITRUST CSF v11 Control Reference)

What the operator must do:

  1. Establish and maintain documented media disposal procedures.
  2. Ensure disposal prevents recovery of sensitive information (not just “deleted”).
  3. Choose sanitization/destruction methods based on data sensitivity, and apply them consistently.
  4. Keep records that prove the procedure was followed.

Plain-English interpretation

You must control end-of-life handling for any media that could contain sensitive information. “Dispose of” includes throwing away, recycling, donating, returning leased equipment, sending devices for repair, and using third parties for shredding or e-waste. The requirement expects a formal process (not tribal knowledge) and an outcome-based standard: sensitive data must be non-recoverable after disposal (HITRUST CSF v11 Control Reference).

Who it applies to

Entity scope: All organizations seeking alignment with HITRUST CSF (HITRUST CSF v11 Control Reference).

Operational scope (where this shows up in real life):

  • IT operations: decommissioned servers, storage arrays, endpoints, removable media, lab devices, network gear with storage.
  • Security operations: incident-driven device collection, forensic copies, quarantine media, secure wipe tooling.
  • Facilities/records management: paper records, printed reports, mailroom returns, offsite storage purge events.
  • Backup/DR: tapes, external drives, legacy backup appliances, cloud backup export jobs.
  • Third parties: e-waste recyclers, shredding services, data center providers, managed service providers, device refurbishment partners.

Media types to explicitly cover in scope statements:

  • Physical paper: charts, call notes, printed claims, IDs, mailing labels, badges.
  • Magnetic/optical: tapes, CDs/DVDs (including old archives).
  • Solid-state storage: SSDs, NVMe, USB drives, memory cards, mobile devices.
  • Embedded storage: printers/copiers, VoIP phones, scanners, biomedical devices, firewalls that log to internal storage.

What you actually need to do (step-by-step)

1) Define “media” and sensitivity tiers in your procedure

Write down what media types your procedure governs and map them to your internal data classification scheme. HITRUST’s requirement hinges on “methods appropriate to the sensitivity level of the data” (HITRUST CSF v11 Control Reference). If you cannot show how sensitivity drives method choice, assessors tend to treat the program as ad hoc.

Deliverable: Media Disposal Standard or Procedure, with a clear scope section and a “method selection” table.

2) Assign accountable owners and decision rights

Set ownership for:

  • Approval to dispose: typically asset owner or system owner.
  • Execution: ITAD team, IT ops, Facilities, or a managed provider.
  • Oversight: Security/GRC validates methods and evidence.

Include a rule for exceptions (e.g., if a device must leave premises for warranty repair).

Deliverable: RACI embedded in the procedure, plus a ticket workflow that records approvals.

3) Control the “no longer required” trigger

Create triggers so media does not sit in limbo:

  • Asset decommissioning
  • User offboarding and device refresh
  • Application retirement and archive decisions
  • Records retention schedules reaching end-of-life

Tie the trigger to a work order or ticket category so disposal events become trackable.

Deliverable: Ticket types/queues and a retention/disposal decision record (even a simple form).

4) Maintain chain-of-custody from collection to destruction

You need a defensible story for where the media was, who had it, and when it changed hands. In practice this means:

  • Sealable bins or locked consoles for paper
  • Secure storage cage for drives awaiting destruction
  • Check-in/check-out logs
  • Tamper-evident containers for transport
  • Explicit handoff documentation to any third party

Deliverables: Chain-of-custody log template; secure storage location list; bin service schedule.

5) Use approved sanitization/destruction methods that make data non-recoverable

The control is outcome-based: sensitive information cannot be recovered after disposal (HITRUST CSF v11 Control Reference). Your procedure should specify which actions meet that bar for each media type and sensitivity tier.

A practical way to express this is a decision matrix:

  • Endpoint HDD/SSD
    Data sensitivity: Sensitive/regulated
    Approved method (examples): Cryptographic erase where supported; otherwise physical destruction via shred/crush
    Evidence you must capture: Wipe log or destruction certificate tied to serial/asset tag

  • Backup tapes
    Data sensitivity: Sensitive/regulated
    Approved method (examples): Third-party destruction, or verified degauss followed by destruction
    Evidence you must capture: Certificate listing tape IDs; transport chain-of-custody

  • Paper records
    Data sensitivity: Sensitive/regulated
    Approved method (examples): Cross-cut shredding, or contracted shredding with locked consoles
    Evidence you must capture: Shred service manifest; pickup logs; certificate of destruction

  • Printers/copiers with storage
    Data sensitivity: Sensitive/regulated
    Approved method (examples): Remove and destroy internal storage, or sanitize via a manufacturer-supported process
    Evidence you must capture: Work order notes plus serial mapping

Your actual approved methods can differ; what matters is that they are documented, consistently applied, and appropriate to sensitivity (HITRUST CSF v11 Control Reference).

6) Manage third parties as part of the control (not as a handoff)

If a third party destroys or sanitizes media, your procedure must still control:

  • Selection and onboarding criteria (they can meet your disposal requirements)
  • Contract terms for destruction, confidentiality, and record retention
  • Evidence you receive (certificate/manifests with identifiers)
  • Your verification steps (spot checks, periodic reviews)

Keep it simple: require traceability to your asset IDs and require prompt notification of any loss during transport.

Deliverables: Third-party disposal addendum/contract language; evidence intake checklist; review cadence in your third-party oversight process.

7) Record, reconcile, and review

Auditors expect that disposed media is reconciled to inventory. Build a monthly or quarterly reconciliation between:

  • Asset inventory (retired status)
  • Disposal tickets
  • Certificates/logs received
  • Exceptions and open items

Deliverables: Reconciliation report; exception register; corrective actions.
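As an added example (not part of this guide or of HITRUST's material), the following Python reconciles retired inventory, disposal tickets and received certificates against the method-selection matrix from step 5, producing the exception register described in step 7. The field names, method labels and all sample records are constructed assumptions; map them to your own inventory and ticketing exports.

```python
# Added example, not from the guide or HITRUST: reconcile retired assets against
# disposal tickets and destruction evidence. All field names and records below
# are constructed assumptions standing in for your inventory/ticket exports.
# Decision matrix: (media type, sensitivity) -> methods approved by procedure.
APPROVED = {
    ("hdd_ssd", "sensitive"): {"crypto_erase", "shred", "crush"},
    ("tape", "sensitive"): {"third_party_destruction", "degauss_and_destroy"},
    ("paper", "sensitive"): {"cross_cut_shred", "contracted_shred"},
    ("printer_storage", "sensitive"): {"remove_and_destroy", "vendor_sanitize"},
}

# Constructed sample exports from inventory, ticketing and evidence intake.
INVENTORY = [
    {"asset": "A-1001", "media": "hdd_ssd", "sens": "sensitive", "status": "retired"},
    {"asset": "A-1002", "media": "hdd_ssd", "sens": "sensitive", "status": "retired"},
    {"asset": "T-0042", "media": "tape", "sens": "sensitive", "status": "retired"},
    {"asset": "A-2000", "media": "hdd_ssd", "sens": "sensitive", "status": "active"},
]
TICKETS = [  # an empty "asset" means the mandatory identifier field was skipped
    {"id": "DSP-1", "asset": "A-1001", "method": "crypto_erase"},
    {"id": "DSP-2", "asset": "A-1002", "method": "factory_reset"},
    {"id": "DSP-3", "asset": "", "method": "shred"},
]
CERTIFICATES = [  # each certificate/wipe log lists the identifiers it covers
    {"cert": "CERT-9", "assets": ["A-1001", "X-9999"]},
    {"cert": "CERT-10", "assets": []},
]


def reconcile(inventory, tickets, certificates, approved=APPROVED):
    """Return the exception register as sorted (reference, issue) tuples."""
    issues = []
    retired = {a["asset"]: a for a in inventory if a["status"] == "retired"}
    tickets_by_asset = {t["asset"]: t for t in tickets if t["asset"]}
    covered = {x for c in certificates for x in c["assets"]}
    # Evidence that cannot be tied to an asset is rejected, not accepted.
    for t in tickets:
        if not t["asset"]:
            issues.append((t["id"], "ticket missing asset identifier"))
    for c in certificates:
        if not c["assets"]:
            issues.append((c["cert"], "certificate lists no identifiers"))
    # Every retired asset needs an approved ticket and evidence naming it.
    for tag, a in retired.items():
        t = tickets_by_asset.get(tag)
        if t is None:
            issues.append((tag, "retired asset has no disposal ticket"))
            continue
        if t["method"] not in approved.get((a["media"], a["sens"]), set()):
            issues.append((tag, f"method {t['method']} not approved for {a['media']}/{a['sens']}"))
        if tag not in covered:
            issues.append((tag, "no certificate or wipe log lists this asset"))
    # Identifiers on evidence that inventory does not know are also flagged.
    for x in sorted(covered - set(retired)):
        issues.append((x, "certificate identifier not in retired inventory"))
    return sorted(issues)
```

Run `reconcile(INVENTORY, TICKETS, CERTIFICATES)` on the sample data and the register shows six exceptions: an unapproved method and missing evidence for one drive, a certificate without identifiers, a ticket without an asset tag, a retired tape with no ticket, and a certificate identifier that inventory does not know.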

Required evidence and artifacts to retain

Keep evidence in a form an assessor can sample and trace end-to-end.

Policy/procedure artifacts

  • Media Disposal Policy/Standard/Procedure with scope, roles, and method selection logic (HITRUST CSF v11 Control Reference)
  • Data classification and records retention references used to determine sensitivity and “no longer required” status

Operational records

  • Disposal requests/tickets with approvals
  • Chain-of-custody logs (internal transfers and third-party handoffs)
  • Sanitization logs (tool output, wipe verification results) tied to unique device identifiers
  • Certificates of destruction and manifests listing asset tags/serial numbers
  • Inventory updates showing asset retired/disposed status and date
  • Exception records (lost devices, failed wipes, urgent removals) and remediation notes

Third-party oversight

  • Contract language or SOW requirements for secure disposal evidence
  • Evidence intake and review records (who reviewed certificates, when, and what mismatches were resolved)

Common exam/audit questions and hangups

Expect these questions, and prepare “show me” artifacts:

  1. “Define media. Are printers/copiers in scope?”
    Common hangup: teams only cover laptops and paper shredding. Fix with a scoped list and owner assignments.

  2. “How do you decide the disposal method based on sensitivity?”
    Hangup: no mapping from classification to method. Fix with a short decision matrix in the procedure.

  3. “Prove the data is non-recoverable.”
    Hangup: “we deleted files” is not a control. Fix by requiring wipe verification logs or destruction certificates.

  4. “Show chain-of-custody for these sampled assets.”
    Hangup: evidence exists but cannot be tied to a serial number or asset tag. Fix by making identifiers mandatory fields.

  5. “How do you oversee your shredding/e-waste provider?”
    Hangup: “they’re reputable” without artifacts. Fix with contract requirements and periodic evidence reviews.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Treating disposal as an IT-only process.
    Avoid it by including Facilities/Records and Procurement/Third-Party Risk in the workflow and RACI.

  • Mistake: Certificates of destruction that don’t list identifiers.
    Avoid it by requiring serial/asset tag/tape ID on every certificate and rejecting evidence that cannot be reconciled.

  • Mistake: No process for “temporary storage pending disposal.”
    Avoid it by defining secure holding areas, labeling requirements, and maximum holding rules in operations (express it as “as soon as practical” if you cannot commit to a specific time).

  • Mistake: Exceptions are handled offline.
    Avoid it by forcing exception tickets and a short post-incident review step, especially for lost media in transit.

  • Mistake: Media leaves premises for repair with no controls.
    Avoid it by requiring sanitization before shipment where feasible, or documented compensating controls and third-party terms.

Enforcement context and risk implications

No public enforcement cases were provided in the supplied source catalog for this requirement. Even without enforcement examples, the risk is direct: improperly disposed media can produce reportable data exposure, contractual breaches with customers/partners, and loss of confidence in your security program. The requirement’s “non-recoverable” standard is designed to reduce the chance that discarded or resold equipment becomes an incident.

Practical 30/60/90-day execution plan

First 30 days: Stabilize and document

  • Publish a media disposal procedure that defines in-scope media, roles, and approved method selection by sensitivity (HITRUST CSF v11 Control Reference).
  • Stand up a single intake mechanism (ticket/work order) for all disposal events.
  • Identify your top disposal pathways (device refresh, decommissioned servers, paper shredding) and require evidence collection for them immediately.
  • Inventory the third parties involved in disposal and confirm you can obtain itemized destruction evidence.

Days 31–60: Make it traceable

  • Add mandatory fields to tickets: asset tag/serial, data sensitivity, method chosen, approver, disposition date.
  • Implement chain-of-custody logs and secure holding controls.
  • Start a recurring reconciliation between inventory and disposal evidence; track mismatches as exceptions.
  • Update third-party contracts/SOWs to require non-recoverable disposal and itemized certificates/manifests.

Days 61–90: Prove repeatability

  • Run an internal sampling exercise mirroring an audit: pick disposed assets and trace from inventory to certificate/log.
  • Fix the top failure modes found (missing identifiers, incomplete logs, uncontrolled handoffs).
  • Train IT ops, Facilities, and service desk on the workflow and what evidence must be attached.
  • If you need scale and consistency, evaluate tooling to manage evidence collection and third-party attestations; many teams use Daydream to centralize control procedures, evidence requests, and third-party due diligence artifacts in one place.

Frequently Asked Questions

Does “media” include cloud storage or SaaS data?

This requirement focuses on disposal of media, which is typically physical or logical storage you can sanitize or destroy. If you export data to files, backups, or removable storage during migrations, those artifacts become “media” in practice and should follow your disposal procedure (HITRUST CSF v11 Control Reference).

Are we compliant if we just “factory reset” laptops before recycling?

Only if your procedure defines factory reset as sufficient for the data sensitivity and you can show it makes the information non-recoverable (HITRUST CSF v11 Control Reference). Many programs require stronger, verifiable sanitization or physical destruction for sensitive data.

What evidence do auditors actually accept for secure disposal?

Auditors look for traceable evidence: wipe logs or certificates of destruction that list serial numbers/asset tags, plus chain-of-custody records and inventory updates. Evidence that cannot be tied to a specific asset often gets rejected during sampling.

How do we handle leased equipment or devices being returned to a manufacturer?

Treat returns as disposal events with chain-of-custody. Document required sanitization before return where feasible, and retain proof of sanitization plus shipment and handoff records.

Can we outsource destruction to a third party and be done?

You can outsource the action, not the accountability. Your program still needs formal procedures, contract requirements, and evidence review to confirm the third party’s process meets the “non-recoverable” expectation (HITRUST CSF v11 Control Reference).

What should we do if we cannot sanitize a failed drive?

Document it as an exception and default to physical destruction through an approved method. Record the asset identifier, the reason sanitization failed, and the destruction evidence so the file still proves non-recoverability (HITRUST CSF v11 Control Reference).
