Policy 390: Equipment Disposal provides the requirements and responsibilities pertaining to disposal of IT equipment.

Form 390F1: Affidavit of Media Sanitization, a formal statement required by the State Auditor, certifies to the Surplus Property Division of the Alabama Department of Economic and Community Development (ADECA), or other receiving state agency or entity, that the electronic storage media of information systems being turned in for reuse or sale as surplus has been sanitized of all data. This form may be used immediately. The previous version titled Electronic Media Sanitization Declaration is obsolete.

Form 390F2: Record of Media Sanitization is a detailed record of actions taken to sanitize the electronic storage media of any salvaged equipment. Use this form when sanitizing storage media that previously contained sensitive or confidential data. This form may be used as is or modified to suit agency requirements. Alternatively, sanitization details may be recorded electronically (in a database or spreadsheet for example). The form is modeled after the sample Certificate of Sanitization form found in NIST SP 800-88: Guidelines for Media Sanitization. Required elements (indicated by *) are required by IRS Publication 1075 and apply to any equipment that may have previously stored or processed Federal Tax Information (FTI). This form is new. A fillable version of this form will be available soon.

Risks addressed in these documents include:

  • Protect data confidentiality when systems are retired or repurposed.
  • Prevent data loss by sanitizing surplus equipment to remove sensitive data.
  • Ensure that sensitive data is not unintentionally released.

This policy addresses NIST SP800-53R4 (and IRS Pub. 1075) security controls:

  • MP-6: Media Sanitization
  • MP-6 (CE1): Media Sanitization – Review / Approve / Track / Document / Verify

View or Download:

DRAFT Policy 390: Equipment Disposal
Form 390F1: Affidavit of Media Sanitization
DRAFT Form 390F2: Record of Media Sanitization