National Institute of Standards and Technology, NIST Special Publication 800-88
The key in deciding how to manage media in an organization is to first consider the information, then the media type. The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media. Again, the key is to first think in terms of information confidentiality, then by media type. In organizations, information exists that is not associated with any categorized system. This information is often hard copy internal communications such as memoranda, white papers, and presentations. Sometimes this information may be considered sensitive. Examples may include internal disciplinary letters, financial or salary negotiations, or strategy meeting minutes. Organizations should label these media with their internal operating classifications and associate a type of sanitization described in this publication. There are different types of sanitization for each type of media. We have divided media sanitization into four categories: disposal, clearing, purging and destroying. Disposal exists where media are just tossed out with no special disposition given to them. Some media can be simply disposed if information disclosure would have no impact on organizational mission, would not result in damage to organizational assets, would not result in financial loss or would not result in harm to any individuals. Disposal is mentioned to assure organizations that all media does not require sanitization and that disposal is still a valid method for handling media containing non-confidential information. Since disposal is not technically a type of sanitization, it will not be mentioned or addressed outside of this section. Companies must put in place plans to securely erase data or destroy it.