Media and IT equipment is declassified and approved by the CISO, or delegate, for release before disposal into the public domain.

]]> This section covers information relating to the disposal of media and IT equipment. Further information relating to the disposal of IT equipment can be found in Section 12.6 - Product Sanitisation and Disposal.

]]> NZEO endorsed material requires additional protection at every level of classification.

]]> In general terms, media and IT equipment containing NZEO material should be sanitised and redeployed or sanitised and destroyed in accordance with the procedures in this section. Media and IT equipment that has contained NZEO material must not be disposed of, to e-recyclers or sold to any third party.

]]> Note the discussion in section 13.4 - Media and IT equipment sanitisation, on the challenges and difficulties in effectively sanitising media of all types.

]]> Prior to its disposal, media and IT equipment needs to be declassified to ensure that classified information is not accidentally released into the public domain.

]]> Agencies MUST declassify all media and IT equipment prior to disposing of it into the public domain.

]]> Media and IT equipment that cannot be effectively sanitised or declassified MUST be destroyed and not released into the public domain.

]]> The following diagram illustrates the mandated disposal process. Note declassification describes the entire process, including any reclassifications, approvals and documentation, before media and media waste can be released into the public domain.

]]> Agencies MUST document procedures for the disposal of media and IT equipment.

Media Disposal Process Outline Diagram

]]> The process of reclassifying, sanitising or destroying media does not provide sufficient assurance for media to be declassified and released into the public domain. In order to declassify media, formal administrative approval is required before releasing the media or waste into the public domain.

]]> Agencies declassifying media MUST ensure that:

the reclassification of all classified information on the media has been approved by the originator, or the media has been appropriately sanitised or destroyed; and
formal approval is granted before the media is released into the public domain.

]]> Disposing of media in a manner that does not draw undue attention ensures that media that was previously classified is not subjected to additional scrutiny over that of regular waste. This can include the removal of labels, markings and serial numbers.

]]> Agencies MUST dispose of media in a manner that does not draw undue attention to its previous classification.

]]> NZEO endorsed material requires additional protection at every level of classification and creates a special case in the destruction and disposal process.

]]> Media and IT equipment that has contained NZEO material MUST be sanitised and redeployed or sanitised and destroyed in accordance with the procedures in this chapter.

]]> For disposal of all NZEO endorsed materials, an approved destruction facility MUST be used.

]]> Media and IT equipment that has contained NZEO material MUST NOT be disposed of via e-recyclers or sold to any third party.

]]> An approved secure destruction facility may be agency-owned or a commercial facility.

]]> A number of regulatory and legislative requirements including those relating to health, safety, environmental protection, hazardous materials handling disposal and export, will have to be met by any such facility.

]]> It may not be economically viable for individual agencies to own and maintain such facilities. In such cases the use of a commercial facility may be the only practical alternative.

]]> To ensure secure destruction facilities have the capability, capacity and equipment to securely destroy media and IT equipment to the specifications detailed in the NZISM, a formal approval is required. An inspection of the facility and any necessary testing of the equipment will determine suitability for operation as a secure destruction facility. If the results of the inspection and testing are satisfactory, a formal approval is issued. Periodic re-inspections are conducted to ensure on-going compliance with the NZISM requirements.

]]> Commercial organisations may apply to the GCSB for approval as a secure destruction facility under the NZISM.

]]> The Director-General of the GCSB will issue such approvals if satisfied that the standards detailed in the NZISM have been satisfactorily been met and can be maintained.

]]> Where agencies establish their own disposal/destruction facilities, these facilities MUST be approved by the Director-General GCSB.

]]> Agencies may not have the facilities to securely dispose of media and IT equipment to the specifications detailed in the NZISM (Refer to 13.5.7 Media and IT Equipment Destruction and 13.5.9 Storage and handling of media waste particles). In these circumstances the use of an approved secure disposal or destruction facility (agency owned or a commercial facility) is permitted provided all other procedures in this Chapter are followed.

]]> The GCSB maintains a register of approved secure disposal/destruction facilities.

]]> In practical terms this requires tracking, supervision and oversight (witnessed) to the point where the disposal/destruction process is complete. Procedures are detailed in Section 13.5 - Media and IT Equipment Destruction.

]]> Agencies MUST use an approved secure disposal/destruction facility for the destruction of media and IT equipment.

]]>