CPCSC Level 1 Control
03.08.03 Media protection

CPCSC 03.08.03: Media sanitization

Wipe, destroy, or otherwise sanitize media that contains specified information before disposal, release, or reuse. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.

Formal Control Language

Official CPCSC Level 1 wording for 03.08.03. Use the Government of Canada page as the source of truth for certification or procurement submissions.

  • System media containing specified information is sanitized prior to disposal, release from organizational control, or release for reuse.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

If a drive, laptop, phone, USB stick, printer, backup, or other storage media may contain specified information, it cannot simply be thrown away, sold, donated, or reused without sanitization.

The point is to prevent old storage from becoming an accidental data breach.

For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the control is actually in place today and can be repeated when the next contract, customer, or assessment request arrives.

How To Implement It

1. Define which media types can store specified information: laptops, phones, USB drives, SSDs, hard drives, backups, printers, network appliances, and cloud exports.

2. Use approved wipe, crypto-erase, destruction, or certified disposal methods. Match the method to the media type and sensitivity.

3. Record asset ID, owner, serial number, sanitization method, date, approver, and disposal vendor if used.

4. Require sanitization before reassignment, return to vendor, repair, donation, sale, recycling, or disposal.

5. Connect the process to asset management and offboarding so media is not missed when staff leave or devices are replaced.
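The five steps above describe a record-keeping routine rather than a tool, so the following is an added example (not from this guide or from the Government of Canada material) of how a small pre-release check can enforce them: every sanitization log entry must carry the fields from step 3, the method must be one approved for that media type (step 2), a vendor disposal must reference a certificate of destruction, and retired assets in the inventory must each have a passing record (step 5). The media-type-to-method table, the field names, and the sample inventory and log entries are all constructed assumptions, not an organisation's real data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed media-type -> accepted-method table (assumption). An organisation
# would replace this with its own approved-method list from its procedure.
APPROVED_METHODS = {
    "hdd": {"overwrite", "degauss", "destruction"},
    "ssd": {"crypto-erase", "destruction"},   # overwrite alone is unreliable on flash
    "laptop": {"crypto-erase", "overwrite", "destruction"},
    "phone": {"crypto-erase", "destruction"},
    "usb": {"overwrite", "destruction"},
    "printer": {"overwrite", "destruction"},
    "backup-tape": {"degauss", "destruction"},
    "cloud-export": {"crypto-erase", "verified-delete"},
}

# Events from step 4 that require sanitization before the asset moves.
RELEASE_EVENTS = {"disposal", "reassignment", "return-to-vendor", "repair",
                  "donation", "sale", "recycling"}

# Fields from step 3 that every log entry must carry.
REQUIRED_FIELDS = ("asset_id", "owner", "serial", "media_type",
                   "method", "date", "approver", "release_event")


@dataclass
class SanitizationRecord:
    asset_id: str
    owner: str
    serial: str
    media_type: str
    method: str
    date: str
    approver: str
    release_event: str
    vendor: Optional[str] = None           # disposal vendor, if one was used
    certificate_ref: Optional[str] = None  # vendor's certificate of destruction


def validate_record(rec: SanitizationRecord) -> list:
    """Return the findings for one log entry; an empty list means it passes."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not getattr(rec, name):
            findings.append(f"missing {name}")
    if rec.release_event and rec.release_event not in RELEASE_EVENTS:
        findings.append(f"unrecognised release event {rec.release_event!r}")
    allowed = APPROVED_METHODS.get(rec.media_type)
    if allowed is None:
        findings.append(f"media type {rec.media_type!r} has no approved method")
    elif rec.method not in allowed:
        findings.append(f"method {rec.method!r} is not approved for {rec.media_type}")
    # Certified disposal through a vendor is only evidence if the certificate is filed.
    if rec.vendor and not rec.certificate_ref:
        findings.append("vendor used but no certificate of destruction recorded")
    return findings


def retired_without_evidence(inventory, records) -> list:
    """Step 5 cross-check: retired inventory assets that have no passing record."""
    evidenced = {r.asset_id for r in records if not validate_record(r)}
    return sorted(a["asset_id"] for a in inventory
                  if a["status"] == "retired" and a["asset_id"] not in evidenced)


# Constructed sample data so the check runs stand-alone.
SAMPLE_INVENTORY = [
    {"asset_id": "LT-0001", "media_type": "laptop", "status": "retired"},
    {"asset_id": "SSD-0007", "media_type": "ssd", "status": "retired"},
    {"asset_id": "HDD-0042", "media_type": "hdd", "status": "retired"},
    {"asset_id": "LT-0002", "media_type": "laptop", "status": "in-use"},
]

SAMPLE_RECORDS = [
    SanitizationRecord("LT-0001", "j.doe", "SN-A1", "laptop", "crypto-erase",
                       "2024-05-02", "it.manager", "donation"),
    # SSD sanitized with a method that is not approved for flash media.
    SanitizationRecord("SSD-0007", "a.lee", "SN-B2", "ssd", "overwrite",
                       "2024-05-03", "it.manager", "reassignment"),
    # Destroyed by a (fictional) vendor, but the certificate was never filed.
    SanitizationRecord("HDD-0042", "m.kim", "SN-C3", "hdd", "destruction",
                       "2024-05-04", "it.manager", "recycling", vendor="ShredCo"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.asset_id, validate_record(rec) or "OK")
    print("retired without evidence:",
          retired_without_evidence(SAMPLE_INVENTORY, SAMPLE_RECORDS))
```

Run on the constructed data, the check passes the laptop, flags the SSD for an unapproved method and the hard drive for a missing certificate, and therefore reports both as retired assets with no usable evidence. Wiring a check like this into the asset-management workflow is what turns step 5 from a policy sentence into something an owner can show an assessor.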

Evidence Normally Gathered

Sanitization procedure.

Media disposal or destruction log.

Certificates of destruction from vendors.

Asset inventory showing retired devices.

Wipe tool results or screenshots.

Return-to-vendor or repair approval records.

Common Auditor Questions

How do you know which media may contain specified information?

What sanitization method is used for laptops, removable drives, and cloud exports?

Show me a recent disposal or reassignment record.

Who approves media leaving company control?

What happens when a device is lost or cannot be sanitized?