Information Security: Controls for Removing Sensitive Data from Select Media Devices Prior to Disposal Were Effective

OIG-17-1: Nov 2, 2016

Additional Materials:


Office of Inspector General
Tonya R. Ford
(202) 512-5748


This is a publication by GAO's Inspector General that concerns internal GAO operations. Our audit objective was to assess GAO’s compliance with its policies and procedures regarding media sanitization, and to determine whether laptops and BlackBerrys ready for disposal were appropriately sanitized.

What OIG Found

GAO employees rely heavily on information technology to support the Congress in meeting its constitutional responsibilities and to help improve the performance and ensure the accountability of the federal government for the benefit of the American people. When GAO information technology equipment is obsolete or no longer usable, it is important that the data stored on electronic media such as hard drives, disks, and embedded memory, cannot be retrieved or reconstructed after it has left GAO.
Special handling and controls are required to prevent the unauthorized access, use, or disclosure of sensitive GAO data, including personally identifiable information, to anyone without an official need-to-know. Such a breach could pose significant risks to GAO by reducing public trust, creating legal liabilities, or seriously harming individuals—leading to problems such as identity theft, blackmail, or embarrassment. An effective electronic media disposal process includes tracking and properly securing media, and applying effective media sanitization techniques where data is irreversibly removed from media or the media is permanently destroyed.
To achieve our audit objective, we identified and reviewed applicable policies, procedures, and best practices. We also interviewed staff within GAO’s Information Systems and Technology Services Customer Relations and Engineering and Operations groups and Property Branch. In addition, we tested laptops and BlackBerrys ready for disposal to determine if any readable data remained on the devices.
We determined that GAO policies and procedures for removal of sensitive data from excessed information technology equipment were effectively designed and implemented. Therefore, we are not making recommendations for corrective action. We shared our findings with GAO and obtained oral comments regarding our assessment of its compliance with media sanitization standards, which we incorporated, as appropriate.


Jul 17, 2018

May 22, 2018

May 21, 2018

Mar 26, 2018

Nov 22, 2017

Nov 9, 2017

May 23, 2017

Mar 9, 2017

Dec 20, 2016

Dec 16, 2016

Looking for more? Browse all our products here