
Information Security: Controls for Removing Sensitive Data from Select Media Devices Prior to Disposal Were Effective

OIG-17-1 Published: Nov 02, 2016. Publicly Released: Nov 02, 2016.



This is a publication by GAO's Inspector General that concerns internal GAO operations. Our audit objective was to assess GAO’s compliance with its policies and procedures regarding media sanitization, and to determine whether laptops and BlackBerrys ready for disposal were appropriately sanitized.

What OIG Found

GAO employees rely heavily on information technology to support the Congress in meeting its constitutional responsibilities and to help improve the performance and ensure the accountability of the federal government for the benefit of the American people. When GAO information technology equipment is obsolete or no longer usable, it is important that the data stored on electronic media, such as hard drives, disks, and embedded memory, cannot be retrieved or reconstructed after it has left GAO.
Special handling and controls are required to prevent the unauthorized access, use, or disclosure of sensitive GAO data, including personally identifiable information, to anyone without an official need-to-know. Such a breach could pose significant risks to GAO by reducing public trust, creating legal liabilities, or seriously harming individuals—leading to problems such as identity theft, blackmail, or embarrassment. An effective electronic media disposal process includes tracking and properly securing media, and applying effective media sanitization techniques where data is irreversibly removed from media or the media is permanently destroyed.
To achieve our audit objective, we identified and reviewed applicable policies, procedures, and best practices. We also interviewed staff within GAO’s Information Systems and Technology Services Customer Relations and Engineering and Operations groups and Property Branch. In addition, we tested laptops and BlackBerrys ready for disposal to determine if any readable data remained on the devices.
We determined that GAO policies and procedures for removal of sensitive data from excessed information technology equipment were effectively designed and implemented. Therefore, we are not making recommendations for corrective action. We shared our findings with GAO and obtained oral comments regarding our assessment of its compliance with media sanitization standards, which we incorporated, as appropriate.



Best practices, Data storage devices, Hard drives, Information security, Information technology, Laptops, Unauthorized access, Policies and procedures, Sensitive information, Sensitive data, Laptop computers, Personally identifiable information, GAO policies and procedures