3.2.9 Computer Media Disposal
Purpose
The purpose of this procedure is to provide guidelines for the proper disposal of computer media (computer desktops, laptops, tablets, hard drives, and other storage devices). Piedmont University may store sensitive information on computer hard drives and other forms of electronic media. As this media reaches the end of its useful life, sensitive information on the media must be destroyed appropriately.
Procedure
Improperly disposing of computer media may expose the college to security breaches and inappropriate information disclosure risks.
- General
The transfer or disposal of data processing equipment, such as computers and computer media, shall be controlled and managed according to the latest National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization. Simply deleting the data and/or formatting the disk does not prevent individuals from restoring data. Sanitization of the media removes information so that data recovery using standard techniques or analysis is significantly reduced or prevented.
- Data Disposal Procedures
All computer desktops, laptops, tablets, hard drives, and other storage devices that contain college data must be processed through the Office of Information Technology (OIT) for proper disposal.
OIT shall ensure processes and/or procedures exist and are followed that:
- Address the evaluation and disposal of sensitive information, hardware, and electronic media regardless of media format or type.
- Specify procedures for making sensitive information unusable and inaccessible. These procedures should specify the use of technology (e.g., software or special hardware) or physical destruction mechanisms to ensure that sensitive information is unusable, inaccessible, and unable to be reconstructed.
- Authorize personnel to dispose of sensitive information or equipment. Such procedures may include shredding, incinerating, or pulping hard copy materials so that sensitive information cannot be reconstructed. Approved disposal methods include the following for electronic media (such as physical disks, tape cartridges, CDs, flash drives, printers, copier hard drives, etc.).
- Physical Destruction – implies the destruction of media through crushing or disassembling the asset and ensuring no data can be extracted or recreated.
IT documentation, hardware, and storage used to process, store, or transmit Restricted or Sensitive information shall not be released into general surplus until it has been sanitized and all stored information has been cleared using one of the above methods.
Data processing equipment that accesses, stores, processes, transmits, or receives sensitive data may only be sent to sanitization, disposal, or destruction service providers who have agreed, in writing, to:
- Maintain the confidentiality of information.
- Destroy, sanitize, or return any equipment or components that are still capable of storing information in accordance with college policy.
- Account for each asset to the point of sanitization or destruction and disposal.
- Certify that it has disposed of the asset in accordance with the requirements of this policy.
- Audit Controls and Management
Documented procedures and evidence of practice should be in place for this administrative procedure.
- Enforcement
Employees found in policy violation may be subject to disciplinary action.
- Reference
Data Classification and Handling
SP 800-88 Rev. 1, Guidelines for Media Sanitization | CSRC (nist.gov)