Appendix
Sidebar
Table of Contents
Questions?
Please use the contact section in the governing policy.
Objective
To prevent unauthorized access to University information, data must be permanently erased from devices (e.g., computer, server, laptop, multi-function printer, medical equipment, cell phone, etc.) or storage media (e.g., CD, thumb drive, workstation/server hard drives, etc.) prior to transfer, obsolescence, or retirement of hardware. Effective media sanitization requires reasonable efforts to prevent recovery of residual stored data on the media. Paper containing University information must also be securely disposed of.
Security Controls
Media Sanitization
The following table defines the baseline security controls for media sanitization.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| MS.A.01 | Device/media is leaving the unit: use a secure wiping tool to clear/overwrite the data in accordance with industry-accepted methods for the media or use the University approved disposal vendor | Required 1 | Required | Required |
| MS.A.02 | Device/media is leaving the University: physically destroy the hard drive or request physical destruction from the University approved disposal vendor | Required | Recommended | Optional |
| MS.A.03 | Device/media is remaining under the unit's control: use a secure wiping tool to clear/overwrite the data in accordance with industry-accepted methods for the media | Required | Required | Recommended |
| MS.A.04 | Crosscut shred, incinerate, or pulp paper materials containing private- highly restricted or private-restricted data | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| MS.A.05 | Physically secure storage bins holding paper materials containing private-highly restricted or private-restricted data (e.g., locked office) | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| MS.A.06 | Periodically review media sanitization procedures (suggest: annual) | Required Effective July 2019 | Recommended | Recommended |
| MS.A.07 | Document and retain a record of electronic data removal/destruction | Required | Required Effective July 2019 |
Optional |
1Secure wiping/clear of data is optional if you maintain chain of custody for the hard drive until an approved disposal vendor accepts the hard drive for physical destruction.
Resources Covered
This standard applies to IT resources owned or contracted by the University. This also applies to personally owned devices authorized to store University data designated as private-highly restricted or private-restricted.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Media Sanitization
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to media sanitization.
Published Date
November 2014
Last Reviewed
April 2019