APPENDIX TO POLICY

Media Sanitization Standard

Objective

To prevent unauthorized access to University information, data must be permanently erased from devices (e.g., computer, server, laptop, multi-function printer, medical equipment, cell phone, etc.) or storage media (e.g., CD, thumb drive, workstation/server hard drives, etc.) prior to transfer, obsolescence, or when the hardware becomes no longer usable or needed. Effective Media Sanitization requires reasonable efforts to prevent recovery of residual stored data on the media.

Security Controls

Media Sanitization

The following table defines the baseline security controls for media sanitization.

| Control ID | Control Description | Security Level Status: High | Security Level Status: Medium | Security Level Status: Low |
|---|---|---|---|---|
| MS.A.01 | Device/media is leaving the unit: use a secure wiping tool to clear/overwrite the data or use the University approved disposal vendor | Required [1] | Required | Required |
| MS.A.02 | Device/media is leaving the University: physically destroy the hard drive or request physical destruction from the University approved disposal vendor | Required | Recommended | Optional |
| MS.A.03 | Device/media is remaining under the unit's control: use a secure wiping tool to clear/overwrite the data | Required | Required | Optional |
| MS.A.04 | Document and retain a record of the data removal/destruction | Required | Recommended | Optional |

[1] Secure wiping/clear of data is optional if you maintain chain of custody for the hard drive until an approved disposal vendor accepts the hard drive for physical destruction.

Resources Covered

This applies to IT resources owned or contracted by the University. This also applies to personally owned devices authorized to store University data designated as private-highly restricted or private-restricted.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

More information on Media Sanitization

Published Date

  • November 2014
