III-5a Media Sanitization Procedure

Approved by: Office of the President
Date approved by President or Board of Trustees: November 30, 2009
Effective date: November 30, 2009
Responsible Official: UTech Security and Policy
Responsible University Office: UTech Security and Policy
Revision History: 2
Related legislation and University policies: None
Review Period: 3 Years
Date of Last Review: July 26, 2024
Relates to: Faculty, Staff

Summary

Media, both electronic and paper format, contains Institutional Data, and must be protected from unauthorized access. This policy is to establish standard risk protocol for the cleanup of data storage media (e.g. hard drives) in desktop, laptop, and server computer hardware prior to system decommissioning or donation.

Purpose

The desired outcome of the procedure is to provide documented assurance that any data classified as "Internal Use Only" or "Restricted" do not persist on decommissioned computer hardware or data storage media. Note that university-contracted computer recycling vendors also follow an accepted data purge procedure.

Before purging data from desktops or laptop computers in key business areas (e.g. HR, Finance, etc.) contact University Counsel to determine if a litigation hold exists for any data in the referenced computer or IT system. Devices and media under Litigation Hold should be retained and stored with UTech Security and Policy Office directions. Continue with the procedure if no hold exists

Institutional Data classified as Internal Use Only OR Restricted must be permanently erased or purged from devices (e.g., computer, server, laptop, multi-function printer, medical equipment, cell phone, digital communications equipment) or storage media (e.g., CD, USB drive, workstation/server hard drives, external hard drives) prior to transfer within the university or other disposition. Effective media sanitization requires the application of certified techniques to prevent recovery or reconstruction of residual stored data on the media appropriate to the classification level of the data and type of media.

In instances where secure erasure is not possible (e.g., hard drive is inoperable), storage media should be physically destroyed using a NIST 800-88 certified physical destruction method. CWRU UTech maintains a contract with a third-party vendor, which units can use, for a fee, to physically destroy hard drives and receive a Certificate of Sanitization/Physical Destruction. Units are strongly discouraged from attempting to physically destroy storage media themselves.

Definitions

Sanitization: the erasure, overwriting, or destruction of storage media to the extent that data cannot be recovered using normal system functions or software data recovery utilities.

MAC address: the machine access code programmed into each network card or interface which identifies a computer on the CWRU network.

IP address: the internet protocol address for the computer.

Litigation hold: also known as a legal hold. A directive from Office of General Counsel to preserve all forms of potentially relevant information when litigation is pending or reasonably anticipated that suspends the normal disposition or processing of records, such as backup tape recycling, archived media, and other storage and management of documents and information.