To ensure that Confidential or Sensitive data is prevented from being passed to non-authorized individuals or entities when equipment is moved, removed from service, or otherwise disposed of, the following statements are provided to ensure equipment is properly managed throughout its lifecycle, including disposal.
When a device or computer that contains non-volatile storage is moved, removed from service, reallocated, or sent to Property and Inventory for disposal, steps must be taken to ensure that data on the
storage device(s) is removed using procedures that will make it reasonably difficult to recover or that
the non-volatile device (e.g. the hard drive) is removed from the system and destroyed.
Before a device is re-allocated or removed from service, OIT shall :
- If the device is to be re-allocated, the non-volatile media will be wiped clean using industry
standard tools to make sure the previous data is un-recoverable or difficult to recover without
extraordinary means. In some cases, if a risk analysis of the data on the non-volatile device
indicates the risk is too great for this process to be used, then the non-volatile device shall be
removed, destroyed and a complimentary, replacement non-volatile device shall be provided by
OIT at the cost of the department using the device. - If the device is to be disposed of by Property and Inventory, the non-volatile media will be wiped clean using industry standard tools to make sure the previous data is un-recoverable or difficult to recover without
extraordinary means. - If the non-volatile media is determined to contain content that would put the institution at unnecessary risk if the wiping standards mentioned above are deemed insufficient, OIT shall document the
serial number of the non-volatile memory device, the Property Tag number of the original
device and place it into a secure location designated for destruction. Certificates of destruction
will be kept on record by OIT for a minimum of 3 years after destruction of such devices.
This guideline applies to all persons and organizations that manage or utilize information technology
resources belonging to the SRSU.
Definitions
Non-volatile memory, nonvolatile memory, NVM or non-volatile storage is computer memory from which stored information can be retrieved even when not powered. Examples of nonvolatile memory include read-only memory, flash memory, ferroelectric RAM (F-RAM), most types of magnetic computer storage devices (e.g. hard disks, floppy disks, and magnetic tape), optical discs, and early computer storage methods such as paper tape and punched cards.
Authority and responsibility questions related to this guideline or to the appropriate use policy
statement should be addressed to the SRSU Chief Information Officer.