
IT Security - Disposal of Media

Date Instituted: May 18, 2012

Introduction

Centenary College has increasing amounts of electronic data that are being transmitted and stored on computer systems and electronic/magnetic media by virtually every person conducting business for the College. Some of that data contains sensitive information, including student records, personnel records, financial data, and protected health information. If the information on those systems is not properly removed before the equipment is disposed of, that information could be accessed and viewed by unauthorized individuals. This would breach the Information Security Policy we have outlined. As such, all users of computer systems within Centenary College, including contractors and vendors with access to Centenary College systems, are responsible for taking the appropriate steps, as outlined below, to ensure that all computers and electronic/magnetic media are properly cleansed before disposal.

Definitions:

Media, as termed within this policy, will be defined as:

Any electronic or magnetic storage device that is used to record information, including, but not limited to, hard disks, magnetic tapes, compact discs, digital video discs, videotapes, audiotapes, and removable storage devices such as USB drives, and in some cases, printed materials, if they contain confidential information.

Confidential Information, as termed within this policy, will be defined as:
Important and sensitive material. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate need for access. Examples of confidential information include, but are not limited to: system passwords or encryption keys, financial records, proprietary information, human resource or personnel records, student records, and patient records.

Options for disposal: 

All media that contains confidential information should be overwritten a minimum of three times with software designed to "zero out" media tracks or destroy data. Physical destruction of the media is also acceptable, such as breaking CDs and DVDs and shredding any written or printed materials that may contain confidential information. The helpdesk, located on the 2nd floor of the Seay building, is also available to take the media and destroy it for you. You can bring any media to the helpdesk employees or an InfoSec member and they will complete the data destruction process for you.

Other options:

Some data disposal companies can be utilized to remove or destroy any media/data. This is not recommended as the helpdesk technicians will provide this service free of charge, but it is an option.

What to avoid when destroying data/media:

  • Do not burn electronic/magnetic media; there are certain chemicals and plastics that are contained in some media that are harmful if inhaled when burned.
  • Do not rely on removing a partition, formatting a drive, or using the recycle bin. While these options will un-allocate drive space and allow the data stored in certain locations to be overwritten, they are not a sufficient means of data destruction. There are many recovery tools that can be employed to recover data that has been removed in this fashion. Even re-installing your operating system is not enough to permanently destroy certain data. For questions regarding data destruction, please contact the helpdesk at extension 2000.

Procedure:

All media that may contain confidential information must be properly sanitized before being discarded. Methods used will depend on the media type.

Magnetic Media:

Where data destruction is needed for a piece of media that, unlike paperwork or a CD, cannot simply be broken or shredded, the media should be brought to the helpdesk staff on the 2nd floor in the Seay building. There a helpdesk technician will complete the data destruction process for you.

Electronic Media/confidential paperwork:

Electronic media (CDs, DVDs, USB drives, etc.) can simply be broken to render them useless in a computer or player. With confidential paperwork, it is recommended that a shredder with a cross shred pattern be used. This is also sometimes known as a confetti shredder (it turns the paper into small unreadable squares by slicing it with both horizontal and vertical cuts). Where some electronic media needs to be reused, such as a USB drive, you may follow the disposal of hard drives guidelines outlined below.

Disposal of hard drives:

Prior to being discarded, all HDDs should be wiped using a minimum of a 3-pass sweep as listed above. After proper sanitization of the media, the HDD should be properly recycled. Please do not throw this waste in the trash. The HDD may also be reused if needed; the 3-pass sweep will destroy all of the data. In some cases where the information contained within the media is considered highly confidential, such as student medical records, a second 3-pass sweep can be used to overwrite the drive again before use.

Transfer of hard drives within a department:

Before a hard drive is transferred from the custody of its current owner, appropriate care must be taken to ensure that no unauthorized person can access data by ordinary means. All electronic media should be sanitized per standards; however, since the drive is remaining within the department, the hard drive may instead be formatted prior to transfer. Special recovery tools must be used by an individual to access the data erased by this method; any attempt by an individual to access unauthorized data would be viewed as a conscious violation of both the Centenary College Information Security Policy and the Centenary College Computer Use Policy.

Sending a hard drive out for repair or for data recovery:

The vendor repairing or recovering data on the hard drive must sign an appropriate agreement with Centenary College, ensuring that the vendor will take proper care of the data. Once data is recovered or the hard drive is repaired, the original hard drive must be returned to the owner so that the owner can dispose of it per this Centenary College policy for proper disposal of hard drives.

Disposal of damaged or inoperable hard drives:

The owner, or the helpdesk technician assisting the owner, must first attempt to overwrite the hard drive in accordance with the procedures above. If the hard drive cannot be overwritten, the hard drive must be disassembled and mechanically damaged so that it is not usable by a computer.

Violation of Policy:

If there is a reasonable basis to believe that the proper procedures as outlined in this policy have not been or are not being followed, a report must be filed with the CIO. If improperly sanitized electronic or magnetic media is found, then the media should be reported to the Office of Information Technology. Any employee found to have violated this policy may be subject to disciplinary action, including, but not limited to, termination under the appropriate Centenary College disciplinary policy.