Skip to Content

Information Security Office
Policy Index
Information Asset Management
Disposal of Protected Data Process
Number: 8065.0 Revised: August 15, 2010

All confidential data stored on computers or other devices must be properly disposed of and/or protected when computers and devices are removed from service and/or re-purposed.  The disposal or repurposing process must identify all Level 1 and Level 2 data present, utilize the disposal and repurposing processes indicated below, log the disposal and repurposing process, and make logs available for review by the ISO or his designee(s).  All disposed computers and other devices must be certified to be free of level 1 and level 2 data, prior to disposal.

Responsibilities

Users: are responsible for ensuring that all devices containing confidential data are disposed of or repurposed in conformance with this standard. Users are encouraged both inform their managers of the need to dispose of devices and data and to seek assistance from the Office of the ISO.

Local IT Staff Members: are responsible for logging the decommissioning and repurposing of all computers and devices in their area(s) of responsibility and for delivering decommissioned computers and devices to the IRT Hardware and Software Support Group for disposal.

IRT Hardware and Software Support Group: is responsible for the formal decommissioning, repurposing and logging of all devices within IRT’s areas of responsibility, as well as for the disposal of all decommissioned devices campus-wide.  Contact IRT Hardware/Software Support at 278-2470.

Information Security Office: is responsible for auditing all logs related to data destruction, device repurposing, and device disposal. All devices and data subject to active litigation holds or other legal processes will be logged and retained only by the Information Security Office; contact 278-1998.

Process for Repurposing Devices

All repurposed systems must first be cleaned of confidential data using approved software from the list below. Appropriate drive sectors containing confidential data must be overwritten by the approved software a minimum of three times, using approved overwrite procedures.  The Information Security Office recommends seven such passes to render the data completely unrecoverable. This process must be completed by an IT staff member who has completed appropriate training under the direction of the Information Security Office and must be logged. Contact the Information Security Office at 278-1998 for assistance.


Approved Software

Requirements to be cleaned

Dban

1 passes minimum  – Number of passes must be logged

Secure Erase

1 passes minimum – Number of passes must be logged

KillDisk

1 passes minimum– Number of passes must be logged

Decommissioning Devices

All devices that can share or store data must have all data and university licensed software removed prior to decommissioning or disposal. All decommissioned devices or devices to be disposed of must be delivered to the IRT Hardware and Software Support Group in Library 10, to ensure the devices are properly cleaned and logged during the decommissioning process.

The IRT Hardware and Software Support Group will ensure the delivered asset is cleaned of confidential data. In some cases the device may need to be physically destroyed, as using software alone will not adequately erase the data contents of the device.

Devices delivered to the IRT Hardware and Software Support Group must be logged using the device serial number or other unique identifiable code.  All devices must be stored in a locked secured location prior to cleaning and disposal, subject to use of a controlled access log that tracks when devices are entered or removed. Once a device has been successfully cleaned of all data, a tracking tag must be added to the device to note it has been successful sanitized.
Decommissioned devices shall only be disposed of through the green device recycling program administered by IRT.

Exception Handling

All exceptions to the above process for decommissioning and repurposing of devices containing confidential data must be approved in writing by the Information Security Officer.

Audit

Annually, the Information Security Office will perform random checks of the repurposing and decommissioning process to ensure the protection of confidential data.

Back to to Sacramento State Information Security Policy Website

Feedback/Questions/Comments