
University of Maryland Eastern Shore

UMES POLICY ON ELECTRONIC MEDIA DISPOSAL

 

Date:  August 2018


I.        PURPOSE

The purpose of this policy is to establish a standard for the proper disposal and transfer of electronic media containing sensitive and/or proprietary data. The disposal procedures used will depend upon the type and intended disposition of the media. Electronic media may be scheduled for reuse, repair, replacement, or removal from service for a variety of reasons and disposed of in various ways as described below.


II.      POLICY STATEMENT

Increasing amounts of electronic data are being transmitted and stored on computer systems and electronic media by virtually every person conducting business for UMES. Some of that data contains sensitive and/or proprietary information, including student records, personnel records, financial data, research data, intellectual property (including unpublished research), and protected health information and software. Software licensed to UMES may not be transferable outside UMES. If the information on those systems is not properly removed before the equipment is disposed of or transferred, that information could be accessed, viewed or used by unauthorized individuals.

As such, all users of computer systems within UMES, including contractors and vendors with access to UMES systems, are responsible for taking the appropriate steps, as outlined below, to ensure that all computers and electronic media containing sensitive and/or proprietary information are properly sanitized before disposal or transfer. Electronic Media is defined as any electronic storage device that is used to record information, including, but not limited to, hard disks, external hard drives, magnetic tapes, compact disks (CD), digital video disks (DVD), videotapes, audiotapes, and removable storage devices such as floppy disks, zip disks and thumb drives.


III.      APPLICABILITY AND IMPACT STATEMENT

All academic and administrative units of the UMES community.


IV.        CONTACTS

Direct any general questions about this University Policy first to your department’s administrative office. If you have specific questions, call the following offices:


Subject                                     Contact                              Telephone               Email

Policy Clarification                    UMES IT                              410-651-8068          jrsmith@umes.edu


V.        PROCEDURES

A.        Hard Drives

Prior to disposal or transfer, hard drives must be Cleared, Purged or Destroyed in accordance with the methods described within this policy.


1.    Transfer of Hard Drives

a.    Intra-departmental: Transfer of hard drives within a department. Before a hard drive is transferred from the custody of its current owner, appropriate care must be taken to ensure that no unauthorized person can access data by ordinary means. Since the drive is remaining within the department, the hard drive may instead be cleared prior to transfer. Special recovery tools must be used by the department of Information Technology (IT) to access the data erased by this method; any attempt by an individual to access unauthorized data would be viewed as a conscious violation of state or federal regulations and the UMES Acceptable Use Policy.

b.    Inter-departmental: Transfer of hard drives to another department. Before a hard drive is transferred from the custody of its current owner, appropriate care must be taken to ensure that no unauthorized person can access data by ordinary means. All electronic media should be purged in a manner described above. The Department of Information Technology should be contacted for assistance with this transfer.


2.   Warranty Replacement of Hard Drives

Hard drives containing Sensitive data shall not be released from the UMES owner’s possession unless the data contained within the hard drive has been purged or destroyed in accordance with this policy.


3.   Recovery of Hard Drives

Sending a hard drive out for data recovery: The vendor recovering data on the hard drive must sign an appropriate contractual agreement, which must be approved by campus legal, ensuring that the vendor will take proper care of the data. Once data is recovered, the original hard drive must be returned to the owner so that it can be disposed of per this UMES policy for proper disposal of electronic media. This is only done with the approval of the Vice President of Administration and the CIO. Please contact IT for assistance.


4.   Disposal of Damaged or Inoperable Hard Drives

Campus technology users should contact the Office of Information Technology for assistance. IT will determine if data can be saved or if the media must be destroyed. In the event that the hard drive must be destroyed, IT will contract with a certified vendor and ensure that the media is destroyed properly.


B.        Disposal of Electronic Media Other Than Hard Drives

Prior to disposal or transfer, Electronic Media Other Than Hard Drives must be Cleared, Purged or Destroyed in accordance with the methods described within this policy.


1.   Transfer of Electronic Media Other Than Hard Drives

a.    Intra-departmental: Transfer of electronic media (other than hard drives) within a department. Before electronic media is transferred from the custody of its current owner, appropriate care must be taken to ensure that no unauthorized person can access data by ordinary means. Since the electronic media is remaining within the department, the electronic media may instead be cleared, if possible, prior to transfer. Special recovery tools must be used by an individual to access the data erased by this method; any attempt by an individual to access unauthorized data would be viewed as a conscious violation of state or federal regulations and the UMES Acceptable Use Policy.

b.    Inter-departmental: Transfer of electronic media (other than hard drives) to another department. Before electronic media is transferred from the custody of its current owner, appropriate care must be taken to ensure that no unauthorized person can access data by ordinary means. All electronic media should be purged, if possible, in a manner described above. If the electronic media cannot be purged, it may not be transferred to an external department.

2.   Disposal of Electronic Media Other Than Hard Drives Outside of UMES

All electronic media other than hard drives, containing sensitive or proprietary data, must be Purged or Destroyed before leaving UMES. The use of certified commercial disposal vendors may be accepted with prior approval by the office of the CIO and campus legal counsel.


C.        Violation of this Policy

If there is a reasonable basis to believe that the proper procedures as outlined in this policy have not been or are not being followed, a report must be filed with the Information Security Officer. If improperly sanitized electronic media is found, then the media should be reported to the appropriate departmental I.T. support personnel.


D.        Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, including but not limited to, termination under the appropriate University disciplinary policy.


VI.       DEFINITIONS

Electronic Media

Any electronic storage device that is used to record information, including, but not limited to, hard disks, external hard drives, magnetic tapes, compact disks (CD), digital video disks (DVD), videotapes, audiotapes, and removable storage devices such as floppy disks, zip disks, magnetic stripes on cards and thumb drives.

Electronic Media (Other Than Hard Drives)

Electronic Media, other than hard drives, refers to any electronic storage device that is used to record information, including, but not limited to, magnetic tapes, compact disks (CD), digital video disks (DVD), videotapes, audiotapes, and removable storage devices such as floppy disks, zip disks, magnetic stripes on cards, and thumb drives.

Sensitive Data

Sensitive and/or proprietary information, including personally identifying information, student records, personnel records, financial data, research data, intellectual property including unpublished research, protected health information and software.

Software licensed to UMES that may not be transferable outside UMES.

Clearing

Clearing information is a level of media sanitization that would protect confidentiality of information against a simple attack. Examples of this include, but are not limited to, a simple single pass format of the hard drive or deletion of data from removable media such as thumb drives. This level of sanitization does not prevent data from being retrieved using data recovery tools but it will prevent simple access to data. 

Purging

Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack (e.g. advanced data recovery software/tools) and will render the data unreadable.

Example: For hard drives this may include the use of a hard drive wiping utility that repeatedly “writes” random data to the hard drive, making data recovery impossible. Purging can also be accomplished through the use of degaussing of magnetic storage materials (e.g. hard drives and magnetic tapes).

Degaussing exposes magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. Generally, degaussing permanently renders the magnetic media unusable.

These processes should be performed in accordance with the NIST recommended standards.

Destroying

Destruction of media is the ultimate form of sanitization. After the media are destroyed, they cannot be reused as originally intended. Approved methods of destruction include Shredding, Disintegration, Incineration, Pulverization and Melting. The University encourages use of certified commercial disposal systems.


VII. DOCUMENTATION: NONE


VIII. RESTRICTIONS AND EXCLUSIONS: NONE


IX.  RELATED ADMINISTRATIVE POLICIES AND PROCEDURES:


National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization. Natl. Inst. Stand. Technol. Spec. Publ. 800-88, 41 pages (May, 2006)

 

 

Cabinet approval pending. 12/13/18




