Media sanitization and disposal
K-State’s Media Sanitization and Disposal policy defines the requirements for ensuring all University Data is permanently removed from media before disposal or reuse. A process called “media sanitization,” together with proper disposal of media, is used to prevent unauthorized disclosure. The reuse, recycling, or disposal of computers and other technologies that can store data poses a significant risk, since data can be easily recovered with readily available tools, even data from files that were deleted long ago or from a hard drive that was reformatted.
Failure to properly purge data may result in unauthorized access to University Data, breach of software license agreements, and/or violation of state and federal data security and privacy laws.
Why "delete" is not enough
Simply using the delete key or emptying items from the trash can or recycle bin does not completely delete these files or folders. The deleted files or folders are still stored on the computer in "unallocated space" and can easily be revealed with readily available data recovery tools. Not even reformatting the hard drive guarantees complete deletion of the data. The procedures described here and in the policy must be followed to ensure that the data cannot be recovered.
Procedures for sanitizing specific media devices:
University Data may be found on a wide variety of devices and media. Each requires special techniques in order to prevent recovery which could lead to unauthorized disclosure of University Data. In order to ensure compliance with the K-State media sanitization and disposal policy, procedures appropriate for each type of medium must be used. You will find more information about each of these items at the links below.
- Hard Drives and Tape Storage
- Removable Media (CDs, DVDs, and thumb drives)
- Paper-Based Media
- Smartphones and other handheld devices
K-State property disposition procedures
K-State’s Disposition of Property form now includes the following statement related to media sanitization:
"By signing this form, I certify that proper procedures have been followed to ensure that University data cannot be recovered from any data storage devices in any equipment listed above. This is in accordance with K-State's Media Sanitization and Disposal Policy."
K-State Recycling requires this form before it will accept computer equipment for recycling or disposal, so the signature on this form is their assurance that the responsible department has properly removed all University Data from any device that can store data.
What if the media will be re-used?
Computers are often transferred to another person in the department, sold to a different department in the university, or sold or donated to someone outside the university. Other data storage media like external hard drives and USB flash drives are often re-used by others as well. In all these cases, University Data should be purged before transferring the computer or device.
Even if the computer is staying within the same department, the hard drive should have all data purged since the recipient may not have the same data access authorizations (for example, if a faculty or staff computer is handed down to a graduate student office). This also helps ensure that any personal files belonging to the original user cannot be recovered.
See How to sanitize magnetic storage media on the Hard Drives and Tape Storage page for more information, especially the section on Removing hard drives from computers before disposal.
If the surplus computer is to be transferred to another entity for continued use, the license(s) for any software remaining on the computer, such as the operating system, must be transferable to the receiving department in order to maximize the value of the computer and ensure compliance with software license agreements. It is the responsibility of the transferring department to make sure no other copies are retained unless allowed by license agreements.
- K-State’s Media Sanitization and Disposal Policy
- NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization
- K-State Property Inventory Policy
- K-State's Data Classification and Security Policy
- State of Kansas, ITEC Information Technology Policy 7900: Enterprise Media Sanitization and Disposal Policy