Media Sanitization and Disposal Policy
Issued August 25, 2009
Table of Contents
.030 Effective Date
The purpose of this policy is to protect University Data from unauthorized disclosure. This policy defines the requirements for ensuring University Data are permanently removed from media before disposal or reuse, a process called "media sanitization," and properly disposing of media. The reuse, recycling, or disposal of computers and other technologies that can store data pose a significant risk since data can easily be recovered with readily available tools - even data from files that were deleted long ago or a hard drive that was reformatted. Failure to properly purge data in these circumstances may result in unauthorized access to University Data, breach of software license agreements, and/or violation of state and federal data security and privacy laws.
This policy applies to all university colleges, departments, administrative units, and affiliated organizations.
This policy became effective July 24, 2009.
The State of Kansas, ITEC Information Technology Policy 7900: Enterprise Media Sanitization and Disposal Policy requires all state agencies, including Regents' institutions, to "establish policies and procedures for the sanitization of all media including hard copy and electronic." It also instructs Regents' institutions to use "the guidelines contained in NIST Special Publication 800-88 or an approved established industry best practice for higher education technical environments or institutions."
The Health Insurance Portability and Accountability Act of 1996 specifies requirements for disposal, media reuse, and accountability for electronic protected health information.
The Internal Revenue Service (IRS) Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies, specifies security controls for protecting the confidentiality of Federal Tax Information that includes media reuse and disposal.
To prevent unauthorized disclosure of University Data, media leaving control of the responsible department and destined for reuse or disposal must have all University Data purged in a manner that renders the data unrecoverable.
Media that will be reused within the department should likewise have all University Data purged to prevent unauthorized disclosure.
Media containing University Data authorized by the appropriate administrative head for transfer to individuals or organizations outside the University are exempt.
- Affiliated Organization
- Any organization associated with the University that uses university information technology resources to create, access, store or manage University Data to perform their business functions.
- Confidential Data
- Highly sensitive University Data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. See K-State's Data Classification and Security Policy for an expanded definition and examples.
- Demagnetizing magnetic storage media like tape or a hard disk drive to render it permanently unusable. Since the media typically can no longer be used after degaussing, it should only be used to purge data from media that will be discarded.
- A physically destructive method of sanitizing data; the act of separating into component parts.
- Health Insurance Portability and Accountability Act of 1996 that among other things established standards for the security and privacy of human health-related information.
- A physically destructive method of sanitizing media; the act of burning completely to ashes.
- Internal Data
- University Data intended for internal University business use only with access restricted to a specific workgroup, department, group of individuals, or affiliates with a legitimate need. See K-State's Data Classification and Security Policy for an expanded definition and examples.
- Material on which data are or may be recorded, such as magnetic disks or tapes, solid state devices like USB flash drives, optical discs like CDs and DVDs, or paper-based products.
- Media sanitization
- The process of removing data from storage media such that there is reasonable assurance that the data may not be retrieved and reconstructed.
- Public Data
- University Data explicitly or implicitly approved for distribution to the public without restriction. See K-State's Data Classification and Security Policy for an expanded definition and examples.
- A physically destructive method of sanitizing media; the act of grinding to a powder or dust.
- A media sanitization process that removes all data and any remnant of the data so thoroughly that the effort required to recover the data, even with sophisticated tools in a laboratory setting (i.e., a "laboratory attack"), exceeds the value to the attacker. A common method of purging data is to overwrite it with random data in three or more passes.
- University Data
- Any data related to Kansas State University ("University") functions that are a) stored on University information technology systems, b) maintained by K-State faculty staff, or students, or c) related to institutional processes on or off campus. This applies to any format or media (in other words, it is not limited to electronic data).
.070 Roles and Responsibilities
The local department is responsible for ensuring that University Data are properly removed or destroyed from media before it leaves the control of the department for reuse or disposal.
.080 Implementation Procedures
While the primary purpose of this policy is to protect non-public University Data (e.g., data classified either internal or confidential), it is often very difficult to separate these classifications from public or personal data on the media, or determine conclusively that remnants of non-public data are not recoverable. Therefore, it is often most expedient and cost effective to purge all University Data from the media before reuse or disposal rather than try to selectively sanitize the sensitive data.
Likewise, it is often most cost effective to physically destroy the media rather than expend the effort to properly purge data. However, if physical destruction is contracted to a third party outside the University, all University Data must be purged from the media before giving it to the third party.
Specific instructions for different types of media and regulations follow:
- Electronic Storage Media (hard disk drives in computers, external hard drives, USB flash drives, magnetic tapes, etc.)
- If purging is done by overwriting the data, the entire media/device must be overwritten with a minimum of three passes.
- Equipment that can store University Data, such as desktop and laptop computers or external hard drives, and is permanently leaving the control of the University should have all data storage devices removed before disposition. If the equipment leaving University control must retain the data storage devices, all University Data must be properly purged.
- The only acceptable methods for physically destroying a hard drive are shredding, pulverizing, disintegration, or incineration.
- Degaussing is an acceptable method of purging data from magnetic media. Be aware that this normally renders the media unusable.
- Paper-Based Media
- Any paper-based or other hard copy media containing confidential University Data must be shredded with a cross-cut shredder before disposal or transferred to an authorized third party contracted by the University for secure disposition of documents. The maximum particle size for paper-based media containing confidential data should be 1x5 mm (1/32"x1/5"). Media containing internal data should likewise be shredded with a cross-cut shredder if disclosure of the information contained therein might adversely impact the institution, an affiliated organization, or an individual. The maximum particle size for media containing internal data is 2x15 mm (1/16"x3/5").
- Incineration by methods compliant with all relevant health, safety, and environmental laws and regulations is an acceptable method for disposal of paper-based media.
- Optical Media (e.g., CDs and DVDs)
Optical media containing internal or confidential University Data must be physically destroyed before disposal. An appropriate method of physical destruction is shredding with a cross-cut shredder.
- Smartphones and other handheld devices
Mobile devices like Smartphones (e.g., Blackberry or Treo), MP3 players, and even cell phones, store information and often contain personal or other sensitive information. Any University Data must be purged from these devices before reuse or disposal, like any other storage media. It is also advisable to purge all other data from the device before reuse or disposal to protect your personal information.
- Other Media Types
For other media and additional guidelines, refer to NIST Special Publication 800-88, Revision1: Guidelines for Media Sanitization, Appendix A, Minimum Sanitization Recommendations.
- Export controls
Media containing University Data in equipment that will be reused outside the United States must comply with export laws and regulations according to K-State's Export Control Program.
- Electronic Protected Health Information
K-State units responsible for electronic protected health information covered by HIPAA must also have media sanitization and disposal policies and procedures in accordance with HIPAA Security Final Rules, Section 164.310, Physical Safeguards, part (d), (1) & (2).
- Federal Tax Information
K-State units handling Federal Tax Information must also have media sanitization and disposal policies and procedures in accordance with IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies.
- More Information
For more information about media sanitization and disposal, including suggested software tools for purging hard drives and other K-State-specific resources and procedures, see K-State's Media Sanitization and Disposal web site.
.090 Related Laws, Regulations, or Policies
- State of Kansas, ITEC Information Technology Policy 7900: Enterprise Media Sanitization and Disposal Policy
- K-State Data Classification and Security Policy
- NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization
- K-State Export Controls Program
- K-State Property Inventory Policy
- HIPAA Final Security Rules, Section 164.310, Physical Safeguards, part (d), (1) & (2)
- IRS Publication 1075: Tax Information Security Guidelines for Federal, State, and Local Agencies
The Vice President for Information Technology and Chief Information Officer (CIO) is responsible for this policy. The CIO or designee must approve any exception to this policy or related procedures. Questions should be directed to the Chief Information Security Officer (CISO).