Media Sanitization Standard
Document Owner: Barb Montgomery, University Information Security
Document Approver: Brian Dahlin, University Information Security and Patton Fast, University Enterprise Architect
Effective Date: August 2010
Last Reviewed Date: March 2013
This document provides the University's standard for media sanitization and disposition of electronic media. This standard complies with the University of Minnesota Policy Securing Private Data, Computers and Other Electronic Devices, and is based on the principles of NIST 800-88 Guidelines for Media Sanitization and ISO/IEC 27002:2005 section 9.2.6 Secure Disposal or Re-Use of Equipment and section 10.7.2 Disposal of Media.
Sanitization refers to the general process of removing data, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. When devices (e.g., computer, cell phone, etc.) or storage media (e.g., CD, thumb drive, workstation/server hard drives, etc.) are transferred, become obsolete, or are no longer usable or needed, it is important to ensure that residual magnetic, optical, electrical, or other representation of data that is stored is not easily recoverable.
This standard applies to all University community members who access, use or handle the University's IT resources. A University community member is a student, faculty or staff member, University guest, volunteer, contractor, or employee of an affiliated entity.
This standard applies to all University IT resources, whether individually controlled, shared, stand-alone, or networked. It applies to all computers, electronic devices and communication facilities owned, leased, operated or provided by the University or otherwise connected to University resources. This includes but is not limited to networking devices, mobile devices, cell phones, wireless devices, personal computers, workstations, servers, printers, copiers, fax machines, thumb drives, removable media and any other associated peripherals. This standard also applies to all personally owned devices used to process or transmit University information or that are otherwise connected to University IT resources. Note: per University policy, University private data must be stored on University-owned computers unless a contract approved by an authorized University representative exists with the non-University business, person, or entity.
University units (e.g., campuses, departments, colleges, centers and programs) must follow these standards while connected to or using University IT resources. Each unit is responsible for security on its systems and may apply more stringent security requirements than those detailed here, provided these do not conflict with or lower requirements established by the Information Security Framework, University policies, applicable laws or contractual agreements.
Non-compliance with this standard must be reported to University Information Security (firstname.lastname@example.org). Individual University community members who do not comply with this standard may temporarily be denied access to University computing resources and may be subject to other penalties and disciplinary action including University discipline up to and including termination.
A non-compliant devices may be disconnected from the University data network and collegiate/departmental infrastructure until the device is brought into compliance.
Standard and Process
The department or individual directly responsible for the data or device is required to ensure that the data and licensed software is securely removed before transfer out of their control and that the sanitization process selected meets or exceeds the legal or regulatory requirements for the data stored. Examples of such transfers are: transfer to another department; public sale; donation; or scraping.
Factors that impact the media sanitization process include:
- Classification of data/information stored (e.g., public, private-restricted or highly restricted)
- License agreements for software installed
- Type of transfer or disposal
- Legal and regulatory requirements
Devices or media containing private-restricted or highly restricted information must be physically destroyed or the information must be destroyed, deleted or overwritten using tools or techniques to make the original information non-retrievable. Overwriting should at least consist of a single pass with an industry standard and validated media sanitization tool supporting overwriting with all zeroes or all ones.
The procedures for secure disposal of media containing sensitive information should be commensurate with the sensitivity of that information and its related risk. (e.g., with increased risk associated with loss of the data, the media should be physically destroyed). If the data classification is unknown, at a minimum you should consider the data classification as private-restricted.
For documentation/audit purposes, obtain a confirmation statement that all private-restricted or highly restricted data has been removed (See NIST 800-88, Appendix F for a sample form). Documentation should also be maintained when the media is disposed. University units determine where the documentation is stored.
In the following diagram the sanitization methods CLEAR and DESTROY are NIST 800-88 terminology. See NIST 800-88 for more detail.
- CLEAR - Use software or hardware products to overwrite storage space on the media with non-sensitive data. The security goal of the overwriting process is to replace written data with random data.
- DESTROY - There are many different types, techniques, and procedures for media destruction.
Campus technology support groups that perform media sanitization should provide the department or individual documentation (with identifying information like serial number and date) and a statement that the campus support group agrees to perform the media sanitization in conformance with University policy and assume responsibility for doing so. The University unit or individual is responsible for storing the documentation related to the media sanitization of the device. The campus technology support group must keep media in a secure location until properly sanitized.
The University of Minnesota has a contract for recycling and disposal of electronic media. See Resources and Tools section below.
For malfunctioning devices or media, work with your vendor to offer a "no return to vendor" option for malfunctioning media or a process to sanitize the media prior to leaving the University premises.
Resources and Tools