Data Destruction and Media Sanitization Standard

Standard Number: 1.11.2.1.4
Category: Information Security
Owner: Information Technology Services
Effective: February 4, 2021
Revision History: None
Review Date: February 3, 2024

1. Purpose, Scope, and Responsibilities
   

   1. Pursuant to the Information Security Policy, the University will sanitize all University Devices whose use will be discontinued at the University to prevent Unauthorized Access, the disclosure of Sensitive Data, and facilitate the removal of University-licensed software.
   2. The purpose of this Standard is to establish the minimum sanitization requirements pertaining to data, storage media, and/or device(s). This Standard is based on NIST 800-88: Guidelines for Media Sanitization.
   3. This Standard applies to University Devices (e.g., computer, server, laptop, networking equipment, printer, medical equipment, smartphone), Internet of Things devices, and/or storage media (e.g., CD, USB drive, workstation/server hard drives, solid state drives, external hard drives) being transferred within or outside of the University, disposed of, recycled, or obsolesced. This Standard does not apply to peripheral equipment that does not feature onboard storage such as keyboards, mouse, and projectors.
   4. Information Security Services (“ISS”) is responsible for the implementation and maintenance of this Standard. Any questions regarding this Standard should be directed to ISS.
   5. Academic and administrative unit IT staff are responsible for sanitizing University Devices prior to reuse or transferring to another department/unit as well as removing University-licensed software prior to turning device over to the University electronics recycling vendor.
   6. The contracted University electronics recycling vendor is responsible for sanitizing University Devices that it collects and providing an associated certificate of completion.

2. Data Destruction

   1. University Data in hard copy format must be destroyed according to the University Record Retention Policy and Schedule in one of the following ways:
      1. Shred paper documents using a cross-cut shredder that produces particles no larger than 1 mm x 5 mm; or,
      2. Pulverize/disintegrate paper documents using a disintegrator device equipped with a 2.4 mm (or smaller) security screen.
   2. Physically secure storage bins containing Sensitive Data paper materials that are to be recycled by locking the bins or securing the bins in a locked room.

3. Device Sanitization

   1. Pursuant to the University-Owned Device Standard, all University Devices must be returned to the academic or administrative unit IT staff when no longer being used. Discarding University Devices directly through the Surplus Redistribution Center is strictly prohibited.
   2. University Devices must either be sanitized or relinquished to the contracted University electronics recycling vendor. Only academic or administrative IT staff are authorized to relinquish University Devices to the electronics recycler.
   3. University Devices transferred within or outside of a department or college must be sanitized prior to transfer according to the Sanitization Requirement identified in attached appendices. Questions related to sanitization requirements within the appendices should be directed to Information Security Services at infosec@mail.wvu.edu.
   4. University Devices that will be relinquished to the recycling vendor must be removed from the University’s asset inventory per the SCCM Asset Removal Procedure.
   5. Because flash memory operates fundamentally differently from magnetic media, overwriting does not necessarily clear all the data. For the proper sanitization of flash memory, invoking special data purge commands built into the SSD hardware is the best approach. See appendices.
   6. Multifunction office devices (e.g., fax machines, copiers) that retain data on the a hard drive must also be sanitized or destroyed prior to disposition.
   7. University copiers and fax machines provided through Managed Printing services do not store data internally and do not require sanitization by academic or administrative unit IT staff prior to being relinquished to Managed Printing by a department.

4. Definitions

   1. “University Device” means laptops, computers, notebooks, tablets, and smartphones owned by the University that are used to collect, store, access, transmit, carry, use, or hold any University Data whether during or outside of normal working hours and whether it is used at a normal place of work or not.
   2. “Internet of Things” means any physical object embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Campus Network.
   3. “Purge” means to permanently erase and remove data from a storage space.
   4. “Sanitization” means the process of irreversibly removing or destroying data stored on a memory device or in hard copy form.
   5. “University Data” means anything that contains information regarding the University made or received in connection with its operations, regardless of whether it is a hard copy or electronic, and includes, but is not limited to, written and printed matter, books, drawings, maps, plans, photographs, microforms, motion picture films, sound and video recordings, e-mails, computerized or other electronic data on hard drives or network drives, or copies of these items.
   6. “University Licensed Software” means software that has been licensed exclusively to the University for use on University-owned devices.
   7. “University Information System” means an application or software that is used to support the academic, administrative, research, and outreach activities of the University, whether operated and managed by the University or a third-party vendor.

Related Documents

• Acceptable Use of Data and Technology Resources Policy
• University Owned Devices Standard
• WVU Policy G-1 Record Retention Policy & Schedule
• SCCM Asset Removal Procedure
• NIST SP 800-88: Guidelines for Media Sanitization