SJSU Electronic Data Disposition Standard



Similar documents
Property Accounting Procedure Manual

The Importance of Organizing Your SJSU Information Assets

UMBC POLICY ON ELECTRONIC MEDIA DISPOSAL UMBC# X

Information Technology Services Guidelines

Introduction and Purpose... 2 Scope... 2 Auxiliary units Part-Time, Temporary faculty/staff, Volunteer, Contractor and Student Assistants...

IT Security Standard: Computing Devices

Standard: Network Security

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

Secure Data Destruction

ECONOMY WORKING DAYS STANDARD 3-8 WORKING DAYS

STANDARD 3-8 WORKING DAYS

SOAS Controlled Procedure CP-PP06 IT Asset Management Procedure

Other terms are defined in the Providence Privacy and Security Glossary

California State University, Sacramento INFORMATION SECURITY PROGRAM

Standard: Vulnerability Management and Assessment

MUSC Information Security Policy Compliance Checklist for System Owners Instructions

University of Liverpool

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

Office Equipment Disposal Policy

Purpose: To comply with the Payment Card Industry Data Security Standards (PCI DSS)

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

Standard: Retention

State of Vermont. Digital Media and Hardware Disposal Standard. Date: Approved by: Policy Number:

Policy for the Re-use and Disposal of Computers, other IT Equipment and Data Storage Media

Virginia Commonwealth University School of Medicine Information Security Standard

Protecting Data in Decommissioned IT Assets: Factors, Tools and Methods

HIPAA Training for Staff and Volunteers

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General

Protection of Computer Data and Software

Information Security Policy

University of South Wales Software Policies

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

How To Destroy Data From A Hard Drive

Data Security for ITAD, Corporate & Consumer Electronics

NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE NSA/CSS POLICY MANUAL Issue Date: 15 December 2014 Revised:

Saint Louis University Merchant Card Processing Policy & Procedures

Records Management. Objectives. With the person sitting next to you, Presented by: Rachel Martin. After this workshop, you ll be able to:

Dublin City University

Supplier Information Security Addendum for GE Restricted Data

PCI Data Security and Classification Standards Summary

Standard: Event Monitoring

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

SOUTH EASTERN SCHOOL DISTRICT

b. USNH requires that all campus organizations and departments collecting credit card receipts:

HIPAA Training for Hospice Staff and Volunteers

Montclair State University. HIPAA Security Policy

Fixed Asset Policy & Procedures. Content

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

Cyber Self Assessment

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

Record Retention and Disposal of College Records

Information Technology and Governance Committee

Walton Centre. Asset Management. Information Security Management System: SS 03: Asset Management Page 1. Version: 1.

Standard: Application Service Provider Security Requirements

INFORMATION SECURITY PROCEDURES. Maintaining the Security of Information throughout its Lifecycle

SOUTHWEST VIRGINIA COMMUNITY COLLEGE RECORDS MANAGEMENT POLICY

8.03 Health Insurance Portability and Accountability Act (HIPAA)

INFORMATION UPDATE: Removable media - Storage and Retention of Data - Research Studies

University for the Creative Arts. Mobile Working and Remote Access Policy

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

Garage Sale Forensics: Data Discovery Through Discarded Devices

Network and Workstation Acceptable Use Policy

Records & Information Management Policy

Information Security Policy

Asset Disposition and Data Destruction Solution

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

GUIDE TO: DATA RECOVERY & DATA DESTRUCTION SPONSORED BY

Standard: Information Security Awareness Training

HOWARD UNIVERSITY POLICY

Standard: Data Center Security

The guidance applies to all records, regardless of the medium in which they are held, including , spreadsheets, databases and paper files.

IT asset disposal for organisations

University of Hawai i Executive Policy on Data Governance (Draft 2/1/12)

MOUNT HOLYOKE COLLEGE. LITS Computer Replacement and Support Strategy for Faculty and Staff Computers

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

Technical Writing - The Perfect Research Paper

Form #57, Revision #4 Date 7/15/2015 Data Destruction and Sanitation Program. Mobile (ON-SITE) Data Destruction/Shredding Services

Developing a Records Retention Program

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

LEGAL HOLD OBLIGATIONS FOR DISTRICT EMPLOYEES

Service Instruction 0759: Destruction of Information Assets (Including Protectively Marked Information)

This policy is not designed to use systems backup for the following purposes:

INFORMATION SECURITY GUIDELINES

Information Technology Security Policies

Appendix 1 Payment Card Industry Data Security Standards Program

CD ROM, Inc Commercial Catalog. Destruction and Recycling Services

HIPAA Security Alert

Critical Data Guide. A guide to handling critical information at Indiana University

ARKANSAS TECH UNIVERSITY

INFORMATION SECURITY POLICY

HSCIC Audit of Data Sharing Activities:

Managing and Automating Data Erasure for Mobile Devices: STRATEGIES FOR RECYCLERS AND IT ASSET DISPOSAL SPECIALISTS

Version 1.0 MCGILL UNIVERSITY SCANNING STANDARDS FOR ADMINISTRATIVE RECORDS. Summary

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Secure Mobile Shredding and. Solutions

Administrative Policies and Procedures

BARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY

HIPAA Security. assistance with implementation of the. security standards. This series aims to

DePaul University Records Management Manual November 1, 2014

Transcription:

SJSU Electronic Data Disposition Standard Page 1

Executive Summary University data is at risk as long as it is persistently stored on electronic media. This means that data must be properly cared for during its entire lifecycle on campus, and properly disposed of prior to leaving campus. Electronic Data Disposition standard outlines the steps necessary for the proper storage, decommissioning, and destruction of electronic data. This standard applies to all electronic computing devices and storage media acquired by the University or its auxiliary organizations including devices purchased through auxiliary or research funding. A computing device is any electronic device capable of receiving and persistently storing direct user input including but not limited to workstations, servers, tablets, laptops, and smartphones. Storage media is defined as any device which can receive and persistently store electronic data including, but not limited to USB drives, external hard drives, internal hard drives, SSD s, DVD s, magnetic tapes, floppy disks, etc. Page 2

Information Security Standards SJSU Electronic Data Disposition Standard Standard # IS-EDDS Effective Date 11/10/2015 Email security@sjsu.edu Version 2.0 Contact Mike Cook Phone 408-924-1705 Revision History Date Action 11/20/2013 Reviewed: IT Management Advisory Committee, CISC, ITS Security Team 6/26/2013 Draft Policy Released 3/5/2015 Policy Reviewed Michael Cook 11/10/2015 Incorporated changes from campus constituents Distributed to Campus. Page 3

Table of Contents Executive Summary... 2 Revision History... 3 Date... 3 Action... 3 Introduction and Purpose... 5 Scope... 5 Standard... 5 Physical Placement... 5 Decommissioning and Data Disposition: Computing Devices... 5 Tools and Services... 5 Documentation... 6 Data Disposition Standard Management... 6 Page 4

Introduction and Purpose University data is at risk as long as it is persistently stored on electronic media. This means that data must be properly cared for during its entire lifecycle on campus, and properly disposed of prior to leaving campus. This standard outlines the steps necessary for the proper storage, decommissioning, and destruction of electronic data. Scope This standard applies to all electronic computing devices and storage media acquired by the University or its auxiliary organizations including devices purchased through auxiliary or research funding. A computing device is any electronic device capable of receiving and persistently storing direct user input including but not limited to workstations, servers, tablets, laptops, and smartphones. Storage media is defined as any device which can receive and persistently store electronic data including, but not limited to USB drives, external hard drives, internal hard drives, SSD s, DVD s, magnetic tapes, floppy disks, etc. Standard Physical Placement All computing devices and storage media containing confidential Level 1 or Level 2 data must be located in a space such that when unattended, one or more of the following controls are in place: 1. The device and/or media are protected by entry controls to ensure that only authorized personnel are allowed to access the space containing the device. 2. The device and/or media are secured in a controlled container. 3. The device and/or media are physically secured to permanent furniture or structures within the space. Decommissioning and Data Disposition: Computing Devices 1. Computing devices must be removed from the campus network in a timely manner when no longer in use. 2. System and network administrators must be notified of the computing device removal to ensure appropriate configuration changes to those systems and networks are made. 3. Disposition of a computing device and/or data must adhere to university asset management procedures. 4. Data stored on devices must be: a. Rendered unreadable before leaving the possession of the university. b. Rendered unreadable before transfer to another organization, either internal or external to the university, and prior to being reused or repaired. c. Kept in a location limited to authorized personnel while waiting to be processed to render the storage media unreadable. Tools and Services It is the responsibility of each department to ensure that data is rendered unreadable as part of the decommissioning process. All computing devices used to store Level 1, Level 2, or Level 3 information and all storage media which was used to store Level 1 or Level 2 information must be rendered unreadable using one of the following methods: 1. Campus Physical Media Destruction Service Page 5

a. IT Services shall accept delivery of equipment and dispose of data via a Physical Media Destruction service. Visit the Information Security Web Site for official procedures. 2. Software-based Department of Defense (DOD) approved Disk-Wiping *** Does not apply to Solid State Disk Drives (SSD), SSD s must be physically destroyed *** a. Darik s Boot and Nuke (DBAN) b. KillDisk c. Apple Disk Utility d. Mobile Device factory wipe feature e. Any other software package approved by the DOD 3. Other a. Must be performed by a hard drive shredding company or process approved by the Information Security Officer. Documentation Electronic media which was used to store confidential Level 1 and Level 2 data shall require documentation upon destruction. Departments utilizing Disk Wiping techniques shall self-certify destruction of the data. IT Services shall retain certificates for of all hard drives destroyed by the campus Physical Media Destruction Service. All departments shall create, or delegate creation to their IT support group, records containing: Manufacturer and serial number of device which was wiped (Hard Drive, USB Drive, tape, etc.) Tag, manufacturer, and serial number of the computer the device came from (where applicable) Date of destruction or delivery to IT Services Method of destruction (i.e IT Services, DBAN, KillDisk). Data Disposition Standard Management In accordance with CSU policies, the San José State Information Security Officer oversees an annual review of this Standard and communicates any changes or additions to appropriate SJSU stakeholders. The standard shall be updated as necessary to reflect changes in CSU policies, SJSU s academic, administrative, or technical environments, or applicable laws and regulations. The standard may be augmented, but neither supplanted nor diminished, by additional policies and standards. Page 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information