Media Disposition and Sanitation Procedure



Similar documents
Sensitive and Protected Data Management Procedure

UMBC POLICY ON ELECTRONIC MEDIA DISPOSAL UMBC# X

Guidelines for Media Sanitization

NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE NSA/CSS POLICY MANUAL Issue Date: 15 December 2014 Revised:

Technical Reference Document Summary of NIST Special Publication : Guidelines for Media Sanitization

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Destruction and Disposal of Sensitive Data

Tech Application Chapter 3 STUDY GUIDE

MEDIA SANITIZATION MANUAL

Management Challenge. Managing Hardware Assets. Central Processing Unit. What is a Computer System?

Information Technology Services Guidelines

Chapter 8 Memory Units

الدكتور عادل إسماعيل العلوي الجامعة الملكية للبنات البحرين نائب رئيس الجمعية الدولية لضبط ومراقبة نظم المعلومات

University of Wisconsin-Madison Policy and Procedure

Other terms are defined in the Providence Privacy and Security Glossary

Get rid of it Securely to keep it Private

Chapter 7 Types of Storage. Discovering Computers Your Interactive Guide to the Digital World

CITY UNIVERSITY OF HONG KONG. Information Classification and

Types Of Storage Device

Discovering Computers Chapter 7 Storage

CSCA0201 FUNDAMENTALS OF COMPUTING. Chapter 5 Storage Devices

Approved By: Agency Name Management

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

Guidelines for Media Sanitization

About this Tool Information Security for Residents...

CD ROM, Inc Commercial Catalog. Destruction and Recycling Services

Student Guide.

Digital Data Destruction D3 Services, Inc.

McGraw-Hill Technology Education McGraw-Hill Technology Education

Form #57, Revision #4 Date 7/15/2015 Data Destruction and Sanitation Program. Mobile (ON-SITE) Data Destruction/Shredding Services

Getting a new computer or smartphone is always exciting but do you know what to do with your old one?

Lexmark Printers and Multifunction Products: Hard Disk and Non-Volatile Memory Guide

Protecting Data in Decommissioned IT Assets: Factors, Tools and Methods

Office Equipment Disposal Policy

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

PCI Data Security and Classification Standards Summary

Guidance on Personal Data Erasure and Anonymisation 1

LSE PCI-DSS Cardholder Data Environments Information Security Policy

NCTE Advice Sheet Storage and Backup Advice Sheet 7

How To Store Data On A Computer (For A Computer)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Writing Assignment #2 due Today (5:00pm) - Post on your CSC101 webpage - Ask if you have questions! Lab #2 Today. Quiz #1 Tomorrow (Lectures 1-7)

HP FutureSmart Firmware Device Hard Disk Security

Computers. Hardware. The Central Processing Unit (CPU) CMPT 125: Lecture 1: Understanding the Computer

DIVISION OF INFORMATION SECURITY (DIS)

Information Security Plan effective March 1, 2010

Computer Storage. Computer Technology. (S1 Obj 2-3 and S3 Obj 1-1)

HIPAA Security Training Manual

HIPAA Security Policies and Procedures

Technical Proposal on ATA Secure Erase Gordon Hughes+ and Tom Coughlin* +CMRR, University of California San Diego *Coughlin Associates

Chapter 8. Secondary Storage. McGraw-Hill/Irwin. Copyright 2008 by The McGraw-Hill Companies, Inc. All rights reserved.

ECONOMY WORKING DAYS STANDARD 3-8 WORKING DAYS

UNCLASSIFIED. This page intentionally left blank. UNCLASSIFIED. Clearing And Declassifying Electronic Data Storage Devices (ITSG-06) ii July 2006

STANDARD 3-8 WORKING DAYS

With respect to the way of data access we can classify memories as:

Parts of a Computer. Preparation. Objectives. Standards. Materials Micron Technology Foundation, Inc. All Rights Reserved

Order. Directive Number: IM Stephen E. Barber Chief Management Officer

Handout 17. by Dr Sheikh Sharif Iqbal. Memory Unit and Read Only Memories

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Excerpt of Cyber Security Policy/Standard S Information Security Standards

Security for Disk Drive Data at Rest Disk Drive Opportunities?

Today we will learn about:

Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story

HIPAA Training for Hospice Staff and Volunteers

Understanding Data Destruction and How to Properly Protect Your Business

That s why outsourcing using a Qualified Contractor is the best solution to the problem of assuring a compliant hard drive destruction audit trail.

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

Price/performance Modern Memory Hierarchy

State of Vermont. Digital Media and Hardware Disposal Standard. Date: Approved by: Policy Number:

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

Primary Memory. Input Units CPU (Central Processing Unit)

Walton Centre. Asset Management. Information Security Management System: SS 03: Asset Management Page 1. Version: 1.

How To Protect Research Data From Being Compromised

a) Access any information composed, created, received, downloaded, retrieved, stored, or sent using department computers.

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)

TEST CHAPTERS 1 & 2 OPERATING SYSTEMS

CSCA0102 IT & Business Applications. Foundation in Business Information Technology School of Engineering & Computing Sciences FTMS College Global

Information Destruction Solutions

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 1 Introducing Hardware

Computer Basics: Chapters 1 & 2

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Module 1 Introduction to Information and Communication Technologies

Best Practices for Responsible Disposal of Tape Media

Information Security Policy

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

CHAPTER 3: HARDWARE BASICS: PERIPHERALS

Information Technology Acceptable Usage Policy

Credit Card Processing and Security Policy

Network and Workstation Acceptable Use Policy

Remote Working and Portable Devices Policy

MOBILE DEVICE SECURITY POLICY

Angard Acceptable Use Policy

Computer Components Study Guide. The Case or System Box

Huddersfield New College Further Education Corporation

Tomorrow s Technology and You

Main Memory & Backing Store. Main memory backing storage devices

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

RETENTION OF UNIVERSITY RECORDS

Transcription:

Media Disposition and Sanitation Procedure

Revision History Version Date Editor Nature of Change 1.0 11/14/06 Kelly Matt Initial Release

Table of Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 NIST Guidelines... 1 5.0 Information Protection and Media Disposition... 1 5.1 Primary Media Types... 1 Hard Copy:... 1 Electronic (or soft copy):... 1 6.0 Sanitization... 2 6.1 Sanitization Methods... 2 6.2 Sanitization Guidelines... 3 7.0 Enforcement... 8 8.0 Related Policies, Procedures, and Codes of Conduct.... 8

1.0 Overview Media disposition is a key element in assuring data confidentiality. Confidentiality is the ability to restrict access to information based on the value of the information. This includes protecting personally identifiable information. In order to provide appropriate controls on the information we are responsible for safeguarding, we must properly dispose of media in all forms. 2.0 Purpose This document aids in establishing clear guidelines for media disposition and sanitation. 3.0 Scope This Procedure applies to employees, contractors, consultants, temporary employees, and other workers at UNC including all personnel affiliated with third parties. 4.0 NIST Guidelines This procedure has been adapted for the University of Northern Colorado from the National Institute of Standards and Technology (NIST) Special Publication 800-88 Guidelines for Media Sanitization. The information and recommendations made in this document have drawn heavily on the guidelines set forth by the NIST special publication. This adaptation has been developed for internal use. The express intent of this document is to provide a simplified and tailored approach to manage and implement the NIST guideline within UNC. 5.0 Information Protection and Media Disposition In order for UNC to have appropriate controls on the information it is responsible for safeguarding, it must properly safeguard the media used. An often rich source of illicit information collection is through dumpster diving for improperly disposed hard copy media or through reconstruction of data on media not sanitized in an appropriate manner. Media flows in and out of an organizations control through recycle bins in paper form, out to vendors for equipment repairs, and hot swapped into other systems in response to emergencies. This potential vulnerability can be mitigated through proper understanding of where information is located, what that information is and how to protect it. 5.1 Primary Media Types Hard Copy: Hard copy media is physical representations of information. Paper printouts, printer, and facsimile ribbons, drums, and platens are all examples of hard copy media. These types of media are often the most uncontrolled. Information tossed into the recycle bins and trash containers exposes a significant vulnerability to dumpster divers, and overcurious employees, risking accidental disclosures. Electronic (or soft copy): Electronic media are the bits and bytes contained in hard drives, USB removable media, disks, memory devices, phones, mobile computing devices, networking equipment, and many other types listed in section 6.2. Media will continue to advance and evolve over time. The processes described in this document should guide media sanitization decision making regardless of the type of media in use. Page 1

6.0 Sanitization Several different methods can be used to sanitize media. Four of the most common are presented in this section. Individuals should assess the media to be disposed of and determine the future plans for the media. Then, using information in the tables below, decide on the appropriate method for sanitization. To facilitate secure disposition of electronic media UNC Information Technology provides a secure drop service in the basement of Carter Hall at the operator s window. Individuals can bring digital media to this area and for secure disposal. 6.1 Sanitization Methods Sanitization Methods Method Disposal Clear Purge Description Disposal is the act of discarding media with no other sanitization considerations. This is most often done by paper recycling containing non-confidential information but may also include other media. One method to sanitize media is to use software or hardware products to overwrite storage space on the media with non-sensitive data. This process may include not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. The security goal of the process is to replace written data with random data. Overwriting cannot be used for media that are damaged or not rewriteable. The media type and size may also influence whether is a suitable sanitization method. Two approved software tools are Secure Erase which can be download from the University of California, San Diego (UCSD) CMRR site or Eraser/DBAN a freeware tool that is readily available on the Internet. Degaussing and executing the firmware Secure Erase command (for ATA drives only) are acceptable methods for purging. Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media. Degaussing can be an effective method for purging damaged or inoperative media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes. Destroy There are many different types, techniques, and procedures for media destruction. Disintegration or Pulverization. These sanitization methods are designed to completely destroy the media. Shredding. Paper shredders can be used to destroy flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality that the data cannot be reconstructed. Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), and MO disks, must be destroyed by pulverizing or crosscut shredding. Page 2

6.2 Sanitization Guidelines The following table can be used to determine recommended sanitization of specific media. This recommendation should reflect the security categorization of the media to reduce the impact of harm of unauthorized disclosure of information from the media. Not all types of available media are specified in this table. If your media is not included in this guide, you should identify and use processes that will fulfill the intent to clear, purge, or destroy your media. Media Sanitization Decision Matrix Media Type Clear Purge Physical Destruction Hard Copy Storages Paper and microforms See Physical Destruction. See Physical Destruction. Destroy paper using cross cut shredders or pulverize. Destroy microforms (microfilm, microfiche, or other reduced image photo negatives) cross cut shredders or pulverize. Hand-Held Devices Cell Phones Manually delete all information, such as calls made, phone numbers, then perform a full manufacturer s reset to reset the cell phone back to its factory default settings. Contact the manufacturer for proper sanitization procedure. Personal Digital Assistant (PDA) (Palm, PocketPC, other) Manually delete all information, then perform a manufacturer s hard reset to reset the PDA to factory state. Contact the manufacturer for proper sanitization procedure. Networking Devices Page 3

Routers (home, home office, enterprise) Perform a full manufacturer s reset to reset the router back to its factory default settings. Contact the manufacturer for proper sanitization procedure. Equipment Copy Machines Perform a full manufacturer s reset to reset the copy machine to its factory default settings. Contact the manufacturer for proper sanitization procedure. Fax Machines Perform a full manufacturer s reset to reset the fax machine to its factory default settings. Contact the manufacturer for proper sanitization procedures. Magnetic Disks Floppies approved software and validate the overwritten data. Degauss ATA Hard Drives 1. Purge using Secure Erase. The Secure Erase software can be download from the University of California, San Diego (UCSD) CMRR site. 2. Purge hard disk drives by either purging the hard disk drive in an automatic degausser or by disassembling the hard disk drive and purging the enclosed platters with a degaussing wand. Degaussing any current generation hard disk will render the drive permanently unusable. Page 4

USB Removable Media (Pen Drives, Thumb Drives, Flash Drives, Memory Sticks) with Hard Drives 1. Purge using Secure Erase The Secure Erase software can be download from the University of California, San Diego (UCSD) CMRR site or Eraser. 2. Purge hard disk drives by either purging the hard disk drive in an approved automatic degausser or by disassembling the hard disk drive and purging the enclosed platters with an approved degaussing wand. Degaussing any current generation hard disk will render the drive permanently unusable.. Zip Disks Degauss using an approved degausser. Degaussing any current generation zip disks will render the disk permanently unusable. SCSI Drives Purge hard disk drives by either purging the hard disk drive in an approved automatic degausser or by disassembling the hard disk drive and purging the enclosed platters with an approved degaussing wand. Degaussing any current generation hard disk will render the drive permanently unusable. Page 5

Magnetic Tapes Reel and Cassette Format Magnetic Tapes Clear magnetic tapes by either re-recording () or degaussing. Clearing a magnetic tape by re-recording () may be impractical for most applications since the process occupies the tape transport for excessive time periods. Purging by Degaussing: Purge the magnetic tape in any degausser that can purge the signal enough to prohibit playback of the previous known signal. Clearing by Overwriting: Overwriting should be performed on a system similar to the one that originally recorded the data. All portions of the magnetic tape should be overwritten one time with known non-sensitive signals. Optical Disks CDs See Physical Destruction. See Physical Destruction. Destroy in order of recommendations: Removing the Information bearing layers of CD media using a commercial optical disk grinding device. Use optical disk media shredders or disintegrator devices. DVDs See Physical Destruction. See Physical Destruction. Destroy in order of recommendations: Removing the Information bearing layers of DVD media using a commercial optical disk grinding device. Use optical disk media shredders or disintegrator devices to reduce DVD into particles. Memory Compact Flash Drives, SD See Physical Destruction. Destroy media in order of recommendations. Dynamic Random Access Memory (DRAM) Purge DRAM by powering off and removing the battery (if battery backed). Page 6

Electronically Alterable PROM (EAPROM) Perform a full chip purge as per manufacturer s data sheets. Shred Disintegrate Pulverize Electronically Erasable PROM (EEPROM) Incinerate by burning in a licensed incinerator. Erasable Programmable ROM (EPROM) Clear media in order of recommendations. 1. Clear functioning EPROM by performing an ultraviolet purge according to the manufacturer's recommendations Incinerate by burning in a licensed incinerator. 2. Flash Cards agency Flash EPROM (FEPROM) Perform a full chip purge as per manufacturer s data sheets. Purge media in order of recommendations. 1. 2. Perform a full chip purge as per manufacturer s data sheets. Incinerate by burning in a licensed incinerator. PC Cards or Personal Computer Memory Card International Association (PCMCIA) Cards See Physical Destruction. See Physical Destruction. Destroy by incinerating in a licensed incinerator or use a disintegrator to reduce the card's internal circuit board and components to particles. RAM Purge functioning DRAM by powering off and removing the battery (if battery backed). Page 7

ROM See Physical Destruction. See Physical Destruction. USB Removable Media (Pen Drives, Thumb Drives, Flash Drives, Memory Sticks) without Hard Drives technologies/methods/tools Smart Cards See Physical Destruction. See Physical Destruction. For smart card devices& data storage tokens or cards packaged into tokens (i.e. SIM chips, thumb drives and other physically robust plastic packages cut or crush the smart card's internal memory chip using metals snips, a pair of scissors, or a strip cut shredder. Smart that are not capable of being shredded should instead be destroyed via incineration licensed incinerator or disintegration. 7.0 Enforcement Any person found in violation of Federal, State law or University policy, regulation or procedures is subject to loss of privileges, disciplinary action, personal liability and /or criminal prosecution. The University may block access to or remove a network connection that is endangering computing and or network resources or that is being used for inappropriate or illegal use. Information Technology will work with the Dean of Students, the UNC Police the academic deans and directors and others to enforce this policy. 8.0 Related Policies, Procedures, and Codes of Conduct. All applicable laws and University policies, regulations and procedures bind UNC students and employees. UNC Acceptable User Regulation Sensitive and Protected Data Management Page 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information