ROWAN UNIVERSITY POLICY
Title: Electronic Media Disposal Policy
Subject: Information Security
Policy No: ISO: 2013:04
Issuing Authority: Information Security Office - Chief Information Security Officer
Responsible Officer: Vice President for Information Resources and Chief Information Officer
Date Adopted: 07-01-2013
Last Revision: 06-01-2014
Last Review: 09-01-2014
The purpose of this policy is to establish a standard for the proper disposal of media containing electronic data. The disposal procedures used will depend upon the type and intended disposition of the media. Electronic media may be scheduled for reuse, repair, replacement, or removal from service for a variety of reasons and disposed of in various ways as described below.
Under the direction of the President, the Chief Information Officer and the Chief Information Security Officer shall implement and ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas as needed.
This policy applies to all members of the Rowan community who access and use the University's electronic information and information systems. This policy and Rowan's "Code of Conduct" also govern access and use of the University's electronic information and information systems originating from non-Rowan computers, including personal computers and other electronic devices. The access and use of electronic information provided by research and funding partners to Rowan is also governed by this policy.
The use of information systems acquired or created through the use of University funds, including grant funds from contracts between the University and external funding sources (public and private), is covered by this policy. This includes University information systems that are leased or licensed for use by members of the Rowan community.
- "Electronic Media" – Physical object on which data can be stored, such as hard drives, zip drives, floppy disks, compact discs, CD-ROMs, DVDs, USB drives, memory sticks, MP3 players (iPod), Personal Digital Assistants (PDAs), digital cameras, smart phones and tapes.
- "Sensitive Information" – Sensitive information is classified as Protected Health Information (PII), Confidential information, or Internal Information as defined in the Rowan University Information Classification Policy.
- "Sanitization" – To expunge data from storage media so that data recovery is impossible. The most common types of sanitization are destruction, degaussing, and overwriting.
Rowan University - Information Classification Policy ISO: 2013:07
A. All electronic media must be properly sanitized before it is transferred from the custody of its current owner. The proper sanitization method depends on the type of media and the intended disposition of the media.
B. Overwriting Hard Drives for Sanitization
- Overwriting is an approved method for sanitization of hard disk storage media. Overwriting of data means replacing previously stored data on a drive or disk with a random pattern of meaningless information. This effectively renders the data unrecoverable, but the process must be correctly understood and carefully implemented.
- Overwriting consists of recording data onto magnetic media by writing a pattern of fluxes or pole changes that represent binary ones (1) and zeros (0). These patterns can then be read back and interpreted as individual bits, 8 of which are used to represent a byte or character. If the data is properly overwritten with a pattern (e.g., "11111111" followed by "00000000"), the magnetic fluxes will be physically changed, the drive's read/write heads will detect only the new pattern, and the previous data will be effectively erased. Purging a hard drive requires overwriting with a pattern, then with its complement, and finally with another pattern (e.g., overwrite first with "00110101", followed by "11001010", then "10010111"). Sanitization is not complete until the three overwrite passes and a verification pass are completed.
- A variety of software packages are available on the open market that properly perform this function. Examples include, but are not limited to, "Killdisk" and Symantec's "Gdisk" (part of the Ghost product).
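As an added illustration of the three-pass overwrite and verification procedure described above (example code written for this page, not Rowan's own tooling or any named product): it writes the policy's three example patterns over a constructed sample file, checks that the second pass is the complement of the first, and reports success only after a verification pass reads back nothing but the final pattern. The file path and helper names are assumptions; a real purge targets the whole drive, not a single file.

```python
import os
import tempfile

# Passes from the policy's example: a pattern, its complement, then a different
# pattern, followed by a verification pass. The policy describes magnetic media;
# flash media with wear levelling may keep old copies a file-level overwrite never reaches.
PASSES = (0b00110101, 0b11001010, 0b10010111)
CHUNK = 1 << 16  # 64 KiB write/read buffer

def overwrite_pass(path, pattern, size):
    """Write the one-byte pattern over every byte of the file, then sync to disk."""
    block = bytes([pattern]) * CHUNK
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(block[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())

def verify_pass(path, pattern, size):
    """Read everything back; succeed only if every byte is the final pattern."""
    seen = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != bytes([pattern]) * len(chunk):
                return False
            seen += len(chunk)
    return seen == size

def sanitize_by_overwrite(path):
    """Three overwrite passes plus verification, as the policy requires."""
    first, second, third = PASSES
    if second != (~first) & 0xFF:
        raise ValueError("second pass must be the complement of the first")
    size = os.path.getsize(path)
    for pattern in (first, second, third):
        overwrite_pass(path, pattern, size)
    return verify_pass(path, third, size)

def demo():
    """Constructed sample: a temp file of fake records, sanitized and verified."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONSTRUCTED SAMPLE: fake sensitive record\n" * 3000)
    try:
        return sanitize_by_overwrite(tmp.name)
    finally:
        os.unlink(tmp.name)
```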
C. Destruction of Electronic Media
Destruction of electronic media is the process of physically damaging a medium so that it is not usable by any device that may normally be used to read electronic information on the media such as a computer, tape reader, audio or video player.
D. Clearing Data
Clearing data (for example, formatting a drive or deleting files) removes information from storage media in a manner that renders it unreadable unless special utility software or techniques are used to recover the cleared data. Because the clearing process does not prevent data from being recovered by technical means, it is not an acceptable method of sanitizing media intended for disposal outside of the University.
E. Disposal of Hard Drives
1. Disposal of Hard Drives to Other Departments or Outside the University
2. Transfer of Hard Drives within a Department
3. Sending a Hard Drive out for Repair or for Data Recovery
4. Repairing a Hard Drive Under Warranty
5. Disposal of Damaged or Inoperable Hard Drives
F. Disposal of Electronic Media Other Than Hard Drives
1. Transfer of Electronic Media Other Than Hard Drives Within a Department
2. Disposal of Electronic Media Outside the University
VII. NON-COMPLIANCE AND SANCTIONS
Violation of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes.
By Direction of the CIO:
VP and Chief Information Officer