Purpose
In order to ensure the confidentiality of University data and to comply with software licensing contracts all electronic storage devices must be properly cleaned prior to reuse, transfer or resale.
Definitions
Cleaned: Completely erasing/cleaning a device in accordance with the UM Information Security Program Data Classification System or in some manner that ensures that the data is not retrievable.
Destroyed: Complete destruction of hard drives and other storage media/devices in an approved manner.
Electronic data: Any form of information stored on electronic storage devices.
Electronic storage device: Any device used to store electronic/digital data or information. This includes but is not limited to desktop/laptop computers, servers, network devices, magnetic tape, cell phones, SmartPhones, PDAs, portable storage drives, flash drives, fax machines, copiers and digital cameras.
Information Security Officer (ISO): The designated Information Security Officer at each business unit responsible for operational information security activities.
Re-image: Installing a system baseline, typically on computers, that provides a base level of operating system and software so that the device is ready for reuse.
Re-sale: Offering excess equipment for sale to the general public through processes established by Surplus Property.
Reuse: Redeployment of an electronic storage device from one University user to another.
Transfer: Making excess equipment available to other departments or campuses through processes established by Surplus Property. Transfer could also include the process of sending hard drives or whole systems to vendors for repair or maintenance activities.
Requirements
University Departments
- Ensure compliance with appropriate University policies, including but not limited to, BPM 911 Electronic Records Administration and BPM 308 Resale, Sale or Disposal.
- Ensure all electronic storage devices are processed by a professional IT staff person (or delegate approved by the ISO) before being transferred.
- Seek assistance from the central IT department if necessary.
IT Staff
- Ensure all devices are completely cleaned and, if appropriate, reimaged prior to transfer to another user, another department or to Surplus Property.
- Seek guidance on cleaning electronic storage devices and appropriate tools from the central IT department or the business unit's ISO.
Surplus Property
- Ensure that transfer/disposal forms have been properly completed and signed.
- Properly destroy hard drives and other media when appropriate.
- Randomly audit devices transferred to Surplus Property to ensure they have been properly cleaned.
- Report instances of non-compliance to the appropriate ISO.
Information Security Officers
- Provide assistance to IT staff as needed to ensure systems are properly cleaned.
University Employees
- Must ensure that University data is removed from their personally owned electronic storage devices prior to leaving the University. Employees should seek assistance from professional IT staff to ensure adequate removal of electronic data.
Electronic Storage Device Quick Reference Guide
Disposition Method | Disposal Standard |
---|---|
Transfer for reuse | Completely cleaned and reimaged if appropriate |
Transfer to Surplus Property | Completely cleaned or mark for destruction |
Personally owned devices | Ensure University owned data is wiped from the device upon leaving the University |
Magnetic tape and other non-reusable media | Destroy or transfer to Surplus Property for destruction |
Reviewed 2019-08-15