The purpose of this policy is to define the guidelines for the disposal of information technology equipment and components owned by XXX.
This policy applies to any computer/technology equipment or peripheral devices that are no longer needed within XXX, including, but not limited to, the following: personal computers, servers, hard drives, laptops, mainframes, smart phones, or handheld computers (e.g., Windows Mobile, iOS or Android-based devices), peripherals (e.g., keyboards, mice, speakers), printers, scanners, typewriters, compact and floppy discs, portable storage devices (e.g., USB drives), backup tapes, printed materials.
All XXX employees and affiliates must comply with this policy.
- When Technology assets have reached the end of their useful life they should be sent to the office for proper disposal.
- The will securely erase all storage mediums in accordance with current industry best practices.
- All data, including all files and licensed software, shall be removed from equipment using disk sanitizing software that cleans the media by overwriting each and every disk sector of the machine with zero-filled blocks.
- No computer equipment should be disposed of via skips, dumps, landfill etc. Electronic recycling bins may be periodically placed in locations around XXX. These can be used to dispose of equipment. The will properly remove all data prior to final disposal.
- All electronic drives must be degaussed or overwritten with a commercially available disk cleaning program. Hard drives may also be removed and rendered unreadable (drilling, crushing or other demolition methods).
- Computer Equipment refers to desktop, laptop, tablet or netbook computers, printers, copiers, monitors, servers, handheld devices, telephones, cell phones, disc drives or any storage device, network switches, routers, wireless access points, batteries, backup tapes, etc.
- The will place a sticker on the equipment case indicating the disk wipe has been performed. The sticker will include the date and the initials of the technician who performed the disk wipe.
- Technology equipment with non-functioning memory or storage technology will have the memory or storage device removed and it will be physically destroyed.
3.2 Assets Tracked
Defines which IT assets should be tracked and to what extent.
1 IT Asset Types
Categorizes the types of assets subject to tracking, including:
- Desktop workstations
- Laptop mobile computers
- Mobile phones and tablets
- Printers, Copiers, Fax machines, multi-function machines
- Handheld devices
- Memory devices
2 Assets Tracked
Assets that cost less than $100 and do not contain data should not be specifically tracked. These include components such as video or sound cards. However, all assets that store data should be tracked regardless of cost. Examples include:
- Hard Drives
- Temporary storage drives
- Tapes – including system backup data.
Although not specifically tracked, other storage devices such as CD ROM disks and floppy disks are covered by this policy for disposal and secure storage purposes.
3 Small Memory Devices
Small memory storage assets will not be tracked by location but by trustee. These assets include:
- Floppy disks
- CD ROM disks
- Memory sticks
Trustees of the devices must sign for receipt of the devices in their possession. All employees must also agree to handle memory sticks, floppy disks, and CD ROM disks in a responsible manner and follow these guidelines:
- Never place sensitive data on a device or media without authorization. Once permission has been obtained, the data-bearing item must be kept in a secure area.
- Never use these devices to download executable programs from outside the network without prior authorization and without first scanning the program with an approved and updated anti-virus and malware scanner. Any software brought into the network should be on the IT department’s approved list.
The Memory Device Trustee Agreement requires employees to sign for receipt of these devices and agree to handle these assets in accordance with the terms of this policy. This form must be executed by all employees that will work with any organizational data on the first day of employment. The form should also be updated whenever an employee receives one or more memory sticks, temporary storage drives, or data backup drives.
4. Asset Tracking Requirements
- All assets must be assigned an ID number. Either an internal tracking number will be assigned when the asset is acquired or the use of Manufacturer ID numbers must be specified in this policy.
- An asset tracking database shall be created in order to track assets. It will include all information on the Asset Transfer Checklist table and the date of the asset change.
- When an asset is acquired, an ID number will be assigned to the asset and the relevant information shall be entered in the asset tracking database.
5. Asset Transfer
- When an asset listed on the Asset Types list is transferred to a new location or trustee, the IT Asset Transfer Checklist must be completed by the trustee of the item and approved by an authorized representative of the organization. The trustee is the person in whose care the item resides. If the item is a workstation, then the trustee is the most common user of the workstation. For other equipment, the trustee is the primary person responsible for maintenance or supervision of the equipment. The trustee must fill out the Asset Transfer Checklist form and indicate whether the asset is a new asset, moving to a new location, being transferred to a new trustee, or being disposed of. The following information must be included:
- Asset Type
- ID number
- Asset Name
- Current Location
- Current Trustee
- New Location
- New Trustee
- Locations of Sensitive Data
Once the trustee fills out and signs the Asset Transfer Checklist form, it must be signed by an authorized representative.
- Data entry – After the Asset Transfer Checklist has been completed, it will be submitted to the asset tracking database manager. The asset tracking database manager will ensure that the information on the form is entered into the asset tracking database within one week.
- Checking the database – Managers who oversee projects that result in a change to equipment location should check periodically to see if the assets that were moved have been updated in the asset tracking database. The database should include a recent move list that can be easily checked.
3.3 Media Sanitization
When transferring assets to another trustee, any confidential information on the device must be protected and/or destroyed. The method of data destruction is dependent upon the sensitivity of the data on the device and the next user of the device (i.e. within the organization and its control or outside the organization).
The following table depicts the three types of sanitization methods and the impact of each method:
|Sanitization Method|Appropriate Use|Description|
|---|---|---|
|Clear|If the media will be reused and will not be leaving the entity’s control.|Protects confidentiality of information against an attack by replacing written data with random data. Clearing must not allow information to be retrieved by data, disk or file recovery utilities.|
|Purge|If the media will be reused and leaving the entity’s control.|Protects confidentiality of information against an attack through either degaussing or Secure Erase.|
|Physical Destruction|If the media will not be reused at all.|Intent is to completely destroy the media.|
1. Sanitization Decision Process
The decision process is based on the confidentiality of the information, not the type of media. The entities choose the type of sanitization to be used, and the type of sanitization is approved by the Information Owner. The technique used may vary by media type and by the technology available to the custodian, so long as the requirements of the sanitization type are met. Recommended Sanitization techniques for specific types of media are outlined in Appendix A of NIST 800-88, Rev. 1, Guidelines for Media Sanitization, Minimum Sanitization Recommendations.
Disposal without sanitization should be considered only if information disclosure would have no impact on organizational mission, would not result in damage to organizational assets, and would not result in financial loss or harm to any individuals.
The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media. The key is to first think in terms of information confidentiality, then apply considerations based on media type.
The cost versus benefit of a sanitization process should be understood prior to a final decision. Entities can always increase the level of sanitization applied if that is reasonable and indicated by an assessment of the existing risk. For example, even though Clear or Purge may be the recommended solution, it may be more cost-effective (considering training, tracking, and validation, etc.) to destroy media rather than use one of the other options. Entities may not decrease the level of sanitization required.
2) Asset Disposal
Asset disposal is a special case since all sensitive data must be removed during or prior to disposal. The manager of the user of the asset should determine the level of sensitivity of the data stored on the device. The data erasure requirements for the device are based upon the sensitivity of the data as determined during the data assessment process:
- None (Unclassified) – No requirement to erase data. However, in the interest of prudence, normally erase the data using any available means such as software-based sanitization, physical destruction, or degaussing.
- Low (Sensitive) – Erase the data using any available means such as sanitization, physical destruction, or degaussing.
- Medium (Confidential) – The data must be erased using an approved technology in order to ensure that data is not recoverable using advanced forensic techniques.
- High (Secret) – The data must be erased using an approved technology to ensure that the data is not recoverable using advanced forensic techniques.
Approved technologies are to be specified in a Media Data Removal Procedure document. Asset types include:
- Floppy disk
- Memory stick
- CD ROM disk
- Storage tape
- Hard drive
- RAM memory
- ROM memory or ROM memory devices
3) Media Use
This policy defines the types of data that may be stored on removable media, whether that media may be removed from a physically-secure facility, and under what conditions such removal would be permitted. Removable media includes the following:
- Floppy disk
- Memory stick
- CD ROM disk
- Storage tape
Removable media should be handled according to the sensitivity of data stored on the device as determined by the data assessment process:
- Unclassified – Data may be removed with approval by the first level manager and the permission is perpetual for the employee throughout the duration of employment unless revoked. The device may be sent to other offices using any public or private mail carrier.
- Sensitive – Data may only be removed from secure areas with the permission of a director level or higher level of management. Approvals are effective on a one-time basis only.
- Confidential – The data may only be removed from secure areas with the permission of a Vice President or higher level of management. Procedures for maintaining data security while in transit and at the new destination of the media must
- Secret – The data may only be removed from secure areas with the permission of the President or higher level of management. Procedures for maintaining data security while in transit and at the new destination of the media must be documented
- Top Secret – The data may never be removed from secure areas.
4. Control of Media
A factor influencing a sanitization decision is who has control and access to the media. This aspect must be considered when media leaves organizational control. Media control may be transferred when media are returned from a leasing agreement or are being donated or resold to be reused outside the organization. The following are examples of media control:
- Under SE Control:
- Media being turned over for maintenance are still considered under the entity’s control if contractual agreements are in place and the maintenance provider specifically provides for the confidentiality of the information.
- Maintenance being performed on an entity’s site, under the entity’s supervision, by a maintenance provider is also considered under the control of the entity.
- Not Under Entity Control:
- Media that are being exchanged for warranty, cost rebate, or other purposes and where the specific media will not be returned to the entity are considered to be out of the entity’s control.
5. Reuse of Media
Entities should consider the cost versus benefit of reuse. It may be more cost-effective (considering training, tracking, and validation, etc.) to destroy media rather than use one of the other options.
6. Clear / Purge / Destroy
|Method|Description|
|---|---|
|Clear|One method to sanitize media is to use software or hardware products to overwrite user-addressable storage space on the media with non-sensitive data, using the standard read and write commands for the device. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also should include all user-addressable locations. The security goal of the overwriting process is to replace Target Data with non-sensitive data. Overwriting cannot be used for media that are damaged or not rewriteable and may not address all areas of the device where sensitive data may be retained. The media type and size may also influence whether overwriting is a suitable sanitization method. For example, flash memory-based storage devices may contain spare cells and perform wear levelling, making it infeasible for a user to sanitize all previous data using this approach because the device may not support directly addressing all areas where sensitive data has been stored using the native read and write interface. The Clear operation may vary contextually for media other than dedicated storage devices, where the device (such as a basic cell phone or a piece of office equipment) only provides the ability to return the device to factory state (typically by simply deleting the file pointers) and does not directly support the ability to rewrite or apply media-specific techniques to the non-volatile storage contents. Where rewriting is not supported, manufacturer resets and procedures that do not include rewriting might be the only option to Clear the device and associated media. These still meet the definition for Clear as long as the device interface available to the user does not facilitate retrieval of the Cleared data.|
|Purge|Some methods of purging (which vary by media and must be applied with considerations described further throughout this document) include overwrite, block erase, and Cryptographic Erase, through the use of dedicated, standardized device sanitize commands that apply media-specific techniques to bypass the abstraction inherent in typical read and write commands. Destructive techniques also render the device Purged when effectively applied to the appropriate media type, including incineration, shredding, disintegrating, degaussing, and pulverizing. The common benefit across all these approaches is assurance that the data is infeasible to recover using state of the art laboratory techniques. However, Bending, Cutting, and the use of some emergency procedures (such as using a firearm to shoot a hole through a storage device) may only damage the media as portions of the media may remain undamaged and therefore accessible using advanced laboratory techniques. Degaussing renders a Legacy Magnetic Device Purged when the strength of the degausser is carefully matched to the media coercivity. Coercivity may be difficult to determine based only on information provided on the label. Therefore, refer to the device manufacturer for coercivity details. Degaussing should never be solely relied upon for flash memory-based storage devices or for magnetic storage devices that also contain non-volatile non-magnetic storage. Degaussing renders many types of devices unusable (and in those cases, Degaussing is also a Destruction technique).|
|Destroy|There are many different types, techniques, and procedures for media Destruction. While some techniques may render the Target Data infeasible to retrieve through the device interface and unable to be used for subsequent storage of data, the device is not considered Destroyed unless Target Data retrieval is infeasible using state of the art laboratory techniques. Disintegrate, Pulverize, Melt, and Incinerate. These sanitization methods are designed to completely Destroy the media. They are typically carried out at an outsourced metal Destruction or licensed incineration facility with the specific capabilities to perform these activities effectively, securely, and safely. Shred. Paper shredders can be used to Destroy flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality that the data cannot be reconstructed. To make reconstructing the data even more difficult, the shredded material can be mixed with non-sensitive material of the same type (e.g., shredded paper or shredded flexible media). The application of Destructive techniques may be the only option when the media fails and other Clear or Purge techniques cannot be effectively applied to the media, or when the verification of Clear or Purge methods fails (for known or unknown reasons).|
Entities must test a representative sampling of media for proper sanitization to assure that proper protection is maintained.
8 Verification of Equipment
If the entity is using sanitization tools (e.g., a degausser), the entity must have procedures to ensure that the tools are operating effectively.
9 Verification of Personnel Competencies
Entities must ensure that equipment operators are properly trained and competent to perform sanitization functions.
Entities must maintain a record of their sanitization to document what media were sanitized, when, how they were sanitized, and the final disposition of the media.
3.4 Employee Purchase of Disposed Equipment
- Equipment which is working, but has reached the end of its useful life to XXX, will be made available for purchase by employees.
- A lottery system will be used to determine who has the opportunity to purchase available equipment.
- All equipment purchases must go through the lottery process. Employees cannot purchase their office computer directly or “reserve” a system. This ensures that all employees have an equal chance of obtaining equipment.
- Finance and Information Technology will determine an appropriate cost for each item.
- All purchases are final. No warranty or support will be provided with any equipment sold.
- Any equipment not in working order or remaining from the lottery process will be donated or disposed of according to current environmental guidelines. Information Technology has contracted with several organizations to donate or properly dispose of outdated technology assets.
- Prior to leaving XXX premises, all equipment must be removed from the Information Technology inventory system.
3.5 Waste Disposal
Computer monitors, printers, scanners and fax machines are defined as hazardous waste due to the metals and chemicals used in their construction, and arrangements for their disposal must be handled in compliance with the organisation’s waste policies. This organisation must comply with its requirements under the Waste Electronic and Electrical Equipment Directive (WEEE). Small amounts of obsolete or broken IT equipment that has been effectively wiped of any data or does not contain any data storage potential can be disposed of through the electrical waste stream at a municipal site, or disposed of via the manufacturer or an electrical supplier. IT equipment must never be disposed of through general waste routes. It is illegal to mix computer waste with general waste or to send untreated computer waste to landfill.
4.0 Policy Compliance
4.1 Compliance Measurement
The IT team will verify compliance with this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to the policy must be approved by the IT team in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.