Media Sanitization Standard
Purpose
The purpose of this standard is to outline the proper methods by which to sanitize media prior to its disposal, release, or reuse (for both digital and paper media). Proper media sanitization ensures university information is not unintentionally disclosed to unauthorized viewers.
Scope
This standard applies to all university faculty, staff, students, and any individuals who have access to university data, such as retired or emeritus staff and faculty, contractors, or volunteers.
Standard
There are two primary types of media: physical copy (paper, and electronic copy (digital)). With the ever-evolving state of technology, a current inexhaustible list of media cannot be maintained. As such, the concept of sanitization refers to the information contained on the media. Regardless of the type, media should be properly sanitized prior to its release for reuse or destruction by the individual responsible for the data. Each individual responsible for the data is also responsible for classifying their data in accordance with university policy 93.001 Data Classification to determine the appropriate sanitization method. Failure to comply with proper sanitization methods for the corresponding classification may result in a breach and violation of university policy 91.005 . The Information Security Office can consult on the appropriate sanitization method for sensitive data if needed.
Sanitization Methods
The National Institute of Standards and Technology (NIST) provides industry standards as a baseline for sanitizing media. Per , 鈥淪anitization refers to a process that renders access to target data on the media infeasible for a given level of effort.鈥 The following methods are identified by NIST as being appropriate for most data. For specific guidelines associated with the media reference .
- Clearing is the technique for overwriting the entirety of the storage to render the sensitive data unreadable. For electronic copy this can be done with a standard erase procedure or by factory resetting the device so long as the interface presented to a user cannot allow for data recovery. There are no clearing techniques for physical copy.
- Purging is the technique for erasing data in a way that it鈥檚 infeasible to recover the data even with the most advanced laboratory techniques.
- For electronic copy this can be done with 3rd party software (for example DBAN, CCleaner, or Eraser) or through crypto-graphical erasing, so long as it is consistent with recommended techniques from NIST 800-88.
- There are no purging techniques for physical copy.
- Destroying is the technique for obliterating any feasible opportunity at recovering any data on the media by rendering it unusable.
- For electronic copy this is done through first clearing or purging the drive, then physically destroying the media so that it can no longer be used for data storage. University Surplus and Moving has a process for destroying electronic copy, and as such will provide the unit with a certificate of destruction upon completion.
- For physical copy, destruction can be accomplished via a cross-cut shredder, pulverizer, incinerator, or disposal with a contracted third-party document destruction company.
Media Sanitization
Below are the recommended sanitization techniques for data classified in accordance with University policy 91.003 Data Classification.
Sanitization Method | Low Data Sensitivity | Medium Data Sensitivity | High Data Sensitivity |
Clearing | Recommended | Required | Required |
Purging | Optional | Recommended | Required |
Destroying | Optional | Optional | Required |
References
- Policy 91.003 Data Classification
- Policy 91.005 Information Security
- Policy 93.002 Records Management and Archiving
- Policy 91.006 Information Security Risk Management
- NIST 800 Series Publications
Exceptions
All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception
Complete Exception request form.
Governance
This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
Information Technology: Ed Carter (Chair)
Human Resources: Michael Courtney
Faculty: Hans Kruse
Senior Associate Dean: Brian McCarthy
Finance and Administration: Julie Allison
Faculty: Shawn Ostermann
Regional Higher Education: Larry Tumblin
Research and Sponsored Programs: Susan Robb
Enterprise Risk Management and Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved on November 2, 2023.