SS-08-034 Surplus Electronic Media Disposal

Issue Date: 3/31/2008

Revision Effective Date: 3/31/2008

Review Date: 7/1/2018

PURPOSE

Information systems capture, process and store information using a wide variety of media. This information resides not only on the intended storage media but also on the devices used to create, process or transmit it, and it requires special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality.

Deleting and reformatting media leaves behind residual magnetic, optical, electrical or other representations of data which may allow unauthorized individuals to reconstruct the data and potentially gain access to sensitive information.

When storage media are transferred, become obsolete, or are no longer usable or required by an information system, it is important to ensure that residual representations of sensitive data are not easily recoverable.

STANDARD

When no longer required, the contents of surplus storage media (e-surplus) shall be certified as destroyed or unrecoverable (sanitized) in accordance with applicable State, Federal or agency record retention requirements and DOAS Electronic Equipment Disposal Policy.

Sanitization or destruction of all surplus or vendor return electronic media shall be documented and certified, in writing, by the Agency head or designee.

Delegation of certification authority shall be in writing from the agency head and shall remain on file available upon request.

Certification records shall be retained as part of the IT property management program and shall include what media was sanitized/destroyed (serial numbers, manufacturer, model, etc.), date of sanitization, data classification, sanitization method (clear, purge, destroy) and final disposition (vendor return, resale, donate, etc.).

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Media Controls (PS-08-026)

Media Sanitization – Vendor Return (SS-08-035)

REFERENCES

DOAS Electronic Equipment Disposal Policy

NIST SP 800-88 Guidelines for Media Sanitization

NIST SP 800-36 Guide to Selecting Information Technology Security Products

TERMS and DEFINITIONS

E-surplus – Electronic equipment that is no longer needed by the owning agency or has exceeded its useful life.

  • This term shall also be used to cover all forms of storage media including, but not limited to, electronic, magnetic, optical or other representations of data.

Electronic Media – Any electronic equipment that uses non-volatile memory to store data. (Examples include, but are not limited to: desktop computers, laptop/notebook computers, network servers, network storage devices, PDAs, network routers and switches, digital copiers, scanners, printers and faxes.)

Sanitization – Refers to the general process of removing data from storage media such that there is reasonable assurance that the data cannot be easily retrieved and/or reconstructed.

Clear – Refers to a level of media sanitization that protects the information against a robust keyboard attack. Clearing must render the information irretrievable by data, disk or file recovery utilities. It must be resistant to keystroke recovery attempts and data scavenging tools. (Example: overwriting)

Purge – Refers to a media sanitization process that protects information against a laboratory attack using non-standard systems to conduct data recovery attempts on media outside their normal operating environment. (Example: degaussing)

Destruction – The ultimate form of sanitization. The media cannot be reused as originally intended, and any residual medium should withstand a laboratory attack. (Examples: incineration, melting, shredding)

Certification – Refers to the process of verifying that media has been sufficiently sanitized and/or destroyed and that the methods used satisfactorily meet requirements.