UMB Policy on Disposal of Media Containing Data
X-99.08(A) | Information Technology | Approved June 15, 2018 | Last Reviewed April 30, 2024
Responsible VP/AVP: Peter J. Murray, PhD, CAS, MS
Revision History
Signed November 1, 2016 by the President, effective November 14, 2016, revised June 15, 2018.
Purpose
To establish a policy for properly disposing of computer equipment and other media which contain data, in order to comply with USM audit requirements and to ensure that any sensitive data are rendered unrecoverable. Computer hard disks (including those on copy machines) may contain personal, confidential, and legally protected information that is still readable even when the files have been erased or the hard drive reformatted. Failure to destroy this information could lead to unauthorized access, identity theft, and liability to the University of Maryland, Baltimore (UMB).
Policy Statement
I. Policy Statement
A Data Storage Device may contain media on which personal, confidential, and legally protected information (“Sensitive Data”) is stored. In order to prevent unauthorized access to Sensitive Data, identity theft, and liability, University of Maryland, Baltimore (“UMB”) is committed to ensuring that before disposal of a Data Storage Device, its media are properly destroyed and stored data are unrecoverable.
II. Purposes
The purposes of this Policy are to require the proper removal of Data Storage Devices from UMB IT assets and to specify appropriate methods for the disposal of Data Storage Devices in a manner that meets IT Security Standards of the University System of Maryland (as amended from time to time).
III. Scope
This Policy applies to the disposal of all Data Storage Devices that are owned or leased by UMB, including without limitation data storage media in workstation computers, laptops, servers, cell phones, multi-function printer/copiers, and removable devices (such as USB drives, pen drives, thumb drives, flash drives, and memory sticks). This Policy applies to all UMB schools, departments, units, faculty, and staff.
IV. Responsibilities
Schools and Administrative Units
Schools and administrative units are required to follow the UMB Procedure for Disposal of Media Containing Sensitive Data (the “Media Disposal Procedure”)for the destruction or sanitizing of Data Storage Devices. “Sanitizing” means clearing the Data Storage Device of all data. The Media Disposal Procedure is also posted on the Asset Disposal System website. Schools and units are responsible for completing and submitting a Surplus Property disposal form, available online. The form is used for notifying the Surplus Property Division of Strategic Sourcing and Acquisition Services (“SSAS”) that a Data Storage Device is ready to be collected by SSAS and disposed of through the UMB contract for disposal of Data Storage Devices.
Strategic Sourcing and Acquisition Services
All copiers are to be purchased or leased through SSAS. SSAS is responsible for ensuring that all contracts for purchased or leased copiers include contract language requiring either (a) that a security feature be installed with the copier to provide secure overwriting of data, or (b) that the copier vendor perform proper destruction or sanitizing as outlined in Part VI below before the copier leaves UMB.
Surplus Property Division of SSAS
The Surplus Property Division of SSAS is responsible for collecting Data Storage Devices from schools and units upon receiving notification through a properly completed online disposal form. The form is posted online with the Media Disposal Procedure.
V. Data Storage Device Assets and Sensitive Data
The complete UMB media disposal process is described in the Media Disposal Procedure.
If a Data Storage Device will be reused or repurposed at UMB or elsewhere, the Data Storage Device first must be sanitized. Clearing and overwriting will prevent information from being retrieved by data, disk, or file recovery utilities. Specific procedures for sanitizing media in accordance with the NIST “Guidelines for Media Sanitization” are included in the Media Disposal Procedure. Sanitizing media is the responsibility of the school or unit intending to reuse or repurpose the Data Storage Device.
Any Data Storage Device that is cleared for later use must be recorded on the Sanitization Validation Form and the form must be kept by the school or unit for at least three years for audit verification as described in the Media Disposal Procedure.
VI. Copy Machines
Copy machines are often leased, returned, and then leased again or sold. As a result, there is a possibility that an unauthorized third party could access information stored on the media of the copy machine.
A security data feature must be enabled for every copy machine being used at UMB to provide secure overwriting of data. If the security data feature cannot be enabled, the vendor of the copy machine must be contacted and required to sanitize the copier prior to removal of the copier from UMB. The vendor must provide documentation stating that data destruction or sanitization has been performed, and the school or unit must retain the documentation for at least three years for audit verification purposes.
VII. Enforcement
UMB personnel who violate UMB policies or procedures may be subject to disciplinary action by UMB up to and including termination of employment. UMB Affiliate personnel who violate this Policy or the Media Disposal Procedure will be reported to the Affiliate, and may be denied UMB and Affiliate privileges. Additional consequences may be imposed by UMB, including fines or suspension of purchasing card or other privileges.
UMB and Affiliate personnel who misuse or misappropriate Sensitive Data or Data Storage Devices in violation of law may be referred for criminal investigation, possibly resulting in prosecution.
VIII. Related Policies
Section IV-99.01(A) UMB Policy Regarding Ownership, Management, and Sharing of Research Data
Section VIII-1.20(A) UMB Policy on Disposal of Surplus Personal Property