Data Sanitization
Division of Administration Policy No. 22
EFFECTIVE DATE: January 26, 2006
SUBJECT: Data Sanitization
AUTHORIZATION: Barbara Goodson, Assistant Commissioner of Management & Finance
I. POLICY:
It is the policy of the Division of Administration (DOA) that all magnetic storage devices, optical storage media and non-volatile memory devices that are surplused, transferred to another government entity, or subject to disposal, must have all security-sensitive data removed prior to being transferred or disposed.
II. PURPOSE:
The purpose of this policy is to prevent unauthorized disclosure of confidential or sensitive information residing on computer storage media.
III. APPLICABILITY:
This policy shall apply to all sections within the DOA.
IV. PROCEDURE:
Any computer storage media containing security-sensitive data shall be sanitized prior to its disposal or transfer to another agency. The approved means of sanitization are specified in statewide information technology policy and may include securely overwriting, degaussing, or physically destroying the storage media. Where feasible, personal computer hard drives shall be sanitized using a secure overwrite program. Tapes and bulk media or media requiring quick destruction or special handling may require use of a degausser or physical destruction. A permanent data sanitization log shall be maintained, identifying the medium, date, time and method of sanitization.
V. RESPONSIBILITY:
The Office of Computing Services is responsible for:
Sanitizing all computer equipment that it disposes of, or transfers to another agency.
Ensuring that all data sanitization methods it employs are consistent with state information technology standards and DOA policy.
Performing (upon request) data sanitization for property owned by DOA ancillary agencies. Following removal of security-sensitive data, any property tagged by ancillary sections shall be returned to the ancillary section for transfer/disposal.
Appropriated Sections are responsible for:
Identifying media that contain security-sensitive data and providing such media to Computing Services for sanitization.
Ancillary Sections are responsible for:
Identifying computer media that contain security-sensitive data, and either (a) sanitizing the media in accordance with state and DOA policy, or (b) requesting that Computing Services sanitize the media, prior to the section transferring or disposing of the media.
VI. EXCEPTIONS:
Requests for exceptions to this policy should be submitted to the Appointing Authority along with specific and compelling justification.
VII. QUESTIONS:
Questions regarding this policy should be directed to the Office of Computing Services.
NOTE: This policy text is provided online for your convenience. The signed original policy document remains on file in the Division of Administration Office of Human Resources.
