Media Disposal Guidelines

These guidelines are intended to support Purdue University Policy on Electronic Media Disposal, as well as the Data Handling Requirements as issued by the University Data Stewards.
  1. Disposal Guidelines for Paper-Based Media
    1. The proper media disposal technique for any paper-based documentation must match the highest classification of data that is contained in that document. Therefore, a document containing both University classified sensitive and restricted data must be disposed of in the manner required for the disposal of restricted data.
    2. Existing Departmental Managers are responsible for overseeing paper-based document disposal in their respective areas.
    3. Destruction methods for paper-based documentation include use of the Purdue University Confidential Material Recycling Program, and other methods such as shredding (cross-cut shredding is best), disintegration, incineration, and pulverization.
  2. Disposal Guidelines for Electronic-Based Media
    1. The proper media disposal technique for any IT Resource or Storage Device must match the highest classification of data which is contained on that device. Therefore, a floppy disk containing both University classified sensitive and restricted data must be disposed of in the manner required for the disposal of restricted data.
    2. Existing Departmental Managers are responsible for overseeing compliance with data and disk disposal in their respective areas.
    3. For storage devices to be repurposed for University use, a form confirming the multiple pass/DoD secure overwrite should be completed and kept with the device until it is installed in an operational system and prepared for usage. See sample form attached.
    4. Media disposal and wipes should follow the matrix and legend below. Note that additional requirements may be specified for the physical destruction of storage devices not repurposed for University use.
      1. At a minimum, storage devices containing data at the “sensitive” classification level (and below) should utilize the Clear/Wipe (Securely Deleting Data) standard.
      2. At a minimum, storage devices containing any amount of restricted data should utilize the Sanitize standard.
      3. As technology rapidly changes and it may not be possible to name every conceivable type of storage device available, employees are reminded to utilize a proper disposal method for the underlying classification of data contained on the storage device.

    | Media | Clear/Wipe (Securely Deleting Data) | Sanitize |
    |---|---|---|
    | Rewriteable media (floppies, tape, hard drive, flash drives, etc.) | At least 2 pass overwrite | Multiple pass / DoD secure overwrite; physically destroy media if not repurposed for University use |
    | Optical media (CD-RW, DVD-RW, DVD+RW, CD-R, DVD-R, etc.) | Physically destroy media | Physically destroy media |

    Notes

    • 2 Pass Overwrite: Overwrite all addressable locations with 2 different characters.
    • Multiple pass / DoD secure overwrite: Overwrite all addressable locations with a character, its complement, then a random character and verify.
    • Destroy: Disintegrate, incinerate, pulverize, shred, or melt.
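
The multiple pass / DoD secure overwrite described in the notes above, written out as an added Python example that is not part of the Purdue guidelines. The function names, the 0x55 starting character, and the returned record (which could be used to fill in the verification form) are assumptions; the demo runs against a constructed image file standing in for a storage device.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # bytes per I/O call

def target_size(path):
    # Seeking to the end also works for block devices, where getsize() reports 0.
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)

def fill_pass(path, size, value):
    """Write the byte `value` to every offset of the target and flush it to storage."""
    block = bytes([value]) * CHUNK
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            f.write(block[: min(CHUNK, size - offset)])
        f.flush()
        os.fsync(f.fileno())

def verify_pass(path, size, value):
    """Read the target back; True only if all `size` bytes equal `value`."""
    seen = 0
    with open(path, "rb") as f:
        while data := f.read(CHUNK):
            if data.count(value) != len(data):
                return False
            seen += len(data)
    return seen == size

def three_pass_overwrite(path, char=0x55):
    """Character, complement, random character; each pass is read back and checked."""
    size = target_size(path)
    results = []
    for value in (char, char ^ 0xFF, secrets.randbelow(256)):
        fill_pass(path, size, value)
        results.append({"value": value, "verified": verify_pass(path, size, value)})
        if not results[-1]["verified"]:
            break  # a failed read-back means the overwrite cannot be confirmed
    done = len(results) == 3 and all(r["verified"] for r in results)
    return {"bytes": size, "passes": results, "complete": done}

if __name__ == "__main__":
    # Constructed image file (about 3 MB) standing in for a storage device.
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"constructed sample record\n" * 120000)
    print(three_pass_overwrite(img.name))
    os.remove(img.name)
```

The notes call for overwriting all addressable locations, so a real run targets the whole device rather than a file on a mounted filesystem, and it is destructive to whatever path it is given.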
  3. Related Documents
    1. Purdue University Data Handling Requirements, available at: http://www.purdue.edu/securepurdue/bestPractices/dataClass.cfm
    2. Proper Disposal of University Data Policy, available at: http://www.purdue.edu/policies/pages/information_technology/v_1_5.html
    3. Data Destruction Awareness and You information, available at: http://www.purdue.edu/securepurdue/datadestruction/
    4. Student Services Technology Media Disposal Service Offering: http://www.purdue.edu/SSTA/workstationtechnology/services/mediadisposal.php
    5. The National Industry Security Program (U.S. Department of Defense 5220.22M Cleaning and Sanitizing standard), available at: http://www.dss.mil/isp/odaa/nispom06.html
    6. NIST Special Publication 800-88, Guidelines for Media Sanitization. Issued September 2006. Available at: http://csrc.nist.gov/publications/nistpubs/#sp800-88
    7. ISO/IEC 17799:2005(E), Code of Practice for Information Security Management, Control 10.7.2 (Disposal of Media).
    Electronic Data Disposal Verification Form

    Document Destruction Operating Plan

    Issued 9/25/2006 from Purdue University Security Officer's Group and IT Security & Privacy. Questions about these guidelines can be addressed to itap-securityhelp@purdue.edu.