Guidelines
This guideline defines controls for the proper disposal of all Florida International University sensitive information, either in paper or electronic format.
In order to protect University data, especially Highly Sensitive Data, from inadvertent or unauthorized use or disclosure, a University department or unit disposing of equipment with storage devices must ensure that the storage devices are erased using a repeated overwrite operation, purged, degaussed, or destroyed prior to storage media being sent to surplus, reused, donated, or discarded.
Storage media may be sanitized using several methods:
- Data Overwriting Applications
- Magnetic Degaussing
- Physical Destruction
Upon completion of media sanitation procedures, the equipment must display an official sticker from the Information Security Office indicating the name of the person who performed the cleaning, the date of compliance, and the MSCID.
Media Sanitation RequestReason for Guideline
Although a large portion of University data is shared with the public, some data is restricted from unauthorized access, use or disclosure by the privacy protections mandated by state and federal laws. To comply with these mandates and to protect the University Community, the University must have procedures in place to protect, manage, secure, and control data under its purview.
This policy addresses the privacy, security, and confidentiality of University data, especially Highly Sensitive Data, and the responsibilities of institutional units and individuals for sanitation of equipment prior to its removal or disposal.
Procedures
Disposal of Hardcopy Records
Hardcopy Disposal - When disposed of, all sensitive information in hardcopy form must be either shredded or incinerated. To ensure that documents are properly destroyed, only cross-cut or micro-cut shredders will be used to shred hardcopy records containing sensitive information.
Secure Information Containers - Sensitive information that is no longer needed must be placed in a designated locked container within Florida International University offices and never placed in trash bins, recycle bins, or other publicly-accessible locations.
Litigation Hold
Destroying Documents Relevant To Litigation - If there is credible reason to believe that certain Florida International University internal documents may be needed as evidence in upcoming litigation, these documents must not be destroyed by the ongoing Florida International University document destruction process. They must instead be brought to the attention of internal legal counsel and then properly secured.
Disposal of Electronic Media
Storage Media Destruction - Destruction of sensitive information captured on computer storage media must only be performed by the Information Security Department.
Disposal of Computer Equipment
Used Component Equipment Release - Before disposal, donation, or recycling, the Information Security Department must validate that sensitive information has been removed from any information systems equipment that has been used for Florida International University business. This validation process must take place before releasing such equipment to a third party.
Information And Equipment Disposal - Department managers are responsible for the disposal of surplus property no longer needed for business activities in accordance with procedures established by the Information Security Office, including the irreversible removal of sensitive information and licensed software.
Inventory Of Decommissioned Computer And Network Equipment - Information Security Office must maintain an inventory of all Florida International University computer and network equipment that has been taken out of commission.
Labeling Required - Equipment designated for surplus or other re-use should have a label affixed stating that the hard drive has been properly sanitized.
Transfer of Hard Drives and Media
Transfer of Hard Drives - Before a hard drive is transferred from the custody of its current owner, appropriate care must be taken to ensure that no unauthorized person can access the data by ordinary means. All electronic media should be sanitized according to Florida International University procedures.
Transfer of Electronic Media - Before electronic media is transferred from the custody of the current owner, appropriate care must be taken to ensure that no unauthorized person can access data by ordinary means. Electronic media such as floppy disks, rewritable CD-ROMS, zip disks, videotapes, and audiotapes should be erased if the media type allows it or destroyed if erasure is not possible.
Attempted Recovery - Attempts to recover deleted or sanitized data must only be done by specially trained personnel approved by Florida International University management. Insofar as special recovery tools would have to be used by an individual to access the data erased by this method, any attempt by an individual to access unauthorized data would be viewed as a conscious violation of state or federal regulations and the Florida International University Confidentiality Statement.
All academic and administrative departments and offices at Florida International University including all student organizations are responsible for compliance with the FIU Media Sanitation and Property Control guidelines, as well as University policies and procedures and applicable state and federal laws. See Property Accounting's Surplus, Asset Transfer and Cannibalization Request Forms located at http://finance.fiu.edu/controller/forms.html