Equipment and Media Disposal Policy

Version: 1.00
Issue Date: 12/8/2014

This is an example Equipment and Media Disposal Policy. An Equipment and Media Disposal Policy is required to prevent loss of data due to insufficient data removal methods or lack of data removal from equipment being removed from service. In addition, this policy helps ensure that information is updated when equipment is disposed of so assets are tracked accurately.

1.0 Overview

All employees and personnel that dispose of any organizational equipment or equipment containing organizational data must adhere to the Equipment and Media Disposal Policy defined below in order to protect the security of data stored on the media or equipment.

2.0 Purpose

This Equipment and Media Disposal Policy is designed to protect organizational data stored on the equipment or media being removed from service. This policy is intended to protect the public and the organization by protecting data to meet confidentiality and privacy requirements. This Equipment and Media Disposal Policy requires the asset tracking database be kept up to date as equipment is removed from service.

3.0 Scope

This Equipment and Media Disposal Policy applies to all members of the organization or anyone using organizationally owned or leased equipment, whether they are a contractor, vendor, employee, business partner or any other third party. This policy covers transfers or disposals of equipment or storage media, including any transfer to a different security area. This Equipment and Media Disposal Policy does apply to information stored on paper. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Equipment/Media Transfer/Disposal

This Equipment and Media Disposal Policy requires that any media that can store data, whether it is inside equipment or is itself intended as a storage device, be properly treated before transfer or disposal so that the data that was stored on it cannot be read by a third party. Storage media includes but is not limited to:

  • Hard Drives
  • Temporary storage drives
  • Tapes with data stored on them including system backup data.
  • Floppy disks
  • CD ROM disks
  • Memory sticks
  • Smart cards
  • Key fobs

Equipment that may have storage media inside it includes but is not limited to:

  • Servers
  • Network Switches
  • Routers
  • Desktop workstations
  • Laptops and notebooks
  • PDAs

5.0 Media Treatment for Data removal or destruction

The media being transferred or disposed of must have its data securely removed or destroyed. Any asset which can store data must have any sensitive data removed prior to disposal. The manager of the asset's user must determine the maximum sensitivity level of the data stored on the device. The actions required for the device, based on data sensitivity according to the data assessment process, are shown below.

  1. None (Unclassified) - No requirement to erase data, but in the interest of prudence the data is normally erased using any means such as reformatting or degaussing.
  2. Low (Sensitive) - Erase the data using any means such as reformatting or degaussing.
  3. Medium (Confidential) - The data must be erased using an approved technology to make sure it is not readable using specialized, advanced recovery techniques.
  4. High (Secret) - The data must be erased using an approved technology to make sure it is not readable using specialized, advanced recovery techniques. Approved technologies for erasing data are specified in a Media Data Removal Procedure document by asset type, including:
    1. Floppy disk
    2. Memory stick
    3. CD ROM disk
    4. Storage tape
    5. Hard drive
    6. RAM memory
    7. ROM memory or ROM memory devices

A data removal procedure must be created and followed. The procedure must specify a process for removal of data for all sensitivity levels or follow the procedure for the most sensitive level.

6.0 Asset Tracking

If the asset is moved, the asset tracking database must be updated to reflect the change. If the asset is disposed of, the asset tracking database must be updated to reflect the change. The date of disposal and method of disposal shall be recorded. The asset is not immediately removed from the database but will remain in the database for at least one year and may be removed after that time.

7.0 Responsibility

The data custodian shall be responsible for ensuring that the device is turned over to the correct staff (specify position name) to properly remove data when a device is being moved or disposed of. The staff performing the procedure must log receipt of the device, the person who delivered it, the date and time of delivery, the date and time the data destruction was performed, the destruction method or procedure used, and who the device was delivered to after data was removed. The staff performing the procedure will update the asset tracking database to reflect the change.

8.0 Printed Media

Any paper containing sensitive or confidential information must be shredded. The responsibility for ensuring the item is securely disposed of rests with the person in possession of the paper document. Depending on the level of sensitivity of the information, the type and thoroughness of the shredding may vary. Information with a greater degree of sensitivity should be shredded so the paper is in small pieces rather than strips.

If paper documents with sensitive information are not immediately shredded, locked waste containers must be used until the documents are shredded. Locked waste containers must be readily available and clearly marked, with the locks controlled by trusted personnel. Trusted personnel must transport the contents of the containers to a secure environment for shredding or destruction.

9.0 Temporary Files

All systems should be configured so temporary files that store sensitive data are immediately removed or overwritten when they are no longer required. This includes temporary files used when secure web sites are visited. When the session expires or is completed, the temporary files must be deleted.

10.0 Enforcement

Since proper disposal of media which may contain sensitive data is critical to the security of the organization, employees that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

11.0 Additional Policies

  • Asset Control Policy
  • Change Management Policy

12.0 Additional Requirements

  • Senior management must ensure that this policy is published and users agree to abide by the policy.
  • Auditors must periodically check to be sure this policy is being followed and the asset disposal procedure is effective.
  • Auditors will check the accuracy of the inventory database every six months.
  • The asset transfer procedure must be kept up to date to reflect current business practices and needs.
  • A data removal procedure reflecting the processes for removal of data of the various sensitivity levels must be created. The process must consider the technologies used to securely erase the data on the various types of media.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________