Electronic Data Disposal
Issued by: The Office of the Provost
Policy
All computer systems, electronic devices and electronic media must be properly cleaned of sensitive data and software before being transferred outside of Auburn University either as surplus property or as trash.
Computer hard drives must be sanitized by using software that is compliant with Department of Defense standards. Media that cannot be overwritten, such as CDs or hard drives that no longer function, must be physically destroyed.
The primary responsibility for sanitizing computer systems, electronic devices and media rests with the units that purchase them.
Procedures
- Deans, Directors and Department Heads are responsible for the sanitation of all AU-owned electronic devices and computer systems in their units prior to removal from the AU campus. This responsibility may be delegated within the college as deemed appropriate. University units may also contract with OIT Computer Support for disk sanitation services based on the standard hourly service rate.
- The AU Lease Program, administered by the Office of Information Technology, is responsible for the sanitation of all AU Lease computer systems as part of the end-of-lease processing.
- All University employees are responsible for the sanitation of non-reusable electronic media before disposal. Similar to shredding paper reports, CDs and other non-rewritable media should either be broken or defaced by scratching before disposal.
- The Office of Information Technology is responsible for publishing this policy, associated forms, and a list of DoD-compliant disk sanitation software on the Information Technology website.
- Property Services is responsible for the disposition of surplus computer systems and electronic devices. Any computer system or device sent to Property Services for disposition must have an Electronic Data Disposal Verification form (available from the IT website) affixed to it indicating that the system has been sanitized, the date of sanitation, and the name and phone number of the person responsible for sanitizing the system. Property Services will not accept any computer system without this information. If the original operating system media and certificate of license are available, they should also be sent to Property Services with the computer system.
- Any disposal of computer systems and media must comply with all environmental regulations.
Background
A large volume of electronic data is stored on computer systems and electronic media throughout the University. Much of this data consists of confidential and sensitive information, including student records, financial data, personnel records, and research information. Auburn University is covered by several federal laws that set forth responsibilities for protecting this information, including the Family Educational Rights and Privacy Act (FERPA), the Federal Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act. In addition, copyright laws and software license agreements protect vendor rights regarding the use of software. Much of the software at AU is licensed under special academic licensing agreements which prohibit the transfer of this software outside of the University.
Unauthorized disclosure of sensitive information may subject the University to legal liability, negative publicity, monetary penalties, and the possible loss of funding. All sensitive information and licensed software must be properly removed when disposing of computer systems with hard drives, PDAs, and removable media, such as CDs, DVDs, USB drives, Zip disks, diskettes, tapes and smart cards.
Many studies of disk sanitation indicate that simply deleting files from the media or formatting a hard drive is not sufficient to completely erase data so that it cannot be recovered (see http://www.computer.org/security/v1n1/garfinkel.htm). These studies generally recommend two methods for disk sanitation.
The first method is the destruction of the media either by physical force or by electromagnetic degaussing. However, destroying a hard drive lessens the value of the computer system for any other use and conflicts with a June 2003 resolution by the AU Board of Trustees that allows certain surplus property (including computers) to be transferred to Alabama Public Schools and State Agencies to provide "the greatest possible value to the taxpayers of Alabama for the redistribution of Auburn University's surplus items of property."
The second method of disk sanitation is overwriting all previously stored data with a predetermined pattern of meaningless information, such as a binary pattern, its complement, and an additional third pattern, after which the media is read back to verify that the final pattern is present. This method is detailed in the US Department of Defense National Industrial Security Program Operating Manual DoD 5220.22-M (see http://www.dss.mil/isec/chapter8.htm). There are several commercially available software products that comply with this standard.
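As an added illustration of the overwrite method described above (this is example code written for this page, not part of the Auburn policy and not one of the DoD-compliant products the IT website lists), the following Python script performs the three passes on a file standing in for a drive and then reads the media back to verify the final pass. The third pass writes a single randomly chosen byte value, the "random character" of the standard, rather than a random stream, so that the verification pass can check every byte against a known value. The sensitive record, the image size and the temporary-file path are constructed for the demonstration; running the same routine against a real block device such as /dev/sdX is an assumption left to the operator and is irreversibly destructive. Note also that overwriting in place only applies to magnetic hard disks; flash media such as SSDs and USB drives remap writes internally and cannot be relied on to be sanitized this way.

```python
"""Three-pass overwrite with verification in the style of DoD 5220.22-M
(pattern, complement, random character, verify). Added example, not part of the
Auburn policy; it runs against a file standing in for a drive. Pointing it at a
block device such as /dev/sdX is the operator's decision and is irreversible."""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB per write/read

def _write_all(fd, data):
    """os.write may write fewer bytes than asked; loop until all are written."""
    view = memoryview(data)
    while view:
        view = view[os.write(fd, view):]

def _read_exact(fd, n):
    """os.read may return fewer bytes than asked; loop until n bytes or EOF."""
    parts = []
    while n:
        chunk = os.read(fd, n)
        if not chunk:
            break
        parts.append(chunk)
        n -= len(chunk)
    return b"".join(parts)

def _fill(fd, size, value):
    """Overwrite every addressable byte with `value`, then force it to the media."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = bytes([value]) * CHUNK
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        _write_all(fd, block[:n])
        remaining -= n
    os.fsync(fd)

def _verify(fd, size, value):
    """Read the whole media back and confirm every byte equals `value`."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = bytes([value]) * CHUNK
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if _read_exact(fd, n) != block[:n]:
            return False
        remaining -= n
    return True

def sanitize(path, first=0x00):
    """Pass 1: a fixed byte; pass 2: its complement; pass 3: a random byte; then verify.
    Returns the final-pass byte, or raises RuntimeError if the read-back does not match
    (the case in which the drive must not be released)."""
    passes = [first & 0xFF, (first ^ 0xFF) & 0xFF, secrets.randbelow(256)]
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for regular files and block devices
        for value in passes:
            _fill(fd, size, value)
        if not _verify(fd, size, passes[-1]):
            raise RuntimeError("verification failed: media does not hold the final pattern")
    finally:
        os.close(fd)
    return passes[-1]

def contains(path, needle):
    """Raw byte scan that ignores any filesystem: what a recovery tool does after a delete."""
    overlap = len(needle) - 1
    with open(path, "rb") as f:
        tail = b""
        while True:
            data = f.read(CHUNK)
            if not data:
                return False
            if needle in tail + data:
                return True
            tail = data[-overlap:] if overlap else b""

def demo():
    """Constructed image with one sensitive record placed across a chunk boundary;
    returns (found_before, found_after, final_pass_byte)."""
    record = b"SSN=123-45-6789 NAME=J. Doe GRADE=A"  # constructed sample, not real data
    size = 2 * CHUNK + 123                            # odd tail exercises the last partial chunk
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.truncate(size)        # zero-filled image
        f.seek(CHUNK - 10)      # record straddles the 1 MiB boundary
        f.write(record)
        path = f.name
    try:
        before = contains(path, record)   # a deleted file's data blocks look exactly like this
        final = sanitize(path)
        after = contains(path, record)
        return before, after, final
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())  # expect (True, False, <random byte 0..255>)
```

The raw scan in `contains` is the point of the exercise: it finds the record without consulting any directory entry, which is why deleting a file or formatting a drive leaves the data recoverable, and it no longer finds it once every byte has been overwritten and the final pass has been verified. A verification failure is the condition under which the Electronic Data Disposal Verification form must not be signed and the drive must instead be treated as non-functional media and destroyed.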