Information Technology Procedures

UMB Procedure for Disposal of Media Containing Sensitive Data

Information Technology   |   Approved June 15, 2018

Purpose

To provide instructions for the proper removal and disposal of Data Storage Devices from UMB IT assets.  Data Storage Devices may contain media on which personal, confidential, and legally protected information (“Sensitive Data”) is stored.  This procedure implements X-99.08(A) UMB Policy on Disposal of Media Containing Data.

Applicability

This Procedure applies to personnel in UMB schools and administrative units involved in the management of Data Storage Devices including data storage media in workstation computers, laptops, servers, cell phones, multi-function printer/copiers and removable devices (such as USB drives, pen drives, thumb drives, flash drives, and memory sticks). This Procedure applies to all UMB schools, departments, units, faculty, and staff.

Individuals who have been identified and assigned as Inventory Disposal Personnel for schools and administrative units are the key points of contact when disposing of Data Storage Devices.  The Asset Disposal System website provides a list of UMB Inventory Disposal Personnel and the area(s) that they support.    

Instructions

  1. The school or administrative unit begins the disposal process by taking an inventory of Data Storage Devices, and determines which assets need to be removed from inventory.
  2. After Data Storage Devices have been identified for disposal, the Inventory Disposal Personnel assigned to that area should be contacted. The Inventory Disposal Personnel will assist with preparing the Data Storage Devices for disposal.
  3. Inventory Disposal Personnel will enter the following required information into the UMB online system for each Data Storage Device removed from service and identified for disposal, and submit the request
    • Asset Type Removed (Hard Drive, Smartphone, Laptop, Tablet, Desktop Computer, etc.);
    • Date asset was removed;
    • Individual who removed the asset;
    • School or unit where the asset was removed;
    • Serial number of asset.  In some cases an asset may not have a serial number.  If it is “non-serialized” equipment, it should be noted as N/A;
    • Parent serial number if the hard drive was removed and is not being disposed of with the rest of the system (ensure serial number of parent system is noted on the hard drive);
    • Barcode (if available);
    • Whether the item was a tracked capital asset;
    • Asset tag number (capital/non-capital);
    • Reason for removal;
    • Item location.
  4. The Surplus Property Division of Strategic Sourcing and Acquisition Services (“SSAS”) receives the online request and coordinates with the Inventory Disposal Personnel to schedule a pick-up of the Data Storage Devices to be removed.   
  5. If a Data Storage Device is rejected by the Surplus Property Division at the time of pickup, Surplus Property informs the Inventory Disposal Personnel supporting that area why the Data Storage Device was rejected.  Inventory Disposal Personnel proceed to correct the issue(s) with the Data Storage Device and re-submit the disposal request.
  6. After the Surplus Property Division collects a Data Storage Device, it is stored securely by UMB until UMB’s contractor for disposal of Data Storage Devices (“disposal contractor”) can carry out the destruction or other disposition of the device.
  7. The UMB disposal contractor will record in the contractor’s system the details of the destruction or disposition of each Data Storage Device handled by the contractor and will generate a report for Surplus Property that includes any needed certification.  The disposal contractor must sanitize any Data Storage Device it collects that is not being destroyed. The UMB Office of General Accounting receives a report from the disposal contractor identifying each Data Storage Device handled by the contractor that UMB has classified as a capital asset.

If a Data Storage Device will be reused or repurposed within UMB, or will be donated by UMB, e.g., to another state agency, the Data Storage Device must be sanitized by UMB.  The school or unit that is disposing of the Data Storage Device should contact its assigned Inventory Disposal Personnel for assistance in sanitizing the Data Storage Device.  Specific procedures for sanitizing media in accordance with the NIST “Guidelines for Media Sanitization” are included in Appendix A.

Any Data Storage Device that is sanitized for later use must be recorded on the school or unit Sanitization Validation Form and the form must be retained for three years for audit verification.

The Sanitization Validation Form in Appendix B outlines the information to be documented and retained. 

Downloads

Appendix ANIST Special Publication 800-88, Revision 1

Guidelines for Media Sanitization

 

Equipment Type

 

 

Procedures for Sanitizing Media

 

 

Copy Machines

Perform a full manufacturer’s reset to reset the copy machine to its factory default settings.

** Contact the manufacturer for proper sanitization procedure.

 

Fax Machines

Perform a full manufacturer’s reset to reset the fax machine to its factory default settings.

** Contact the manufacturer for proper sanitization procedures.

 

Floppy Disks

 

 

Overwrite media by using agency-approved software and verify that the data have been overwritten.

 

Hard Drives

 

 

Overwrite media by using agency-approved software and verify that the data have been overwritten.

 

USB Removable Media (Pen Drives, Thumb Drives, Flash Drives, Memory Sticks) with Hard Drives

 

 

Overwrite media by using agency-approved software and verify that the data have been overwritten.

 

Mobile Devices (including cell phones)

Manually delete all information, such as calls made and phone numbers, then perform a full manufacturer’s reset to reset the mobile device back to its factory default settings.

** Contact the manufacturer for proper sanitization procedure.

 

Appendix BSanitization Validation Form

Identifying Asset Information

Asset Sanitized

Date Sanitized

Sanitized  By

(Individual)

School ID (refer to school/dept. list)

Serial Number

Barcode,

if available

Capital Asset

y/n

 

Asset Tag

Reason for Sanitization

 

Item Location

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Fill out my online form.