POLICY #: IT-21
DATE DRAFTED: 02/17/06
BRIEF DESCRIPTION: University of Iowa policy regarding the proper transfer, disposal and/or reuse of computers and other digital storage media.
Digital storage devices which contain licensed software programs and/or institutional data must be reliably erased and/or destroyed before the device is transferred out of University control or erased before being transferred from one University department or individual to another. The University of Iowa is committed to compliance with federal statutes associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.
All constituents of The University of Iowa have a responsibility to ensure the confidentiality of federally regulated and otherwise protected sensitive or proprietary information residing on University-owned computer systems and other digital storage devices and media. All computers and digital storage devices including, but not limited to desktop workstation, laptop, server, notebook, and handheld computer hard drives; external hard drives; and all external data storage devices such as disks, SANs, optical media (e.g., DVD, CD), magnetic media (e.g., tapes, diskettes), and non-volatile electronic media (e.g., memory sticks), are covered under the provisions of this policy.
1. University-owned computer and digital storage media must have all institutional data and licensed software reliably erased from the device prior to its transfer out of University control, and/or the media must be destroyed, using current best practices for the type of media. Delete, Remove, and Format operating system commands, as well as disconnecting or clipping wires to a drive, do *not* actually erase data from the media, and therefore are not acceptable methods for preparing media for transfer or disposal.
2. All computer and digital storage media leaving the University’s possession and/or control while still intact must be transferred in accordance with the University of Iowa Equipment policy (Operations Manual Part V, Chapter 12), which covers both tagged and non-tagged equipment. University Surplus will request documentation attesting to the erasure of licensed software and institutional data by an approved IT service provider. Otherwise, they will either perform the erasure of data according to approved procedures prior to release (e.g., sale, donation) of the computer or digital storage media or they will be responsible for destroying the media.
3. Departments may be approved to erase computer and digital storage media for transfer within the University, and/or to destroy media, using approved best practices developed by the University Information Security & Policy Office (ISPO). The University ISPO will work with the appropriate department IT staff to ensure that procedures consistent with security best practices are followed for the reliable removal of licensed software and confidential data before equipment transfers take place. Otherwise, departments must engage a campus IT service provider approved by the ISPO to prepare media for transfer or disposal.
4. Computer and electronic storage equipment identified for title transfer must be reviewed and then subsequently cleaned by an IT service provider approved to perform data erasing. Licensed software and institutional data deemed to be the property of the University of Iowa must be removed prior to title transfer of equipment from the University.
5. Computer and digital storage media which are included as part of a trade-in purchase must be identified on the purchase order for new equipment. Documentation attesting to the erasure of licensed software and institutional data by an approved IT service provider will be required in order to complete the purchase. The University must have a confidentiality agreement in place with any vendor receiving devices for trade-in, or that must be replaced as part of a warranty or repair contract but which cannot be erased for technical reasons.
Related Policies, References and Attachments:
The collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
Information technology policies are incorporated into the University of Iowa Operations Manual (available online at http://www.uiowa.edu/~our/opmanual/index.html), through the Policy on Acceptable Use of Information Technology Resources (see http://www.uiowa.edu/~our/opmanual/ii/19.htm).
All information technology policies are available at http://itsecurity.uiowa.edu/policy/. Best practices documents are available at http://itsecurity.uiowa.edu/resources/.
Specific policies, procedures, and practices related to this policy are:
- Information Security Framework Policy - http://itsecurity.uiowa.edu/policy/policy-information-security-framework.shtml
- Institutional Data Access Policy - http://itsecurity.uiowa.edu/policy/policy-InstitutionalDataAccess.shtml
- Best Practices for Securely Removing Data from Computers and Electronic Storage Devices - http://itsecurity.uiowa.edu/bestprac/SecureRemovalofData.shtml
- Campus IT service providers certified for erasing media - http://itsecurity.uiowa.edu/bestprac/CertifiedforDisposal.shtml
- Research Data Policy (under development)