The disposition of surplus computer equipment and the sanitization of the data on that equipment are addressed in NYU's Asset Management Policies and Procedures Manual. This is of special concern at NYU's global sites (also often called academic centers or study-away sites) where electronic equipment ready for disposal or repurposing cannot be returned to NYU's Asset Management Office in New York City. The purpose of this Standard is to help NYU Schools, Institutes, departments, other units in its New York location ("units"), and NYU global sites safeguard sensitive information from unauthorized disclosure, as well as to comply with software licensing agreements, state and federal data security and privacy laws, and regulations impacting the diverse global locations.
Those affected by this Standard include all NYU Schools, Institutes, departments, and other units in New York and at all NYU global sites.
Covered by the provisions of this Standard are all computers and digital storage devices including, but not limited to, desktop workstations, laptops, servers, notebooks, mobile devices, printers, and handheld computer hard drives; external hard drives; and all external storage devices, such as disks, SANs, optical media (e.g., DVD, CD), magnetic media (e.g. tapes, diskettes), and non-volatile electronic media (e.g., memory sticks).
Licensed software programs, institutional/business data, personally identified or identifiable data, and/or non-public data must be reliably erased and/or destroyed from any electronic device before the device is transferred out of University control or erased before being transferred from one University department or individual to another. Failure to properly purge data in a manner that renders the data unrecoverable may pose a significant risk to the University since data often easily can be recovered with readily available tools. In all instances, this Standard should be followed when making those decisions. Questions and/or assistance regarding this Standard should be addressed to the NYU IT Service Desk (www.nyu.edu/it/servicedesk).
Effective Date Supersedes N/A Issuing Authority Vice President, Information Technology and Chief Information Officer Responsible Officer Vice President, Information Technology and Chief Information Officer
Sanitization: The process by which data (information, records) is irreversibly removed from the device or is permanently destroyed.
Binary wipe/overwrite: Software writes zeros, ones, and then a pseudo-random over existing data.
Data Classification: The NYU Data Classification table is meant to describe the confidentiality of the data in question and does not factor in the integrity or availability requirements in its rating. Note that if a piece of data fits into more than one category, it is considered to be the highest of those classes.