Standard for Destruction and Disposal of Electronic Equipment and Data
Reason for this Standard
The disposition of surplus computer equipment and the sanitization of the data on that equipment are addressed in NYU's Asset Management Policies and Procedures Manual. This is of special concern at NYU's global sites (also often called academic centers or study-away sites) where electronic equipment ready for disposal or repurposing cannot be returned to NYU's Asset Management Office in New York City. The purpose of this Standard is to help NYU Schools, Institutes, departments, other units in its New York location ("units"), and NYU global sites safeguard sensitive information from unauthorized disclosure, as well as to comply with software licensing agreements, state and federal data security and privacy laws, and regulations impacting the diverse global locations.
Those affected by this Standard include all NYU Schools, Institutes, departments, and other units in New York and at all NYU global sites.
Covered by the provisions of this Standard are all computers and digital storage devices including, but not limited to, desktop workstations, laptops, servers, notebooks, mobile devices, printers, and handheld computer hard drives; external hard drives; and all external storage devices, such as disks, SANs, optical media (e.g., DVD, CD), magnetic media (e.g. tapes, diskettes), and non-volatile electronic media (e.g., memory sticks).
Licensed software programs, institutional/business data, personally identified or identifiable data, and/or non-public data must be reliably erased and/or destroyed from any electronic device before the device is transferred out of University control or erased before being transferred from one University department or individual to another. Failure to properly purge data in a manner that renders the data unrecoverable may pose a significant risk to the University since data often easily can be recovered with readily available tools. In all instances, this Standard should be followed when making those decisions. Questions and/or assistance regarding this Standard should be addressed to the NYU IT Service Desk (www.nyu.edu/it/servicedesk).
- Disposal of records containing personally identified or personally identifiable information or other sensitive data
- First, each device should be evaluated to determine if the device should be sanitized or if the data on the device needs to be retained and transferred elsewhere within the University.
- No records containing personally identified or personally identifiable information including, but not limited to, Restricted, Protected, and Confidential data (see the NYU Data Classification Table here: http://www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/data-classification.html) shall be disposed of unless the following sanitization is accomplished:
- destroys the personal identifying information contained in the record; or
- modifies the record to make the personal identifying information unreadable; or
- follows the NYU IT sanitization methodology described below (section 2 below).
- Although not required, it is recommended that publicly-available electronic information also be removed from a device.
- Data which must be retained and transferred to a new or another device must be done in consultation with the local IT support provider.
- Licensed software and institutional data deemed to be the property of NYU must be removed prior to transfer of equipment from the University.
- Software purchased and/or deployed from NYU's site licensed program (e.g., Microsoft Office, Adobe Creative Cloud) must be retained by NYU for possible re-deployment.
- Sanitization methodology
- Deleting files from a device is a first step, but does not remove the data. Data that has been "deleted" without utilizing one of the methods listed below simply can be "undeleted."
- While it is most important to safeguard non-public University and/or personally identified or identifiable data, it often is difficult to separate specific data classifications or to determine conclusively that remnants of non-public data are not recoverable. Therefore, it is most expedient and cost-effective to purge all non-public data before re-use or disposal rather than to try to selectively sanitize the data.
- Some methods of data destruction are more complicated, time-consuming, or resource-intensive than others. Selection should be based on the underlying sensitivity of the data being destroyed.
Erasing by overwriting is an acceptable method of scrubbing data that is not sensitive or requires safeguarding. Multiple passes should be performed with random over-write patterns – not just all zeros or another single character. A minimum of three (3) overwrites is required; additional overwriting is recommended depending upon the sensitivity of the data to be erased. The products listed below are free and able to over-write Microsoft and Unix operating systems.
- Active@Kill Disk (Department of Defense Standard)
- DBAN Hard Drive Secure Wipe
- Windows Secure Eraser
- Secure Erase or Secure Empty Trash on Mac OS X 10.6.8 or later (3, 5, or 7 pass)
Degaussing is a form of de-magnetizing where the magnetic charge of an object is re-set to a magnetically neutral state, in effect erasing all the data previously written to the hard drive or tape.
In instances where the data cannot be overwritten or when degaussing is not possible, hard drives should be physically destroyed. For drives that are defective, dead, or sufficiently unresponsive that they do not complete at least a three overwrite minimum, physical destruction is required.
- Special situations may arise that prevent or make it excessively difficult to comply with this Standard. For these unique situations or challenges, contact the NYU IT Service Desk (www.nyu.edu/it/servicedesk).
- Note that a range of factors can impact the effectiveness and completeness of the overwrite operation. Transfer or re-use of the device outside of NYU is not recommended unless sanitization can be fully validated.
- Disposal process
- No computers or digital storage devices may leave the University's possession without undergoing the described sanitization methodology.
- Documentation, for potential audit purposes, attesting to the erasure of licensed software and institutional data is required in order to complete the transfer both within and external to the University, including devices for trade-in or that must be replaced as part of a warranty or repair contract. Documentation should be retained securely at each NYU unit in New York and at each NYU global site.
- Each warranty or repair contract should contain a statement regarding erasure of data on the hard drive, including a description of the vendor procedure for sanitization. If replacement is necessary as part of a warranty or repair contract and the hard drive sanitization cannot be accomplished for technical reasons, the vendor receiving the device should have a contractual agreement to enable NYU to retain the hard drive and/or a confidentiality and non-disclosure agreement in place with NYU. If neither agreement is in place, before returning the device to the vendor, NYU should remove the hard drive and ensure its destruction.
- Each NYU unit and each global site should specify the person responsible for the sanitization and disposal process at that unit or location.
- A local sanitization and disposal procedure should be created and disseminated at each NYU unit and global site. Information including, but not limited to, location of the device, sanitization date, name of responsible individual(s), disposition after sanitization, should be included. The particular procedure may be different at different locations to take account of, for example, different environments, personnel, and numbers of devices.
- The person responsible for the sanitization and disposal process at that unit or global site should evaluate the device and ensure that the data has been properly and completely removed from the hard drive before removal or re-deployment.
- The person responsible for the sanitization and disposal process at the unit or global site should document that the sanitization and disposal process is completed and securely retain the documentation. (See #3B above).
- A unit or global site requesting to retain the device beyond the re-fresh period assumes responsibility for the device.
- The device can be repurposed within NYU or outside the University once the wipe/overwrite process and the certification documentation are complete.