IT Data Disposal and Media Sanitization Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It defines the requirements for proper disposal and sanitization of electronic data and media. If not properly purged from storage media, data could be reconstructed or retrieved. Storage media must be appropriately sanitized to prevent unauthorized access to, or disclosure of, institutional information.

Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the Request for Exception to IT Security Policy.

II. Definitions

Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

Information Security Incident - a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

Media Sanitization - the erasure, overwriting, or destruction of storage media to the extent that data cannot be recovered using normal system functions or software data recovery utilities.

Full IT Glossary

III. Standard

FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.

Consolidated University Units (CUUs) are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Controls supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework and Controls

Function Category Desired Outcome
Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. PR.DS-1: Data-at-rest is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. PR.IP-6: Data is destroyed according to policy
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. PR.PT-2: Removable media is protected and its use restricted according to policy

Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on the Data Security Standard.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.

For more information, see IT Roles and Responsibilities.

Management of Media

In order to mitigate significant risk of unauthorized disclosure of FSU information, computer equipment and storage media must be properly sanitized before disposal or reassignment to prevent unauthorized access to, or disclosure of, Institutional information.

CUU and University Unit ISMs are responsible for ensuring proper sanitization and disposal of media within the Units. Data Custodians are responsible for controlling and protecting the full life cycle of electronic media, based on data risk as defined by the Data Security Standard. This includes maintaining an inventory of data and media, as well as processes for secure storage; controlled check out and return; and sanitization and disposal for all media containing High Risk or Moderate Risk data. Users must protect and secure FSU data, devices and portable storage media that are used on the FSU network or to store University data.

No device or storage media containing personally identifiable information (PII) or any data classified as High Risk or Moderate Risk shall be transferred or disposed of unless the appropriate sanitization method has been determined and certified by the University Unit ISM.

Sanitization and Disposal

When authorized by the applicable retention schedule, information, regardless of media type, must be destroyed. Electronic data must be maintained in accordance with the same retention requirements that apply to the same data in non-electronic format.

The CUU ISM is responsible for ensuring appropriate handling of electronic data disposal and media sanitization within the Consolidated University Unit. Primary responsibility rests with the unit or individual that purchased the media. When a third party is performing the sanitization on behalf of the University, a contract reviewed and approved by the University Unit DDDH, CUU DDDH and ITS must be in place assigning data handling responsibilities appropriate for the data classification level of data being managed for destruction. The CUU and University Unit ISMs, or the third party if applicable, are responsible for:

  • Ensuring proper sanitization and disposal of media with the appropriate approved technique, based on the data classification level as defined in the Data Security Standard. Electronic media containing High Risk or Moderate Risk information that is no longer needed should be physically destroyed (e.g., shredded, degaussed) or sanitized (e.g., wiped and re-imaged) by electronic methods to render the information unreadable and unrecoverable as stipulated in NIST Special Publication 800-88, Guidelines for Media Sanitization.
  • Documenting and retaining for a period of three years a record of storage media data removal or destruction for all media that stored High Risk or Moderate Risk data.
  • Providing a certificate of destruction for any storage media provided to them for disposal or destruction.

For more information on media sanitization, see HOW to QUICKLY and PERMANENTLY SANITIZE ANY DRIVE.
For more information on secure disposal, see Records Disposal, Data Cleansing and FSU’s Electronics Recycling Program.

Copiers, Fax Machines, Scanners, and Printers
Multifunction office devices may retain a cached digital copy on the device’s hard drive of some or all the documents printed, scanned, or processed. Once a machine has reached the end of its useful life or lease, its transfer, return, or disposal must be preceded by rendering any cached sensitive information or data unrecoverable.
Other Devices and Equipment
Any electronic device that stores information on internal storage media such as a hard drive, internal memory card, soldered memory chip, or other storage medium must be cleared of such data or reset to factory defaults before its transfer, return, or disposal. This includes but is not limited to firewalls, switches, lab equipment, digital video equipment, and any other device(s) that utilize storage media (e.g. data configuration information, passwords). Any electronic devices that cannot be cleared of sensitive data before transport, must be protected by physical means until destruction is possible, and an inventoried certificate of destruction is provided.
Licensed Software
Units and individuals must appropriately reuse, transfer, return, remove, or delete licensed software in compliance with licensing agreements before transferring or disposing of any storage media to ensure that no software is disposed of or transferred in violation of its license. Specifically, all non­transferable licensed software must be permanently deleted before any electronic device or media is disposed of or transferred within or external to FSU.

Documentation and Retention

Units and individuals are required to document and retain storage media data removal or destruction for all media that stored High Risk or Moderate Risk data according to the Records Schedule and Retention (GS5). The CUU and University Unit ISMs must ensure appropriate compliance with this Standard for all sanitization and disposal for units, including any required certificate of destruction.

Data Subject To Regulation and Contractual Agreements

For storage media containing data that is subject to regulations or contractual agreements requiring either (a) specific sanitization procedures or (b) a level of assurance of sanitization above that described in this Standard, the requirements in this Standard are superseded by the regulatory or contractual requirements, and responsible parties must employ methods that meet their unique, elevated requirements.

Legal Hold

The destruction of records, documents, drafts, and copies will be suspended immediately upon notice that an investigation or litigation is pending, imminent, or reasonably foreseeable. The suspension will be tailored to cover only those records, documents, drafts, and copies relevant to the investigation or threatened/pending litigation, as defined by the Office of General Counsel.

A legal hold remains effective until it is released in writing by the Office of General Counsel. After the University community receives written notice of the lifting of a legal hold, all records relevant to the legal hold shall return to their normal handling procedures and retention schedules.

Incident Reporting

Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the IT Incident Response Standard for more information.

IV. References

Back to Top | Back to Standards