I. Purpose
This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It defines the requirements for proper disposal and sanitization of electronic data and media. If not properly purged from storage media, data could be reconstructed or retrieved. Storage media must be appropriately sanitized to prevent unauthorized access to, or disclosure of, institutional information.
Compliance with this Standard is mandatory and is enforced in the same manner as the policies it supports. Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with this Standard or obtain an exception in accordance with the 4-OP-H-25.20 Request for Exception to IT Security Policy.
II. Definitions
Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.
Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.
Media Sanitization – the erasure, overwriting, or destruction of storage media to the extent that data cannot be recovered using normal system functions or software data recovery utilities.
Full IT Glossary
III. Standard
FSU has adopted the NIST Cybersecurity Framework (CSF) 2.0 as the foundation for a risk-based approach to cybersecurity management. CSF uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and best practices to establish baseline expectations for cybersecurity for all University Units.
University Units are responsible for using this framework to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.
Functions supporting this Standard include, but are not limited to:
NIST Cybersecurity Framework 2.0
| Function | Category |
| --- | --- |
| Identify (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. |
| Protect (PR) | Data Security (PR.DS): Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. |
Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.
Roles and Responsibilities
Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the university. The CISO reports to the FSU Chief Information Officer and the Provost and also serves as the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for establishing and enforcing the application of appropriate operational security controls necessary to protect the network.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
Data Custodian
The Dean, Director, Department Head, or other manager who is ultimately responsible for the integrity, accurate reporting, and use of university data resources, based on the 4-OP-H-25.01 Data Security Standard.
Data Manager
The University Unit employee(s) delegated operational oversight responsibility for data resources by the Data Custodian.
For more information, see IT Roles and Responsibilities.
Management of Media
In order to mitigate significant risk of unauthorized disclosure of FSU information, computer equipment and storage media must be properly sanitized before disposal or reassignment to prevent unauthorized access to, or disclosure of, Institutional information.
CUU and University Unit ISMs are responsible for ensuring proper sanitization and disposal of media within the Units. Data Custodians are responsible for controlling and protecting the full life cycle of electronic media, based on data risk as defined by the 4-OP-H-25.01 Data Security Standard. This includes maintaining an inventory of data and media, as well as processes for secure storage; controlled check out and return; and sanitization and disposal for all media containing High Risk or Moderate Risk data. Users must protect and secure FSU data, devices and portable storage media that are used on the FSU network or to store University data.
No device or storage media containing personally identifiable information (PII) or any data classified as High Risk or Moderate Risk shall be transferred or disposed of unless the appropriate sanitization method has been determined and certified by the University Unit ISM.
Sanitization and Disposal
When authorized by the applicable retention schedule, information, regardless of media type, must be destroyed. Electronic data must be maintained in accordance with the same retention requirements that apply to the same data in non-electronic format.
The University Unit ISM is responsible for ensuring appropriate handling of electronic data disposal and media sanitization within the Consolidated University Unit. Primary responsibility rests with the unit or individual that purchased the media. When a third party is performing the sanitization on behalf of the University, a contract reviewed and approved by the University Unit/CUU DDDH and ITS must be in place assigning data handling responsibilities appropriate for the data classification level of data being managed for destruction. The CUU and University Unit ISMs, or the third party if applicable, are responsible for:
- Ensuring proper sanitization and disposal of media with the appropriate approved technique, based on the data classification level as defined in the 4-OP-H-25.01 Data Security Standard. Electronic media containing High Risk or Moderate Risk information that is no longer needed should be physically destroyed (e.g., shredded, degaussed) or sanitized (e.g., wiped and re-imaged) by electronic methods to render the information unreadable and unrecoverable as stipulated in NIST Special Publication 800-88, Guidelines for Media Sanitization.
- Documenting and retaining for a period of three years a record of storage media data removal or destruction for all media that stored High Risk or Moderate Risk data.
- Providing a certificate of destruction for any storage media provided to them for disposal or destruction.
For more information on media sanitization, see HOW to QUICKLY and PERMANENTLY SANITIZE ANY DRIVE.
For more information on secure disposal, see Records Disposal, Data Cleansing and FSU’s Electronics Recycling Program.
Copiers, Fax Machines, Scanners, and Printers
Multifunction office devices may retain on the device’s hard drive a cached digital copy of some or all of the documents printed, scanned, or processed. Once a machine has reached the end of its useful life or lease, its transfer, return, or disposal must be preceded by rendering any cached sensitive information or data unrecoverable.
Other Devices and Equipment
Any electronic device that stores information on internal storage media such as a hard drive, internal memory card, soldered memory chip, or other storage medium must be cleared of such data or reset to factory defaults before its transfer, return, or disposal. This includes but is not limited to firewalls, switches, lab equipment, digital video equipment, and any other device(s) that store information (e.g., configuration data, passwords) on storage media. Any electronic device that cannot be cleared of sensitive data before transport must be protected by physical means until destruction is possible and an inventoried certificate of destruction is provided.
Licensed Software
Units and individuals must appropriately reuse, transfer, return, remove, or delete licensed software in compliance with licensing agreements before transferring or disposing of any storage media to ensure that no software is disposed of or transferred in violation of its license. Specifically, all nontransferable licensed software must be permanently deleted before any electronic device or media is disposed of or transferred within or external to FSU.
Documentation and Retention
Units and individuals are required to document and retain records of storage media data removal or destruction for all media that stored High Risk or Moderate Risk data, according to the Records Schedule and Retention (GS5). The CUU and University Unit ISMs must ensure appropriate compliance with this Standard for all sanitization and disposal within their units, including any required certificate of destruction.
Data Subject To Regulation and Contractual Agreements
For storage media containing data that is subject to regulations or contractual agreements requiring either (a) specific sanitization procedures or (b) a level of assurance of sanitization above that described in this Standard, the requirements in this Standard are superseded by the regulatory or contractual requirements, and responsible parties must employ methods that meet their unique, elevated requirements.
Legal Hold
The destruction of records, documents, drafts, and copies will be suspended immediately upon notice that an investigation or litigation is pending, imminent, or reasonably foreseeable. The suspension will be tailored to cover only those records, documents, drafts, and copies relevant to the investigation or threatened/pending litigation, as defined by the Office of General Counsel.
A legal hold remains effective until it is released in writing by the Office of General Counsel. After the University community receives written notice of the lifting of a legal hold, all records relevant to the legal hold shall return to their normal handling procedures and retention schedules.
Incident Reporting
Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at security@fsu.edu. The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the 4-OP-H-25.11 IT Incident Response Standard for more information.