Procedure for Disposal or Transfer of Information Technology Equipment
(A) Purpose. At various stages of the IT equipment lifecycle, computing hardware and data storage media will change hands for the purposes of servicing, loaning, changing ownership or disposal. Any such transfer of equipment introduces the risk of unauthorized access to sensitive data, licensed software and intellectual property that is stored on that equipment. Software functions commonly included with a computer's operating system to remove programs and data, such as FDISK, FORMAT and DELETE, may make it appear that data has been removed, when it is nevertheless easily recoverable.
(B) Definitions.
(1) Information Technology (IT) Equipment. Any computer equipment or media that is used to store or process institutional data, including but not limited to: desktop PCs, laptops, USB flash-drives, PDAs, BlackBerry devices, smart-phones, compact discs, DVDs and hard drives.
(2) Sanitize. To eliminate data from IT equipment or computer media so that data recovery is no longer reasonably possible. Sanitizing may be performed by physical destruction or through use of specialized software. A list of software options is included as an attachment to this procedure.
(3) Encrypt. To prevent access to data by making it unreadable to all but an authorized user. Encryption software uses a "key" to scramble the data into a secure format. The key, which can be used later to unscramble the data, is kept secret by the authorized user(s) of the data. Several data encryption options are available through Information Services.
(C) Procedure. When servicing, disposing of, loaning or otherwise relinquishing custody of IT equipment, the department shall exercise caution, as outlined in this procedure, to prevent unauthorized access to the sensitive data, licensed software and intellectual property stored on that equipment.
(1) Surplus equipment redistribution. When IT equipment is reassigned to a new department, the equipment must be sanitized.
(2) Public sale bid. When ownership of IT equipment is relinquished by the university through public sale, the equipment must be sanitized.
(3) Disposal of surplus equipment. When IT equipment is discarded, it must be disposed of through a contracted disposal service that performs data sanitization and is approved by the Vice President of Information Services.
(4) Service and repair.
(a) On-site service and repair. If equipment is serviced on-site under the supervision of the department or Information Services, sanitization is not required unless a storage device will be removed from the equipment for replacement.
(b) Off-site service and repair. If equipment must be shipped, or the department must otherwise relinquish physical control of the IT equipment, it must either be sanitized or encrypted.
(5) Intra-departmental loan or redistribution. When equipment is reassigned or loaned to another user within the same department, care must be exercised to ensure that the new user is authorized to access all programs and data installed or stored on the equipment by previous user(s). If the equipment reassignment or loan occurs between users with dissimilar job functions or data access requirements, the equipment must be sanitized.
(6) Loose media. Hard drives, diskettes, CDs, tapes, USB flash-drives and other loose media must be treated with the same care as other IT equipment such as PCs, notebooks, and servers. As an alternative to sanitization of loose media, a department may contact Data Center Operations to have such devices picked up and disposed of in bulk.
(7) Exceptions.
(a) Non-functioning equipment. Occasionally, it will be impossible to properly sanitize equipment due to a non-functioning device. In this case, the data storage device may be removed from the equipment and disposed of through Data Center Operations, and the remaining hardware disposed of normally.
(b) Other conflicts. In the event of a conflict that precludes exercise of these procedures, such as in the case of warranty requirements, the department should contact the Office of Security and Compliance Services for guidance.
(D) References.
(1) This procedure is meant to supplement the University Procurement Office's asset disposal procedures, which can be found on the Procurement Office website at http://www.kent.edu/procurement.
(2) This procedure shall not supersede requirements for proper disposal and asset control as provided for in 3342-5-12.3, "Administrative policy regarding purchasing, sales and disposal of property and inventory control".
Last Revision: 10/4/2007
Attachment 1
List of programs to sanitize data stored on IT equipment
Information Services can provide only general guidance on use of the following software packages. Specific questions and support should be obtained directly from the vendor.
Free programs for Windows:
- Active@ Kill Disk
- Darik's Boot and Nuke ("DBAN")
- Eraser
- Sure Delete
Commercially available programs for Windows:
- Acronis DriveCleanser
- Disk Wipe
- M-Sweep Pro Data Eliminator
- Paragon Disk Wiper
For Linux systems using an Intel x86 processor, refer to the Windows software listing.
For Macintosh systems running Mac OS X, use the "7 Pass Erase" security functionality within the included Disk Utility program. (http://docs.info.apple.com/article.html?artnum=303462)
For Solaris systems, follow the guidance provided at Sun's web site. (http://wwws.sun.com/software/solaris/trustedsolaris/ts_tech_faq/faqs/purge.html)
