BP.03.013 - Business Practice for Secure Computing Equipment Disposal

Printable Version in PDF Format (Get Adobe Acrobat)

Table of Contents

• History
• Purpose
• Background
• Business Practice
  • Accountability
  • Applicability
  • Definition(s)
  • Text
• Exhibit(s)
  • Assessment History

History [top]

• Business Practice Number: BP.03.013
• Version: 1
• Drafted By: Neal Fisch
• Approved By: Michael Berman
• Approval Date: 03/09/2017
• Latest Revision Date: 03/09/2017

Purpose [top]

Describes the processes used for the secure disposal of computing equipment at CI.

Background [top]

Computing equipment that has been “red-tagged” by ITS must be securely evaluated and disposed of by ITS personnel before releasing for general disposal. This business practice describes the process by which secure equipment disposal occurs.

Business Practice [top]

Accountability [top]

Vice President for Information Technology Services

Applicability [top]

All CI recipients of computer hardware.

Definition(s) [top]

1. End-of-Life – the product supplied to the faculty/staff is in the end of its useful life and the vendor (Dell/Apple) stops marketing, selling, or sustaining it.
2. Red Tag – The tag that is affixed to computer hardware when that hardware is no longer supported by T&C personnel due to one or more of the following reasons:
   1. The computer has reached the end of its lifecycle and requires replacement.
   2. The computer does not run a CI standard computer operating system (OS).
   3. The computer is not a CI standard make/model.
   4. The computer was purchased without CI funds.

Text [top]

General

Why is secure equipment disposal necessary?

All computing equipment that contain storage devices (hard drives, solid state flash drives, etc.) are capable of storing information. When a computing device is decommissioned and tagged for removal any data contained on that device needs to be erased to minimize any data leakage risk to the University. This business practice outlines the process(es) used to remove any data from these devices and to minimize any risks to the University related to data leakage from decommissioned computing equipment.

The Process.

All red tag computers, when ready to be decommissioned, will be processed by ITS User Services. The process detail consists of the following steps:

1. An email request is made to the IT Solution Center requesting decommission of computing equipment.
2. Once the work order request is received by User Services, the assigned technician will pick up the equipment for decommission and transport the equipment to the secure equipment processing location.
3. The technician logs the piece of equipment onto the Hard Drive Decommissioned Log for audit purposes using the equipment’s Channel Islands asset tag number.
4. The technician then removes the hard drive(s) from the equipment and places it into the secured storage box until it is erased.
5. When erasure is to occur, all drives currently logged and identified to be erased are transferred to the ITS Solution Center by the assigned technician and the DOD (Department of Defense level) 3 pass erasure process via a StarTech Eraser Dock (3-Pass Full Disk Overwrite erase procedures that meet the requirements of DoD standards) is initiated.
6. Solution Center staff will write “DOD” along with the date the drive was erased on hard drive with permanent marker. If the erasure process fails, they get “Hammer” labeled on them to be physically destroyed afterwards.
7. Drives are returned to the User Services technician afterwards for final decommission logging when process is fully completed.

Exhibit(s) [top]

These documents are incorporated by reference. Please consult the ITS Policy website for the latest versions:

• Property Survey Request Form (PDF, 79.8KB)
• Hard Drive Decommission Log (MS Excel, 10.3KB)

Assessment History [top]