General
This section implements CSU Information Security Policy 8070.00.
Information Security requirements for acquisition of information systems
Consult Section 8, Configuration Management and Change Control, for information security-related information systems acquisition requirements.
Consult Section 6, Third Party Management, information security requirements imposed upon third party service providers.
Disposal of information systems
All units in ITS will take adequate measures to properly dispose of information systems at the end of their lifecycle. Except for systems that must be retained as a result of public records law, executive orders, or litigation holds, end of life information systems will be wiped using methods that conform to DOD Standard 5220.22-M.
Each ITS organizational unit will develop procedures for the destruction and sanitization of end of life information systems. The Information Security Officer or designee will review these procedures annually.