
University of Minnesota

STANDARDS & GUIDELINES

     

STANDARD—Secure Data Deletion (Appendix I)


Responsible Office: Office of Information Technology
Responsible Officer: Chief Information Officer

EFFECTIVE DATE: June 2003
RELATED POLICY/PROCEDURE:
Acceptable Use of Information Technology Resources

STANDARD
A standard is a level of quality that requires conformity.


Introduction

The Chief Information Officer is designated by the "University Acceptable Use of Information Technology Resources Policy" as the institutional officer responsible for identifying standards for access and acceptable use of information technology resources. This standard defines the use of secure data deletion techniques necessary for the protection of University data and licensed software.

Even though computer users may think that data or programs have been deleted by hitting the "delete key", significant remnants often remain on the hard disk of the computer. Non-public data and licensed software remaining on computers, other electronic devices, and storage media at the time of transfer or disposal represent a substantial risk. To protect against this risk, the Chief Information Officer has approved this standard.

Secure Data Deletion

The department or individual directly responsible for non-public data on a University computer or other electronic device is required to ensure that any non-public information on that device is securely removed before sale or transfer out of their direct control. Examples of such sales and transfers are: transfer to another department; public sale; donation; or scrapping. Such computers must be electronically wiped (e.g. using a secure data deletion program for computers that writes random data in multiple passes) or the physical media must be destroyed. Tapes, CDs, cartridges and other storage and backup media containing non-public information must also be securely deleted or destroyed before disposal or transfer out of direct control.

Since it is possible that even systems not thought of as containing important information can have remnants from previous activity, it is recommended that all systems and media moving from one department or type of usage to another be securely wiped. For some types of electronic equipment this may be as simple as pushing the button to return all settings to factory settings. For others, such as computers that are not operational, physically removing and destroying hard disks or other media may be necessary.

The risk mitigation alternative selected should be in proportion to the risk. For most desktop systems with disks that are operational, use of secure data deletion software for three passes would likely be sufficient. With increased risk, increased numbers of passes with the software and the use of physical destruction should be considered. The use of secure deletion tools is reviewed as part of the normal University audit procedures. Collegiate and departmental technology support staff as well as OIT staff can assist in identifying alternatives (contact OIT by dialing 1-HELP, 612-301-4357).

Implementation

The Office of Information Technology (OIT) web site identifies several secure file deletion programs, a few of which are free downloads (see the first listing under Resources below). If a system is non-operational, the disk or other media may still contain non-public data and must be removed and either securely deleted or physically destroyed. Special care should be taken to securely delete or destroy backup and other removable media after use.

In addition to the departmental staff who are responsible for non-public data on their electronic systems, staff involved in any transfers of equipment both within and particularly outside the University through sales, recycling, donations, etc. must be certain that University data and licensed software have been removed. A statement should be obtained from the originating department that non-public data has been removed before making external transfers outside the University.

Upon request, campus technology support groups that perform secure deletion should provide the originating department or user with a form (with identifying information like serial number and the date) and a statement that the campus support group agrees to perform the secure deletion in conformance to the Secure Deletion Standard and assumes responsibility for doing so.

Resources and Links