UM Information Security Office
DOCUMENT HISTORY
| Date | Document Version | Revision Description | Author |
|---|---|---|---|
| 10/1/2023 | 1.0 | New Document | Neff, CISO |
| 5/16/2024 | 1.1 | Minor Revisions | Neff, CISO |
Approvals
| Approval Date | Approved Version | Approver Role | Approver |
|---|---|---|---|
| 5/16/2024 | 1.1 | CISO | Neff, CISO |
INTRODUCTION
When files are improperly or inadequately purged from storage media, it is often still possible to reconstruct or retrieve data. To mitigate the risk of unauthorized disclosure of UM Data classified as Confidential or Restricted, storage media must be appropriately sanitized to prevent unauthorized access to or disclosure of sensitive institutional data.
In addition to being a widely accepted security and privacy practice, effective media sanitization is required by some regulations that the university must follow, including HIPAA and GLBA, and by government-funded research grants.
DEFINITIONS
Sanitization
Sanitization is defined as the erasure, overwriting, or destruction of storage media to the extent that data cannot be recovered using normal system functions or software data recovery utilities.
UM Facilities
Defined by each campus in the UM System as the campus unit responsible for equipment disposal and surplus.
See UM Data Governance Policy for additional definitions.
STANDARD
Scope
This standard applies to the UM System and all faculty, staff, workforce members, and sponsored affiliates.
- All units, faculty, principal investigators, staff, and workforce members that maintain or store data classified as High Risk or Medium Risk on any university-owned device, whether or not it is connected to the university network.
- Any storage media used to store High Risk or Medium Risk digital or electronic Institutional Data, even temporarily.
- Storage media being transferred within the university or disposed of at the end of its useful life.
- Any third-party provider with a contractual relationship with the University that maintains the same data types.
Standard Statement
It is assumed that all university-owned devices have stored data classified as Medium Risk at a minimum. Consequently, all university-owned devices must be sanitized according to this Standard at their end-of-life or prior to disposal as surplus. Specifically, no device or storage media containing personally identifiable information, or any data classified as High Risk or Medium Risk, can be transferred or disposed of as surplus unless the appropriate UM-approved sanitization methodology has been completed and certified.
UM Facilities has sole responsibility for the disposition of university-owned property. Units, departments, or individuals with university-owned devices must either sanitize the devices using the procedure and method described below or coordinate with UM IT to do the sanitizing.
For storage media containing data that is subject to regulation or contractual agreement requiring either a specific sanitization procedure or a level of assurance of sanitization above that described in this Standard, the requirements in this Standard are superseded by the regulatory or contractual requirements, and responsible parties shall employ methods that meet their specific requirements.
Unit, Department, or Individual
The university has licensed tools for sanitization of all university-owned storage media and devices that have maintained High Risk or Medium Risk data. Satisfactory execution of this software results in media and devices meeting NIST compliance standards for data destruction, which then allows for the safe recycling or other disposition of the media.
UM-Owned Devices
Units, departments, or individual faculty and staff that do their own sanitization of UM-owned storage media are required to create a Certificate of Destruction, maintain a copy for three years, and attach another copy to all storage media transferred as surplus to UM Facilities. In the absence of a Certificate of Destruction, UM Facilities will assume that a device has not been properly sanitized. UM Facilities will coordinate with UM IT to sanitize the device.
Personally Owned Devices
Individual faculty and staff members who access or maintain Confidential or Restricted data on their personal devices must securely sanitize such devices before their disposition. It is strongly recommended to sanitize personal devices before disposal, transfer, or resale to protect personal information and data, even if never used to store UM Institutional Data.
Storage Media and Device Destruction
In instances where secure erasure or sanitization is not possible, storage media should be physically destroyed using a NIST 800-88 certified physical destruction method. UM Facilities maintains a contract with a third-party vendor to physically destroy storage media and receive a Certificate of Sanitization/Physical Destruction. Units are strongly discouraged from attempting to physically destroy storage media themselves.
Copiers, Fax Machines, Scanners, and Printers
Multifunction office devices usually retain a cached digital copy on the device’s storage media of some or all of the documents printed, scanned, or processed.
It is important to take appropriate hardening steps to minimize the risk of loss or unauthorized disclosure of Confidential or Restricted Data that may be retained on devices while in use by a unit or department. Once a machine has reached the end of its useful life or lease, its transfer, return, or disposal must be preceded by rendering any cached sensitive information or data unrecoverable.
For devices that are part of the UM Managed Print Program serviced through Fisher’s Technology, the vendor is responsible for data sanitization prior to reuse or disposal.
Units that manage their own equipment must first determine whether the device retains digital copies on its storage media. If so, units should determine if vendor-provided tools offer adequate sanitization to meet this Standard. Otherwise, units should request that UM Facilities coordinate with UM IT to handle the sanitization of the equipment.
PROCEDURES
Units and individuals must document and retain for three years a record of storage media data removal or destruction for all media that stored Confidential or Restricted Data.
This requirement applies to the destruction carried out at the unit or individual level, by UM IT, by UM Facilities, or by a third-party vendor.
UM IT and UM Facilities will routinely provide a Certificate of Destruction for any storage media provided to them for disposal or destruction.
Some laws, regulations, or contractual agreements may require that Certificates of Sanitization/Physical Destruction be retained for periods of time different from the above three-year retention period; in which case, such requirements supersede the retention period as defined in this Standard.
Obtaining a Certificate of Sanitization/Physical Destruction for storage media that stored only Public Data is optional.
Certificate of Sanitization
All Certificates of Sanitization must include the following items, at a minimum:
- Manufacturer
- Model
- Serial Number
- Media Type (magnetic, flash, hybrid, etc.)
- Media Source (user or computer the media came from)
- Sanitization Description (Clear, Purge, Destroy)
- Method Used (degauss, overwrite, block erase, crypto erase, etc.)
- Tool Used
- Verification Method (full, quick sampling, etc.)
- Post-sanitization destination (if known)
For Both Sanitization and Verification
- Name of Person
- Position/Title of Person
- Date
- Location
- Department Contact Information
Violations
Failure to properly purge data in a manner that renders the data unrecoverable may pose a significant risk to the university since data often can easily be recovered with readily available tools.
Any UM department or unit found to have violated this Standard may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.
REFERENCES
- UM Data Governance Policy
- Montana University System: Disposal of Computer Storage Devices (Policy 1308)
- U.S. Department of Education Media Sanitization and Disposal Best Practices
- NIST 800-88: Guidelines for Media Sanitization