OFFICIAL
Inventory, Tracking and Discarding of Computing Devices
July 23, 2007
SCOPE/APPLICABILITY
This policy applies to all persons while conducting or performing work, teaching, research or study activity, or otherwise using university resources. Scope and applicability also include all facilities, property, data and equipment owned, leased and/or maintained by the University or its affiliates.
REASON FOR POLICY
Sensitive data must be protected from unauthorized access or disclosure throughout its entire lifecycle from origination to destruction. Electronic media and computing devices, regardless of their value, that contain sensitive information must be properly inventoried, tracked and secured at all times. Sensitive data must be properly eradicated upon destruction or redeployment.
Important Note: See related Inventory and Surplus Policies and Procedures for details regarding the purchase, identification, inventory and surplus of equipment. Policies and standards apply to all computing devices or associated electronic media, regardless of expendable classification.
Computing Device or Electronic Media Redeployment
Any computing device or electronic media moved from one school, department, unit or other university entity to another; transferred between personnel with different access and need to know privileges; or no longer used for specific data must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).
Computing Device or Electronic Media Disposal or Surplusing
Any computing device or electronic media removed from service, discarded, donated, or sent to surplus must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).
Electronic Protected Health Information (ePHI) Note:
A record or log of disposition must be maintained by the responsible university entity for any computing device or electronic media utilized for processing or storing ePHI.
TECHNICAL STANDARDS
Proper tools are required to eradicate sensitive information from electronic media. Links to tools for total eradication of data on the device, as well as for specific eradication of selected data, are maintained on the Information Security Office web site.
Eradication of Data
· Total eradication of data on the computing devices or electronic media is the preferred way to provide a reasonable assurance that sensitive information has been eliminated if the device or media is not to be destroyed (see physical media destruction below).
A total eradication tool must be used if the device or media is being removed from service within the university. Selective eradication of data may be used for computing devices or electronic media being redeployed (not disposed of or sent to surplus) provided ePHI or other regulated data was not housed on the computing devices or electronic media.
Electronic Protected Health Information (ePHI) Note: Computing devices or electronic media, which contain or contained ePHI must have the media sanitized using a total eradication method.
· To maximize assurance of data eradication and to minimize the chance of accidental inappropriate data deletion, the Tier 1 or other qualified support staff who understand how to use the tools outlined above must perform this procedure.
· Certification of Data Eradication: Computing Devices Surplus Certification labels are provided by the Purchasing Department to affix to the device, signifying that the device or electronic media has had its data properly eradicated. It is extremely important that these procedures are followed. See Inventory 3.00: Reporting, Transfer or Movement of Property for more information.
Physical Media Destruction
· Physical destruction of electronic media is the preferred way to provide a high level of assurance that sensitive information has been eliminated if the electronic media is being disposed of and not redeployed. Physical destruction is considered complete only if the media has been disposed of with a shredder or other equipment designed for destroying electronic media. "Casual destruction" (bending, cutting with scissors, breaking and similar activities) is not an adequate way to destroy electronic media.
Note: If proper physical destruction tools are not available for media being disposed, properly performed total eradication of data, as described above, is acceptable.
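The distinction the standards above draw between selective eradication and total eradication is easiest to see on a small model. The following is an added illustration, not part of the policy and not one of the Information Security Office's tools: it builds a constructed in-memory disk image (a `bytearray` standing in for a block device, with a made-up "directory" sector and a made-up data sector holding a sample record), shows that "deleting the file" leaves the record recoverable by a whole-device scan, and then shows a total overwrite followed by the read-back verification a practitioner should perform before affixing a surplus certification label. All names, layout and the sample record are assumptions for the example.

```python
"""
Added illustration (not from the policy): why selective deletion leaves
residue and how to verify a total overwrite. Runs on an in-memory buffer.
"""
import secrets

SECTOR = 512                    # assumed sector size for the toy image
MARKER = b"SSN:123-45-6789"     # constructed sample of "sensitive" data
DATA_SECTOR = 10                # assumed location of the record's data


def make_image(sectors: int = 64) -> bytearray:
    """Constructed disk image: sector 0 acts as a directory that points at
    the data sector where the sensitive record actually lives."""
    img = bytearray(sectors * SECTOR)
    entry = b"DIR: record.txt -> sector 10"
    img[0:len(entry)] = entry
    start = DATA_SECTOR * SECTOR
    img[start:start + len(MARKER)] = MARKER
    return img


def selective_delete(img: bytearray) -> None:
    """Models a file delete: only the directory entry is cleared.
    The data sector is untouched, which is the residue a forensic
    scan of the whole device recovers."""
    img[0:SECTOR] = bytes(SECTOR)


def total_eradicate(img: bytearray, passes: int = 1) -> None:
    """Models a total-eradication tool: every sector is overwritten with
    random data for the requested passes, then with zeros so the final
    state can be verified by a simple read-back."""
    for _ in range(passes):
        img[:] = secrets.token_bytes(len(img))
    img[:] = bytes(len(img))


def residue_found(img: bytes, marker: bytes = MARKER) -> bool:
    """Forensic-style check: scan the entire image, not just the directory."""
    return img.find(marker) != -1


def verify_zeroed(img: bytes) -> bool:
    """Verification pass: every sector must read back as all zeros."""
    zero = bytes(SECTOR)
    return all(img[i:i + SECTOR] == zero for i in range(0, len(img), SECTOR))


if __name__ == "__main__":
    disk = make_image()
    selective_delete(disk)
    print("after selective delete, record recoverable:", residue_found(disk))
    total_eradicate(disk)
    print("after total eradication, record recoverable:", residue_found(disk))
    print("verification (all sectors zero):", verify_zeroed(disk))
```

Two cautions carry over to real hardware. First, the read-back verification is the step that matters: a tool that reports success without a verification pass gives no evidence that every sector was reached. Second, an overwrite issued through the operating system does not reach blocks that an SSD has remapped or kept in its over-provisioned area, so for flash media the device's own sanitize command (for example ATA Secure Erase or NVMe Sanitize), followed by read-back verification, is the total-eradication method to prefer, and physical destruction remains the higher-assurance option for media leaving the university.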
DEFINITIONS
Sensitive information: Information of a confidential or proprietary nature and other information that would not be routinely published for unrestricted public access or where disclosure is prohibited by laws, regulations, contractual agreements or University policy. This includes (but is not limited to) full name or first initial and last name and employee ID (in combination), identifiable medical and health records, grades and other enrollment information, credit card, bank account and other personal financial information, social security numbers, confidential or proprietary research data, dates of birth (when combined with name, address and/or phone numbers), user IDs when combined with a password, etc. See Information Management and Classification Standard.
Computing Devices: Includes but is not limited to workstations, desktop computers, notebook computers, tablet computers, network enabled printers, scanners and multi-function devices, mobile devices, email/messaging devices, cell phones, removable hard drives, flash or "thumb" drives, etc. all hereafter referred to as "computing devices".
Electronic Media: Includes all electronic data storage devices covered under Computing Devices above, and any other electronic data storage devices used to store UofL related data. Media includes but is not limited to removable and non-removable storage such as hard drives, CDs, DVDs, magnetic tape, removable disks (floppy, zip, cartridge systems, etc.) and flash memory devices.
ePHI: Electronic Protected Health Information - Health information maintained or transmitted in an electronic format that:
1. identifies or could be used to identify an individual;
2. is created or received by a healthcare provider, health plan, employer or healthcare clearinghouse; and
3. relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of healthcare to an individual.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
Version / Date / Description
1.0 / July 23, 2007 / Original Publication
1.1 / January 29, 2013 / Content Update
1.2 / September 26, 2013 / Content Review and URL Update
2.0 / March 8, 2016 / Content review/update and update to new template
2.1 / December 6, 2016 / Update Purchasing reference and links to Surplus
2.1 / August 13, 2018 / Grammar and punctuation updates
Reviewed Date(s): March 8, 2016, June 14, 2017, August 13, 2018
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
Vice President for Risk, Audit, and Compliance
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.