I. Disposal Guidelines for Paper-Based Media
- The proper media disposal technique for any paper based documentation must match the highest classification of data that is contained in that document. Therefore, a document containing both University classified sensitive and restricted data must be disposed of in the manner required for the disposal of restricted data.
- Existing Departmental Managers are responsible for overseeing paper-based document disposal in his or her area.
- Destruction methods for paper-based documentation includes use of the Purdue University Confidential Material Recycling Program, and other methods such as shredding (cross-cut shredding is best), disintegration, incineration, and pulverization.
II. Disposal Guidelines for Electronic-Based Media
- The proper media disposal technique for electronic storage devices depends whether or not the electronic storage media is being repurposed for University use.
- Electronic Storage Devices Repurposed for University Use: If the physical media is going to be repurposed for University use, then the electronic storage device must be wiped with a multiple pass/DoD secure overwrite prior to being repurposed to another unit or area.
- Electronic Storage Devices NOT Repurposed for University Use: If the physical media is not going to be repurposed for University use, then the electronic storage device must be physically destroyed.
- Existing Departmental Managers are responsible for overseeing electronic storage device disposal in his or her area. This responsibility includes ensuring that appropriate multiple pass/DoD secure overwrites are properly completed and documented in the event that storage devices are repurposed for University use.
- Multiple pass/DoD overwrite means to overwrite all addressable locations with a character, its complement, then a random character, and verify.
- Physical destruction methods for electronic storage devices include use of the Purdue Materials Management and Distribution Center (MMDC) program. Contact the Grounds Department Refuse & Recyling department regarding these procedures. Other methods of physical destruction may be acceptable so long as the electronic storage device is destroyed and the data contained on that device may not be recovered by any means.
III. Related Documents
- Purdue University Data Handling Requirements, available at: http://www.tattoovisit.com/securepurdue/data-handling/index.php
- Data Classification and Governance Policy (VII.B.6), available at: http://www.tattoovisit.com/policies/information-technology/viib6.html
- Purdue University Recycling for the Future media shredding program, available at http://www.tattoovisit.com/surplus (click on the Recycling for the Future link on the bottom of the Surplus page)
- Student Services Technology Media Disposal Service Offering: http://www.tattoovisit.com/SSTA/workstationtechnology/services/mediadisposal.php
- The federal government provides the U.S. Department of Defense 5220.22M Cleaning and Sanitizing standard, available at: https://it.ouhsc.edu/policies/documents/infosecurity/DoD_5220.pdf
- NIST Special Publication 800-88, Guidelines for Media Sanitization. Issued September 2006. Available at: https://www.lifewire.com/dod-5220-22-m-2625856
- ISO/IEC 17799:2005(E), Code of Practice for Information Security Management, Control 10.7.2 (Disposal of Media).
Issued 9/25/2006, revised 10/12/2011 (to update policy references), from Purdue University Security Officer's Group and IT Security & Policy. Questions about these guidelines can be addressed to email@example.com.
Revised November 21, 2011 to update URLs.
Revised March 10, 2017 to update URLs, electronic disposal.
Revised April 23, 2018 to update the policy name and number.