Digital storage devices which contain licensed software programs and/or institutional data must be reliably erased and/or destroyed before the device is transferred out of University control, or erased before being transferred from one University department or individual to another. Australian Catholic University is committed to compliance with federal statutes associated with the protection of confidential information as well as ensuring compliance with software licensing agreements.
All employees of Australian Catholic University have a responsibility to ensure the confidentiality of University information residing on the computer systems and other digital storage devices as well as any non-reusable media they use, whether it be University or personally owned. Electronic media, which are devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, and backup tapes, are covered under the provisions of this procedure. In the future, organizations will be using media types not specifically addressed by this guide. The processes described in this document should guide media sanitization decision making regardless of the type of media in use. To effectively use this guide for all media types, organizations and individuals should focus on the information that could possibly have been recorded on the media, rather than on the media itself.
3. Procedure statements
All electronic storage media should be sanitised when it is no longer necessary for business use, provided that the sanitisation does not conflict with University data retention policies.
All electronic storage media should be sanitised prior to sale, donation or transfer of ownership. A transfer of ownership may include transitioning media to someone in your department with a different role, relinquishing media to another department, or replacing media as part of a lease agreement. A service request must be raised and the electronic media provided to the IT department, which will perform the sanitisation process appropriate to the electronic media type.
All University employees are responsible for the sanitisation of non-reusable electronic media before disposal. Similar to shredding paper reports, CDs and other non-rewritable media should be destroyed before disposal.
Deans, Directors and Department heads are responsible for ensuring the sanitisation of all ACU owned electronic devices and computer systems in their business units prior to disposal. This responsibility may be delegated within the business unit as deemed appropriate. In order to action this, a service request must be raised and the machine(s) are then provided to the IT department. The IT department will perform the sanitisation process.
Disposal without sanitisation should be considered only if information disclosure would have no impact on organizational mission, would not result in damage to organizational assets, and would not result in financial loss or harm to any individuals.
Where suitable, NIST Special Publication 800-88 Rev 1 Guidelines for Media Sanitization will be referred to as the standard to be adhered to.
Any disposal of computer equipment and media storage devices must comply with the Asset Management Policy.
Any person found to be in violation of this procedure will be subject to appropriate disciplinary actions as defined by current University policy and/or collective bargaining agreements.
5. Related Links
NIST Special Publication 800-88 Rev 1 Guidelines for Media Sanitization http://dx.doi.org/10.6028/NIST.SP.800-88r1
CD: A Compact Disc (CD) is a class of media from which data are read by optical means.
Data: Pieces of information from which “understandable information” is derived.
Disposal: Disposal is a release outcome following the decision that media does not contain sensitive data. This occurs either because the media never contained sensitive data or because Sanitization techniques were applied and the media no longer contains sensitive data.
DVD: A Digital Video Disc (DVD) has the same shape and size as a CD, but with a higher density that gives the option for data to be double-sided and/or double-layered.
Electronic Media: Electronic media are devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, and backup tapes.
Hard Disk: A rigid magnetic disk fixed permanently within a drive unit and used for storing data. It could also be a removable cartridge containing one or more magnetic disks.
Media Sanitisation: A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
SSD: A Solid State Drive (SSD) is a storage device that uses solid state memory to store persistent data.