Applies to: University employees (e.g., faculty, staff, student employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their
handling of University data, information, and records in electronic form during the course of conducting University business (administrative, financial, teaching, research, or service). Policy Statement: When a file is deleted, the operating system does not completely remove the file from the disk; rather, the file deletion removes only the reference to the file from the file system table. The file remains on the disk
until a subsequent file is created over the original file. However, even after the file is overwritten, it is possible to recover data from the original file by studying the magnetic fields on the disk platter surface if the drive was manufactured before 2001. This is referred to as a “laboratory attack”. Other drives may contain data that can be retrieved with specialized software. This is referred to as “deleted file retrieval”. The only way to prevent these kinds of inadvertent file sharing
or file access is to appropriately clean (e.g., sanitize) the hard drive or other media by performing a data wipe or over-write, or to physically destroy the hard drive or other media before it reaches its next owner or destination. The required procedures for performing a data wipe or over-write, or for physically destroying the hard drive or other media, are set forth below. Any official University records must be appropriately retained / disposed of based on the University’s records
retention policy prior to cleaning or destruction of the system, device, or media. The sanitization method for the media depends on the information stored on the media, the age of the media, and on its next destination. The following table should help decide how to handle a particular computer or device. NIST Special Publication
800-88, “Guidelines for Media Sanitization”, defines the terms and methods for sanitizing hard drives and other media. Clearing: Overwriting the media Purging: Magnetic erasure of the media Destruction: Physical destruction of the media Examples of Sensitive and Confidential Information include, but are not limited to, the following data types:
If you need assistance removing data, or if you are not sure whether the data stored on a device is Sensitive or Confidential, please contact the IT Security Office at 785-864-9003 or .
The most current research on data retrieval indicates a single pass of random data or zeros (Clearing) is all that is required to sanitize a functioning hard drive manufactured after 2001. Clearing the drive prevents deleted file retrieval. Laboratory attacks are not possible on modern hard drives. ToolsTo properly clean your electronic media, please use the utility called "Darik's Boot and Nuke" (DBAN). This tool will create an easy-to-use cleaning floppy or CD that can be used in most computers. It will allow you to boot from the media and begin the cleaning process without needing to install any other software on the computer. DBAN allows you to choose a number of options. Physical Destruction of Hard Drives or other MediaIf the computer system, electronic device, or electronic media will not be reused, physical destruction is an acceptable method of disposing of the University data. Individuals desiring to have a computer system, electronic device, or electronic media destroyed may contact the IT Customer Service Center (CSC) at 864-8080 to arrange for drop-off or pick-up of their eWaste. eWaste Delivered to the Computing Services Facility (CSF)
eWaste Pickup Procedure
Consequences: Faculty, staff, and/or student employees who violate this University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment. Students who violate this University policy may be subject to proceedings for non-academic misconduct based on their student status. Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation. Contact: Office of the Chief Information Officer Approved by: Provost and Executive Vice Chancellor Approved on: Thursday, August 14, 2008 Effective on: Thursday, August 14, 2008 Definitions: These definitions apply to these terms as they are used in this document. Sanitization (of computer hard drives): Removing data on a system through one or more various methods that may include overwriting or erasing data utilizing the methods described in NIST Special Publication 800-88. Confidential Information: Subset of Private Information that includes information protected by state and/or federal law and information that the University is contractually obligated to protect. The mishandling of Confidential Information may impact the University through financial and legal sanctions, loss of public confidence, and damage to the University’s reputation. Examples of Confidential Information include Social Security numbers, bank account information, BPC account numbers, healthcare records, educational records, and risk assessments that highlight potential weaknesses in the University’s utility/service infrastructure. Degaussing: Process by which storage media is subjected to a powerful magnetic field to remove the data on the media. eWaste: Discarded electronics. Reformat: (Computing) format again after a previous use, especially to clean a disk drive (or partition) so it contains no data and only formatting information. Reimaging: Reimaging is the process of removing all software on a computer and reinstalling everything. A “reimage” is necessary if your operating system becomes damaged or corrupted. You may also need to reimage if your system is plagued with spyware problems. The word “reinstall” is often used in place of “reimage”. Sensitive Information: Subset of Private Information that includes non-public information (other than Confidential Information) that may cause harm to the University or to individuals if inappropriately used or disclosed. This category includes, for example, research data with commercial or societal value, and individual works of intellectual property. Keywords: Secure data disposal, electronic shredding, erasing media, data removal, discarding computers, data wipe, eWaste, media sanitization Change History: 01/26/2022: Updated contact section. Information Access & Technology Categories: Which of the following can be done to obfuscate sensitive data?Three of the most common techniques used to obfuscate data are encryption, tokenization, and data masking. Encryption, tokenization, and data masking work in different ways. Encryption and tokenization are reversible in that the original values can be derived from the obfuscated data.
Which of the following is an agreement that ensures an employee does not misuse enterprise data?Which of the following is an agreement that ensures an employee does not misuse enterprise data? Correct. New hires are often required to sign an employee nondisclosure agreement (NDA) to make it clear that they may not disclose trade secrets and confidential information without permission.
What is the power supply device that can ensure a correct and constant?A voltage regulator is a component of the power supply unit that ensures a steady constant voltage supply through all operational conditions. It regulates voltage during power fluctuations and variations in loads.
Which of the following refers to capturing and reading data packets as they move over the network?Packet Capture refers to the action of capturing Internet Protocol (IP) packets for review or analysis.
|