editing disabled

DTS Policy and Procedure 5000-1106
Media Protection - Non-PC Equipment Policy

Status: Proposed
Effective Date: XX, 2010 through XX, 2011
Revised Date: N/A
Approved By: J. Stephen Fletcher, CIO
Authority: UCA §63F-1-206; Governor's Executive Order: Directing the Chief Information Officer to Develop and Implement Policy Promoting Security of State Information and Information Systems

1106.1 Purpose
The purpose of this policy is to establish an enterprise policy to protect sensitive data from accidental disclosure while it is stored on electronic storage media utilized by non-PC equipment and when the equipment is decommissioned.
1106.1.1 Background
This policy is intended to reduce the potential for unauthorized recovery of data from electronic storage media contained within decommissioned equipment.
1106.1.2 Scope
This policy and procedure applies to all non-PC equipment supported, maintained, or administered by the DTS and the employees with responsibilities related to these devices. This policy also addresses the disposition of outdated or surplused equipment and the removal of all data and software from resident storage electronic media storage devices.
1106.1.3 Exceptions
Agencies excluded under the provisions of §63F-1-102 (7) et seq., are not included under the provisions of this policy.
1106.2 Definitions
The process of removing sensitive and/or confidential programs or data files on electronic storage media devices (e.g., hard drives, flash drives, flash memory, etc.) in a manner that gives assurance that the information cannot be recovered by forensic efforts.
Electronic Storage Media
For the purpose of this policy electronic storage media refers to hard disk drives, flash memory chips, flash memory drives, USB thumb drives, etc.
Non-PC Equipment
These are electronic devices such as, copiers, scanners, facsimile machines, printers, etc. that utilize electronic storage media to store data as part of the device’s operation.
The process of erasing, or “wiping,” the contents of an electronic file or disk space. Overwriting of data means replacing previously stored data on a storage media device with a predetermined pattern of meaningless information. This effectively renders the data unrecoverable. It is impossible to restore data on storage media that has been properly “wiped.”
Physical Destruction
The physical destruction of storage media device is a process whereby the physical storage media is rendered useless and inaccessible. The end result is that physical storage media are destroyed (crushed or shredded) to the extent that useable data cannot be recovered by any known forensic techniques.
Proof of Destruction
A certified statement and/or a detailed log completed and signed by the person who supervised the destruction of the storage media device.
For the purpose of this policy, transfer means the reassignment or change of ownership of a storage media device from one agency or agency business division to another.
1106.3 Policy
1106.3.1 All Non-PC equipment that are supported, maintained, owned, or administered by DTS will contain a pre-installed encryption kit and/or electronic storage media overwriting kit at the time it is deployed within the State environment.
1106.3.2 All Non-PC equipment will have it’s electronic storage media removed and released to state staff prior to the equipment's transfer or removal from State ownership.
1106.3.2.1 Any evidence of state ownership or use of the equipment must also be removed to ensure that no data of any type is left on the equipment.
1106.3.3 All electronic storage media addressed in this policy must follow a uniform and consistent method for the decommissioning of electronic storage media. The process will be performed for all departments and divisions whose information technology equipment is serviced by DTS.
1106.4 Decommissioning and Data Destruction
There is one acceptable method to be used for data decommissioning—Physical Destruction.
1106.4.1 Processes used for the destruction and disposition of an electronic storage media device must be endorsed by the department’s Chief Operations Officer (COO) and CISO.
1106.4.1.1 DTS offices that physically destroy an electronic storage media device must follow a COO/CISO endorsed process.
1106.4.1.2 DTS offices that physically destroy a storage media device must retain a proof of destruction. At a minimum, the proof of destruction must provide the serial number of the storage media device, the date of media destruction, the method(s) used to destroy the media (e.g., crushing, pulverizing, shredding), the vendor's name if a vendor was used to destroy the storage media, and the name, title and signature of the person who supervised the destruction of the storage media device.
1106.4.1.3 When requested by the Enterprise Information Security Office (EISO) the proof of destruction for a storage media device must be provided to the EISO within 5 business days.
1106.4.2 The EISO must provide training to assigned DTS staff and provide tracking documentation for use in the destruction and disposition of electronic storage media devices.
1106.5 Policy Compliance
Violation of this policy may be the basis for discipline including but not limited to termination. Individuals found to have violated this policy may also be subject to legal penalties as may be prescribed by state and/or federal statute, rule, and/or regulation.

Document History

Originator: Michael Casey, CISO

Next Review: XX, 2011

Reviewed Date: N/A

Reviewed By: N/A