Disposal of IT Resources

Information Security Plan

SDSU Information Security Plan Version 1.4

Section 3.9.8

Disposal of IT Resources The Material Management Office auctions surplus computers and disk drives to the public, and destroys media that are not reusable. IT support staff are responsible for ensuring that all information, operating systems and other software (including all media) have been removed (sanitized) from the equipment sent to surplus. Management needs to ensure that proper documentation of all items for surplus are provided to the Materials Management Office when systems/media are picked up. Surplus documentation is vital to the campus inventory reconciliation process.

The IT Security Office recommends writing over the hard drive once to sanitize any remnants of information or software. Writing over the hard drive in this manner still leaves the drive usable.

Using the built-in ATA ANSI standard Secure Erase[1] command for newer ATA drives (more recent than 2001) bigger than 15GB can result in an acceptable level of sanitization, without compromising the usability of the drive.

Defective media (hard drives, tapes, etc) must be removed from systems and labeled for destruction so that Material Management can shred them to prevent access to information or licensed software.

Degaussing is another popular sanitization technique. Since the operational requirements to execute degaussing effectively could result in serious bodily harm to individuals, the IT Security Office does not recommend degaussing as a sanitization option for any electronic media.

Managers should ensure that CD-ROMs and DVDs which are no longer required are shredded (especially those containing protected information), either by Material Management or within their own department. Media containing protected information which cannot be shredded immediately should be secured until disposed of according to approved procedures.