Hardware Sanitization & Destruction

Effective Date: February 15, 2015
Revised Date: March 30, 2016
Reviewed Date: March 30, 2016

Purpose

The purpose of this procedure is to define the standards for the disposal of JCPS hardware and to protect the intellectual property of JCPS and the confidentiality of personal information. This procedure applies to, but is not limited to, all devices that fit the following device classifications:

  • Portable and notebook computers running Windows, UNIX, Linux, or Mac OS operating systems
  • Workstations running Windows, UNIX, Linux, or Mac OS operating systems

The following devices and storage media are not specifically addressed by the terms of this procedure but must be sanitized accordingly:

  • Servers should be backed up and sanitized in accordance with vendor recommendations. If the vendor has not provided recommendations, servers can be sanitized as workstations.
  • Mobile devices, such as tablets and smartphones, must be destroyed by crushing, incineration, shredding, or melting prior to disposal.
  • Removable storage media must be destroyed by incineration, shredding, or melting prior to disposal

Definitions

  • Storage Media—Hard drives, solid state drives, USB drives, SD cards, DVD/CD platters
  • Sanitization—Refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed (NIST 800-888)
  • Destroy—Physical destruction of storage media through shredding, incineration, crushing, drilling

Scope

The procedure applies to all hardware owned or leased by JCPS and capable of storing JCPS's intellectual property or information related to the privacy of JCPS employees, students, clients, or suppliers.

This procedure is complementary to any previously implemented procedures dealing specifically with hardware retention and disposal, including JCPS Fixed Asset Guidelines.

Scenarios for Sanitization/Destruction

JCPS recognizes several categories for the sanitization/destruction of hardware:

  • Hardware that is repurposed to a different department or to an employee with equal or less authority must be sanitized.
  • Hardware transferred externally. All hardware transferred externally must be sanitized/destroyed according to the methods defined in this policy. This scenario includes:
    • Hardware transferred to public auction.
    • Hardware donated to charitable organizations.
    • Hardware returned to a lessor.
    • Hardware returned to a vendor for servicing or maintenance.
    • Hardware released to an external agency for disposal.
  • Hardware with no value to JCPS “End of Life.”
    • Destroy the hard drive.

Technical Guidance on Sanitization

Two different methods may be used to sanitize hardware:

  • Physical destruction—Storage media may be sanitized through hard drive crushing, shredding, incineration, drilling, or melting.
  • Digital sanitization—Deleting files is insufficient to sanitize storage media. Tabernus LAN Erase (http://www.tabernus.com), a disk sanitization tool, will be used. The tool conforms to the following standard: DoD 5220-22.M.

Procedure Statement on Sanitization

Consult with the Information Technology (IT) Department prior to disposing of any computer equipment. IT is the primary contact for sanitization/destruction issues. They will provide an approved sanitization tool and provide assistance in properly sanitizing or destroying storage media. IT or their designee must maintain a certification that the equipment has been properly sanitized/destroyed before it can be surplused, transferred, or donated. Certification statements should be maintained by IT staff.

Procedure Noncompliance

The Chief Operating Officer, and the employee’s immediate manager or director, will be advised of breaches of this policy and will be responsible for appropriate remedial action, up to and including termination of employment.

Contacts

If you have any questions or concerns regarding this process, or would like to report a violation, contact the IT Service Desk at (502) 485-3552 or http://jcps.me/help.