Effective Date: February 15, 2015
Revised Date: March 30, 2016
Reviewed Date: March 30, 2016
The purpose of this procedure is to define the standards for the disposal of JCPS hardware and to protect the intellectual property of JCPS and the confidentiality of personal information. This procedure applies to, but is not limited to, all devices that fit the following device classifications:
- Portable and notebook computers running Windows, UNIX, Linux, or Mac OS operating systems
- Workstations running Windows, UNIX, Linux, or Mac OS operating systems
The following devices and storage media are not specifically addressed by the terms of this procedure but must be sanitized accordingly:
- Servers should be backed up and sanitized in accordance with vendor recommendations. If the vendor has not provided recommendations, servers can be sanitized as workstations.
- Mobile devices, such as tablets and smartphones, must be destroyed by crushing, incineration, shredding, or melting prior to disposal.
- Removable storage media must be destroyed by incineration, shredding, or melting prior to disposal
- Storage Media—Hard drives, solid state drives, USB drives, SD cards, DVD/CD platters
- Sanitization—Refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed (NIST 800-888)
- Destroy—Physical destruction of storage media through shredding, incineration, crushing, drilling
The procedure applies to all hardware owned or leased by JCPS and capable of storing JCPS's intellectual property or information related to the privacy of JCPS employees, students, clients, or suppliers.
This procedure is complementary to any previously implemented procedures dealing specifically with hardware retention and disposal, including JCPS Fixed Asset Guidelines.
Scenarios for Sanitization/Destruction
JCPS recognizes several categories for the sanitization/destruction of hardware:
- Hardware that is repurposed to a different department or to an employee with equal or less authority must be sanitized.
- Hardware transferred externally. All hardware transferred externally must be sanitized/destroyed according to the methods defined in this policy. This scenario includes:
- Hardware transferred to public auction.
- Hardware donated to charitable organizations.
- Hardware returned to a lessor.
- Hardware returned to a vendor for servicing or maintenance.
- Hardware released to an external agency for disposal.
- Hardware with no value to JCPS “End of Life.”
Technical Guidance on Sanitization
Two different methods may be used to sanitize hardware:
- Physical destruction—Storage media may be sanitized through hard drive crushing, shredding, incineration, drilling, or melting.
- Digital sanitization—Deleting files is insufficient to sanitize storage media. Tabernus LAN Erase (http://www.tabernus.com), a disk sanitization tool, will be used. The tool conforms to the following standard: DoD 5220-22.M.
Procedure Statement on Sanitization
Consult with the Information Technology (IT) Department prior to disposing of any computer equipment. IT is the primary contact for sanitization/destruction issues. They will provide an approved sanitization tool and provide assistance in properly sanitizing or destroying storage media. IT or their designee must maintain a certification that the equipment has been properly sanitized/destroyed before it can be surplused, transferred, or donated. Certification statements should be maintained by IT staff.
The Chief Operating Officer, and the employee’s immediate manager or director, will be advised of breaches of this policy and will be responsible for appropriate remedial action, up to and including termination of employment.
If you have any questions or concerns regarding this process, or would like to report a violation, contact the IT Service Desk at (502) 485-3552 or http://jcps.me/help.