Educause Security Discussion mailing list archives
Re: copier harddrives in the news
From: Allison Dolan <adolan () MIT EDU>
Date: Tue, 11 May 2010 10:49:43 -0400
We also had a flurry of activity in the past month re: policy re: sanitizing copiers. The central group that handles copier leases for many area received the item below from the company they work with, and we are also working on language for vendors that don't go through the central group.
Allison F. Dolan Program Director, Protecting Personally Identifiable Information Massachusetts Institute of Technology On May 11, 2010, at 10:40 AM, Basgen, Brian wrote:
We have been discussing this item for the past couple of weeks internally. We have made the following changes to our disposition policy: (1) For copiers/printers we own, drives must be removed during the disposition process, and will be crushed. (2) For leased copiers/printers, we are currently working on language to add to all of our contracts/lease agreements.~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Brian Basgen Information Security Office Pima Community College Office: 520-206-4873 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Copier Vendor Company Name] Security Policy and Procedure for Returned EquipmentThe following policy and procedure was developed to address the need to destroy all customer data in both the non volatile memory and hard disk drives being returned to the organization.
This procedure applies to all equipment being returned from the customer that was sold, rented, or leased through the organization .
All sites throughout the organization are required to follow this policy. The procedure stated below is the responsibility of the warehouse manager who will oversee its compliance.
Procedure1. There will be an area designated in each warehouse to stage all equipment returned from the customer. Equipment will remain in this area until the data destruction has been performed.
2. Equipment will be powered on and reinitialized to remove any customer data in the non volatile memory.
3. All data on the hard drive will be destroyed using the manufacturer’s procedures. If the equipment cannot be powered on, the hard drive will be removed and destroyed.
4. Once completed, the following form will be completed and signed by the employee performing the data destruction.
5. One copy of the completed form will be attached to the machine in plain view. The original will be filed with the customers records as proof the procedure was followed.
============= Equipment Return Security Checklist Customer Name:______________________________ Date:_______________Machine ID:___________ Serial Number:___________________________
Procedures PerformedEquipment Initialized: YES NO
Data on hard drive destroyed: YES NO
Hard drive removed and destruction(If needed): YES NO
Copy of checklist attached to equipment: Original submitted for filing with customer records:Print Name: _________________ Signature:___________________
Current thread:
- copier harddrives in the news jeff murphy (May 11)
- <Possible follow-ups>
- Re: copier harddrives in the news Stucky, David (May 11)
- Re: copier harddrives in the news Valdis Kletnieks (May 11)
- Re: copier harddrives in the news Basgen, Brian (May 11)
- Re: copier harddrives in the news Allison Dolan (May 11)
- Re: copier harddrives in the news Michael Natale (May 11)
- Re: copier harddrives in the news jeff murphy (May 11)