Educause Security Discussion mailing list archives

Re: copier harddrives in the news


From: Allison Dolan <adolan () MIT EDU>
Date: Tue, 11 May 2010 10:49:43 -0400

We also had a flurry of activity in the past month re: policy re: sanitizing copiers. The central group that handles copier leases for many areas received the item below from the company they work with, and we are also working on language for vendors that don't go through the central group.

Allison F. Dolan
Program Director, Protecting Personally Identifiable Information
Massachusetts Institute of Technology


On May 11, 2010, at 10:40 AM, Basgen, Brian wrote:

We have been discussing this item for the past couple of weeks internally. We have made the following changes to our disposition policy: (1) For copiers/printers we own, drives must be removed during the disposition process, and will be crushed. (2) For leased copiers/printers, we are currently working on language to add to all of our contracts/lease agreements.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security Office
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~


[Copier Vendor Company Name]

Security Policy and Procedure for Returned Equipment



The following policy and procedure was developed to address the need to destroy all customer data in both the non-volatile memory and hard disk drives being returned to the organization.

This procedure applies to all equipment being returned from the customer that was sold, rented, or leased through the organization.

All sites throughout the organization are required to follow this policy. The procedure stated below is the responsibility of the warehouse manager who will oversee its compliance.

Procedure

1. There will be an area designated in each warehouse to stage all equipment returned from the customer. Equipment will remain in this area until the data destruction has been performed.

2. Equipment will be powered on and reinitialized to remove any customer data in the non-volatile memory.

3. All data on the hard drive will be destroyed using the manufacturer’s procedures. If the equipment cannot be powered on, the hard drive will be removed and destroyed.

4. Once completed, the following form will be completed and signed by the employee performing the data destruction.

5. One copy of the completed form will be attached to the machine in plain view. The original will be filed with the customer's records as proof the procedure was followed.



 =============

Equipment Return Security Checklist

Customer Name:______________________________    Date:_______________

Machine ID:___________ Serial Number:___________________________

Procedures Performed

Equipment Initialized: YES NO

Data on hard drive destroyed: YES NO

Hard drive removed and destroyed (if needed): YES NO

Copy of checklist attached to equipment:

Original submitted for filing with customer records:

Print Name: _________________ Signature:___________________



