Educause Security Discussion mailing list archives
Re: Policies for Equipment Disposal - computers and other devices with memory
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Tue, 14 Oct 2008 09:51:51 -0600
You may also want to consult the Security Task Force's Guidelines for Data Sanitization available at https://wiki.internet2.edu/confluence/display/secguide/Guidelines+for+Data+Sanitization

We are in the process of updating the Guidelines so we welcome your input, including sample policies or resources to include.

I should also mention that we narrowly escaped a federal mandate as part of the Higher Education Reauthorization Act that would have required institutions to have a policy on the disposal of technology assets which may have personal and sensitive data of students. However, we could expect that similar proposals will resurface in the future. It is important to note, as evidenced by Sally's original question, that the definition of "technology asset" was broad in the proposed bill: "a computer central processing unit, monitor, printer, router, server, peripheral devices (such as switches, hubs, and systems), firewalls, telephones, or other simple network devices or single piece of information technology equipment."

Regards,
-Rodney

--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator
EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX)
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
--------------------------------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Tuesday, September 30, 2008 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Policies for Equipment Disposal - computers and other devices with memory

On Tue, 30 Sep 2008 11:57:26 CDT, Sallie F Wright said:
I am on the hunt for a sample policy that addresses disposal of equipment that has memory/hard drives specifically related to regulatory compliance. We have the computer side but I am wondering what others are doing around copiers, PDAs, cellphones, etc.
Is the issue "regulatory compliance", which is mostly a proper-paperwork issue, or are you trying to address the actual data-leakage problem? (A serious question, that - I could see how your internal risk assessment says that the amount of data stored on a not-too-smart cellphone is an acceptable risk, but a beancounter rule still says you need to wipe it...)