Re: Policies for Equipment Disposal - computers and other devices with memory

[Rodney Petersen <rpetersen () EDUCAUSE EDU>]

You may also want to consult the Security Task Force's Guidelines for
Data Sanitization available at
https://wiki.internet2.edu/confluence/display/secguide/Guidelines+for+Da
ta+Sanitization  We are in the process of updating the Guidelines so we
welcome your input, including sample policies or resources to include.

I should also mentioned that we narrowly escaped a federal mandate as
part of the Higher Education Reauthorization Act that would have
required institutions to have a policy on the disposal of technology
assets which may have personal and sensitive data of students.  However,
we could expect that similar proposals will resurface in the future.  It
is important to note, as evidenced by Sally's original question, that
the definition of "technology asset" was broad in the proposed bill:  "a
computer central processing unit, monitor, printer, router, server,
peripheral devices (such as switches, hubs, and systems), firewalls,
telephones, or other simple network devices or single piece of
information technology equipment.''

Regards,

-Rodney

--------------------------------------------------
Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator

EDUCAUSE
1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX) 
EDUCAUSE/Internet2 Security Task Force
www.educause.edu/security
-------------------------------------------------- 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Tuesday, September 30, 2008 3:45 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Policies for Equipment Disposal - computers and
other devices with memory

On Tue, 30 Sep 2008 11:57:26 CDT, Sallie F Wright said:
> I am on the hunt for a sample policy that addresses disposal of 
> equipment that have memory/hard drives specifically related to 
> regulatory compliance. We have the computer side but I am wondering 
> what others are doing around copiers, pda's, cellphones, etc.

Is the issue "regulatory compliance", which is mostly a proper-paperwork
issue, or are you trying to address the actual data-leakage problem?

(A serious question, that - I could see how your internal risk
assessment says that the amount of data stored on a not-too-smart
cellphone is an acceptable risk, but a beancounter rule still says you
need to wipe it...)