Highline College

1.4 Equipment Sanitization and Disposal Standard

1.4 Equipment Sanitization and Disposal Standard 2025-03-25T12:44:30+00:00

1.4 Equipment Disposal Standard

  • 1.4.1. Equipment and Data
    • 1.4.1.1. Highline College’s formal, written storage media sanitization and disposal processes and procedures must be adhered to and satisfy all requirements.
    • 1.4.1.2. Special requirements of the data regarding contracts and other requirements ITS may not be aware of must be communicated to ITS upon delivery, including, but not limited to:
      • 1.4.1.2.1. Controlled Unclassified Information (CUI).
      • 1.4.1.2.2. Institutional research data.
      • 1.4.1.2.3. A confirmed or potential investigation or legal hold.
    • 1.4.1.3. Highline College shall sanitize and relinquish equipment by surplus, recycle, disposal, or other means in accordance with applicable laws, contracts, policies, and other requirements.
    • 1.4.1.4. ITS will document its receipt of the equipment in a manner that satisfies this policy and any other requirements.
    • 1.4.1.5. ITS shall ensure workers are aware of data sensitivity and requirements for media sanitization and secure disposal prior to assigning a worker any media sanitization or disposal tasks. This will include:
      • 1.4.1.5.1. Classification and protection of data.
      • 1.4.1.5.2. Records/data retention requirements.
      • 1.4.1.5.3. Relevant policies, standards, guidelines, processes, and procedures.
  • 1.4.2. Protection
    • 1.4.2.1. Information Technology equipment and data must be protected against unauthorized access, misuse, or corruption from the time it is removed from operational status to the time it is sanitized or disposed of, whether within the agency or outside the agency’s physical boundaries.
    • 1.4.2.2. To prevent and detect loss, destruction, or tampering, protections can include:
      • 1.4.2.2.1. Physical or procedural security to limit access.
      • 1.4.2.2.2. Locked containers to limit access.
      • 1.4.2.2.3. Cryptographic mechanisms.
    • 1.4.2.3. If transported, the following should be logged and retained:
      • 1.4.2.3.1. Date and time of the move or transport.
      • 1.4.2.3.2. Name(s) of authorized transport and courier personnel, including individuals external to the organization.
    • 1.4.2.4. ITS may outsource the sanitization or destruction action to a third party with stipulations to ensure adherence to Highline College information technology policies, standards, and any other requirements.
  • 1.4.3. Equipment Disposal
    • 1.4.3.1. shall carry out all equipment sanitization and relinquishing of Highline College information technology equipment.
    • 1.4.3.2. If the information technology equipment has data on it, ITS will identify the highest category of data present, document, and remove all data from the equipment in a manner that results in the data being unrecoverable in accordance with all applicable laws, contracts, policies, and other requirements.
    • 1.4.3.3. To assure that proper sanitization is maintained, ITS must test at least 10% of its sanitized media to ensure the selected method works as desired.
    • 1.4.3.4. No information technology equipment should be disposed of via skips, dumps, landfill, etc. Electronic recycling bins may be periodically placed in locations around Highline College that ITS may use to dispose of information technology equipment. ITS will properly remove all data in accordance with this policy prior to disposal.
  • 1.4.4. Records of Actions
    • 1.4.4.1. Sanitization and disposal actions must be logged.
    • 1.4.4.2. The logs and documentation of sanitization and disposal must be protected against unauthorized access.
    • 1.4.4.3. All media sanitization and disposal actions must be documented. Records must include:
      • 1.4.4.3.1. Information about the storage media (type, serial number, and other unique identifiers).
      • 1.4.4.3.2. The highest category of data that is or was ever contained on the storage media.
        • 1.4.4.3.2.1. If category 4, which specific types of data are or were ever contained on the storage media.
      • 1.4.4.3.3. The destination of the storage media (if known).
      • 1.4.4.3.4. The date the storage media was sanitized.
      • 1.4.4.3.5. The person performing the activity.
      • 1.4.4.3.6. The method that was used to sanitize the storage media.
      • 1.4.4.3.7. The logging of actions serves as an attestation from the person who carried out the action and is responsible for ensuring that all data on the storage media has been rendered unusable.
  • 1.4.5. Data Retention
    • 1.4.5.1. Retain data according to the policies, standards, processes, and procedures of Highline College’s Public Records Office.
      • 1.4.5.1.1. If the equipment is involved in or relates to an ongoing legal or other investigation, the data and equipment may neither be sanitized nor disposed of.
      • 1.4.5.1.2. Prior to device sanitization, relocation, or transfer, a backup of existing data that should be retained must be completed.
      • 1.4.5.1.3. Any data relocations, transfers, or backups should be performed in a manner that retains the metadata associated with the files and data.
  • 1.4.6. Data Sanitization
    • 1.4.6.1. Agencies must establish formal storage media sanitization and disposal procedures to render the stored data unusable.
    • 1.4.6.2. Memory or storage mediums of technology equipment with non-functioning memory or storage capability must be removed and be physically destroyed. If a piece of equipment no longer functions, an attempt to use appropriate working parts from other equipment of the same or similar model should be made to perform the data sanitization. This method should not be used unless all other methods have been explored and attempted first.
    • 1.4.6.3. ITS will label the equipment before sanitization has been performed. The label will be removed once the equipment has been redeployed or relinquished. The label must include:
      • 1.4.6.3.1. The asset or identification number for ease of reference.
      • 1.4.6.3.2. used.
      • 1.4.6.3.3. The date(s) the sanitization or destruction action(s) took place.
      • 1.4.6.3.4. The initials of the responsible technician who performed the sanitization or destruction actions.
    • 1.4.6.4. Cryptography must not be used for any sanitization or disposal purposes.
  • 1.4.7. Sanitization Method
    • 1.4.7.1. One of these three types of sanitization methods must be selected based on data sensitivity: clear, purge, or physical destruction.
    • 1.4.7.2. If device/storage media will not be reused, the storage media must be physically destroyed.
    • 1.4.7.3. If device/storage media will be reused:
      • 1.4.7.3.1. If it will leave the control of Highline College:
        • 1.4.7.3.1.1. If it has category 4 data, the storage media must be sanitized per the special handling requirements commensurate with category 4 data and the specific data types present.
        • 1.4.7.3.1.2. If it has category 1, category 2, or category 3 data, the storage media must be purged.
      • 1.4.7.3.2. If it will not leave the control of Highline College:
        • 1.4.7.3.2.1. If it is mobile equipment, the storage media must be purged.
        • 1.4.7.3.2.2. If it is not mobile equipment:
          • 1.4.7.3.2.2.1. If the designation and data sensitivity will change, or the future designation is not known at the time of sanitization, the storage media must be purged.
          • 1.4.7.3.2.2.2. If the designation and data sensitivity will not change, the storage media may be cleared as a minimum measure.

 

1.4.7. Revision History

Date By Summary
 11/07/2016  KG  Approved standard.
 03/13/2025  TW  Update approved.