Disposal of Computers

Number: ENT-SEC-141

Established for: State of Montana Information Technology Enterprise

Janet Kelly, Director
Department of Administration
Jeff Brandt, Acting CIO
Department of Administration
Date: August 3, 2005

Policy - Requirements

SCOPE

This policy applies to all state agencies of the Executive branch; and, by adoption, the Judicial and Legislative branches. This policy does not apply to the Montana University System or the Office of the Commissioner of Higher Education.

This policy applies to personal computers, other computing devices, and accessory equipment that store electronic data, information, and software programs.

PURPOSE

When disposing of information technology (IT) equipment, agency directors have a responsibility to assure that sensitive information is protected. Additionally, licensed proprietary software must be protected against unauthorized distribution. Sensitive information includes data required by law to be protected from disclosure to individuals and entities both inside and outside of state government. This policy outlines disposal requirements for protecting these IT assets by either of two methods: (1) destruction of the IT device; or, (2) complete removal of all electronic data from the computer storage device. The state agency must perform at least one of these actions before disposing of the device.

DEFINITIONS

Disposal - The authorized removal of an IT storage device from an agency’s control or possession, regardless of the means by which this is accomplished.

Computer Storage Device – Includes, but is not limited to: personal computers with hard drives, servers with hard drives, other assets with hard drives or loose/unattached hard drives.

Sanitize - A process used to assure that data is destroyed or removed from an IT storage device. This may be achieved by physical destruction of the device or by the proper use of specialized software utility programs that overwrite the data so that it is unrecoverable. Note: This sanitizing process is also known as a “cleaning” process.

Removable Storage Media – Includes, but is not limited to: floppy diskettes, compact disks (CDs), magnetic tapes, digital video devices (DVDs), Zip media, and Flash media.

Physical Destruction – To incinerate, pulverize, shred, or melt the computer storage device or component that is capable of storing electronic data or software programs.

DISPOSAL REQUIREMENTS

All computer storage devices must be sanitized prior to disposal, regardless of where the agency chooses to dispose of them. State agencies and their employees shall follow these requirements when disposing of a computer storage device or removable storage media.

All agency data and software programs must be removed from the hard drive prior to its disposal; or, alternatively, the hard drive must be destroyed. To remove data and software, agency IT personnel should use a Department of Defense (DoD) 5220.22-compliant sanitation program that will effectively sanitize the hard drive. The program uses the DoD’s “three-pass” process to: (1) overwrite all electronically addressable locations on the device with a character; (2) overwrite it again with the same character’s complement bit configuration; and then (3) overwrite it again with a random character. Finally, the program will perform a verification process to assure that the sanitizing has been accomplished.
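The three passes and the verification step described above, sketched as an added example; it is not part of this policy and is not one of the state's approved products. It assumes a regular file (such as a disk image) stands in for the device, picks 0x55 as the pass-one character, and uses illustrative function names.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # bytes per write

def _write_pass(f, size, make_chunk):
    """Overwrite bytes 0..size and return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    f.seek(0)
    left = size
    while left:
        buf = make_chunk(min(CHUNK, left))
        f.write(buf)
        digest.update(buf)
        left -= len(buf)
    f.flush()
    os.fsync(f.fileno())  # push the pass to storage before verifying
    return digest.hexdigest()

def _read_digest(f, size):
    """Read bytes 0..size back and return their SHA-256."""
    f.seek(0)
    digest = hashlib.sha256()
    for _ in range(0, size, CHUNK):
        digest.update(f.read(CHUNK))
    return digest.hexdigest()

def three_pass_sanitize(path, char=0x55):
    """Run the three passes on `path`; return [(pass_name, verified), ...]."""
    size = os.path.getsize(path)  # assumption: regular file, not a block device
    passes = [
        ("character", lambda n: bytes([char]) * n),          # pass 1
        ("complement", lambda n: bytes([char ^ 0xFF]) * n),  # pass 2
        ("random", os.urandom),                              # pass 3
    ]
    results = []
    with open(path, "r+b") as f:
        for name, make_chunk in passes:
            written = _write_pass(f, size, make_chunk)
            # Verification: what is read back must hash to what was written.
            results.append((name, _read_digest(f, size) == written))
    return results

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as t:
        t.write(b"constructed sample record\n" * 4096)  # constructed input
    print(three_pass_sanitize(t.name))
    os.remove(t.name)
```

The read-back here goes through the operating system's cache; a sanitizing tool run against a real drive has to read from the media itself, and overwriting does not reach sectors the drive has already remapped.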

If the data storage device cannot be put through this process because it is not functional, the device must be physically destroyed. Software products are available, both freeware and purchased, that comply with DoD requirements for storage sanitation. See the state’s software standards for a list of acceptable products. For more information from the DoD regarding the topic of Automated Information System Security, see the Department of Defense three pass process.

For more information about the state’s Recommendations for Sanitation of Digital Storage Media, go to the state’s MINE website. Click on Information for IT Professionals, then click on Office of Cyber Protection Services, then Security Topics, then Recommendations for Drive Sanitation Prior to Disposal of Computers.

All removable storage media must be physically destroyed.

Agency directors are responsible for maintaining documentation on all electronic data storage devices (e.g., PCs, laptops, servers, PDAs) that have been either destroyed or sanitized. These records must be retained by the agency for two years.

The disposal records shall contain the following information:

  • Device identification (vendor serial number or Dell service tag number)
  • Date of cleaning
  • Employee name performing cleaning
  • Method of cleaning
  • Destination of device (surplus, landfill, etc.)
  • Disposing Agency

All computer storage devices must be sanitized prior to disposal, regardless of where the agency chooses to dispose of them. Agencies disposing of equipment through the Property and Supply Bureau’s Surplus Equipment program or by donating their surplus functional equipment to the Office of Public Instruction (OPI) should contact these entities for a copy of their additional requirements.

Background - History on the creation of or changes to this policy

The Information Technology Security Office of the Information Technology Services Division created this policy. Information contained in this policy originated from Section 1-0250.00, MOM.

This policy was revised in June of 2005 to adopt the Department of Defense three-pass disk sanitation process and to require agency record-keeping of computer disposals. Additionally, the scope of the policy was expanded to include all IT Data Storage Devices.

References - Laws, rules, standard operating procedures and applicable policies

MCA 2-17-512; MCA 2-17-532-534; MCA 2-15-114

“Recommendations for Disposal of Computers” created by the Information Security Committee.

Surplus Property guidelines

This policy (ENT-SEC-141) replaces policy ENT-SEC-140 effective August 2, 2005.