Data and Media Disposition
Overview:
When files are improperly or inadequately purged from storage media, it is often still possible to reconstruct or retrieve data. In order to mitigate the potentially significant risk of unauthorized disclosure of PSU information, storage media must be appropriately sanitized to prevent unauthorized access to, or disclosure of, sensitive institutional information.
Getting Started:
To get started with Data and Media Disposition at Penn State, contact the Office of Information Security directly by e-mail.
To read more on Penn State guidelines on information disposal, see The Electronic Data Disposal and Media Sanitization Standard and Policy AD95: Information Assurance and IT Security.
More Information:
Information and data must be permanently erased or purged from devices. This includes, but is not limited to, computer, server, laptop, multifunction printer, medical equipment, cell phone, wearables, digital communications equipment or storage media (e.g., CD, thumb drive, tapes, hard drives, external storage devices) prior to transfer within the University or other disposition.
Effective media sanitization requires the application of identified techniques to prevent recovery or reconstruction of residual stored information on the media appropriate to the classification level of the information and type of media. Some methods of data destruction are more complicated, time-consuming, or resource intensive than others. Selection of the appropriately approved sanitization technique must be based on the information classification level: the higher the classification, the more stringent the data destruction methodology.
The primary responsibility for electronic data disposal and media sanitization rests with the units or individuals that purchased them. Units and individuals are required to document a record of storage media data removal and retain it for a period of three years media that stored moderate, high, or restricted data.
This service is part of the Research Data category.
Summary
Availability:
- This is an active service
Eligibility:
- This Standard is applicable to all members of the Penn State community, and applies to all locations and operations of the University, including any third-party provider with a contractual relationship with the University that maintains the same information types
Requirements:
- In addition to being a widely accepted security and privacy practice, effective media sanitization is required by some regulations that Penn State is obligated to follow, including`the Gramm-Leach Bliley Act (GLBA), International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), and Health Insurance Accountability Act (HIPAA)
Information Security:
- Failure to properly purge information in a manner that renders the information unrecoverable may pose a significant risk to the University since information often can easily be recovered with readily available tools.
- Requests for exceptions to this standard or the governing Policies should be made following the Requests for Exceptions to Information Security Policy
Support:
- For assitance in determining the correct Data and Media Disposition method for information in your possession, please contact the Office of Information Security directly by e-mail
- If reporting a security incident, please refer to the OIS's Incident Response Quick Guide for the apprpriate action to take