RETIRED COMPUTER EQUIPMENT
CLEANING PROCESS
The university must ensure that all surplus computer equipment has been cleansed of
university information. In order to accomplish this, Surplus Equipment Management
(SEM) has made arrangements with UCit to clean and verify that all data is removed
from the drive or drives before being offered for purchase. There will be a $5.50 fee for
this service. The process will proceed as follows:
1. The originating department contacts SEM, informing them they have computer
equipment to retire.
2. SEM sends the department retiring the computer/server a sticker to place on each
piece of equipment containing a hard drive. The department completes the sticker
with contact name, phone number and a funding line for the appropriate charge.
3. The department contacts Grounds and Moving to transfer the equipment to SEM.
The department can deliver the equipment on their own if they desire.
4. SEM contacts the UCit Help Desk. The Help Desk creates an Applix ticket for
UCit Desktop Services. Desktop Services will work with SEM to perform the
cleaning and verification processes on a regularly scheduled basis.
5. Desktop Services will evaluate and clean each unit’s data storage device using a
software cleaning utility. The utility will override the hard drive 7-10 times with
numeric and alpha-numeric characters. UCit will perform hashing to verify the
hard drive has been cleaned. One staff member will clean the drive and a second
will verify successful cleaning.
6. UCit will then: load the disk operating system on to the device, record the serial
and property tag numbers for auditing purposes and place a tag on each unit with
the date, time, name of the technician performing the cleaning process and name
of the technician verifying the process.
Computer and Electronic Media Disposal Policy
Background
Various types of computer hardware and electronic media throughout the university store
large volumes of electronic data. Much of this data consists of confidential and sensitive
information, including student records, financial data, personnel records and research
information. The University of Cincinnati must comply with several federal laws
establishing responsibilities for protecting this information, including the Family
Educational Rights and Privacy Act (FERPA), the Federal Privacy Act, the Health
Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act.
Many computers that are no longer needed by UC departments and contain confidential
information must be cleansed of this data before the university disposes of it. All forms
of electronic storage media (CDs, DVDs, floppy disks, Zip disks, USB flash drives, tapes
and microfilm/microfiche) no longer needed by UC departments and containing
confidential information, must be disposed of properly.
SEM, in conjunction with UCit and Public Safety, has developed the following policy
with regard to surplus and disposal of computers.
Computer Disposal Policy
All computers and electronic storage devices, including but not limited to hard drives
(including drives that are removed from devices as a result of maintenance or upgrades),
laptop, server, mainframe, or handheld computers, must be properly cleaned of sensitive
data and software before surplusing and disposal of the equipment. This must be done
utilizing software compliant with United States Department of Defense standards.
Procedures
Deleting visible files is not sufficient data removal. Reformatting the whole disk will
also not prevent the recovery of old data. The university must electronically wipe the
data using a secure data deletion program that writes random data in multiple passes or
the physical media must be destroyed.
UCit Desktop Services and SEM have developed a data cleansing service to be used on
all computer hardware sent to SEM for surplus. The university must clean every
computer it disposes of using this service.
Electronic Media Disposal Policy
All electronic media (such as hard drives that are removed from devices as a result of
maintenance or upgrades, CDs, DVDs, floppy disks, Zip disks, USB flash drives, tapes,
microfilm/microfiche and any other form of removable storage media) containing
confidential information (financial, human resources, vendor, research, etc.) must be
destroyed/shredded by the department that possesses them or by a document destruction
company that will take ownership and issue a certificate of destruction. A certificate of
destruction provides a legal audit trail for the sensitive information.
Procedures
UC departments must not place electronic media, microfilm or microfiche in trash cans
for disposal with the daily trash. These materials must be destroyed by the responsible
department or by a document destruction company that can issue a certificate of
destruction.
For media that cannot be wiped (e.g., inoperable/damaged hard drives, DVDs) or
degaussed (CD-ROMs), destruction of the media is the most effective means of ensuring
that data cannot be recovered. Destruction of media can be accomplished by a number of
methods including shredding disk platters, grinding the surfaces off of CDs and
incinerating tapes. Shredders, such as Royal’s MD 100 CD/media destroyer and paper
shredder are effective at destroying CDs, DVDs, floppy disks and credit cards.
Document Destruction, LLC (http://www.docdestruction.com/) is a recommended local
company that is HIPPA and FACTA compliant, bonded and insured, which will come to
the office, pick up the media, destroy it, and provide a certificate of destruction for $.15
per pound.