Body
| |
|
| Issued Under Authority of |
UM Information Security Policy |
| Responsible Office |
UM Information Security Office |
| Category |
Data Protection and Lifecycle |
IN PLAIN LANGUAGE
When a University device or storage media is no longer needed — whether it's being reassigned, surplused, or discarded — the data on it must be securely erased before it leaves University control. This standard establishes how that erasure must be done, using methods appropriate to the sensitivity of the data involved. All University-owned devices are treated as if they contain sensitive data by default, so sanitization is required in every case, not just when you know sensitive data is present. Physical destruction is an option when secure erasure isn't technically feasible. Proper documentation of sanitization must be retained for at least three years.
1. Purpose
The purpose of this Standard is to establish minimum requirements for the secure disposal and sanitization of storage media and devices that store, process, or transmit University Data. Proper disposal and sanitization reduce the risk of unauthorized disclosure, regulatory non-compliance, and reputational harm to the University.
This Standard implements data lifecycle and protection requirements defined by the UM Information Security Policy and the IT Data Security Standard, and aligns with recognized best practices including NIST Special Publication 800-88.
2. Scope
This Standard applies to:
- Digital University Data, including data stored, processed, or transmitted electronically
- All information systems, applications, devices, and services that store, process, or transmit digital University Data
- All members of the University community, including employees, students, affiliates, contractors, and third parties acting on behalf of the University
This Standard applies across all University of Montana System campuses and environments, including on-premises, cloud-hosted, and third-party systems. Non-digital records are governed by records management, privacy, and other applicable University policies.
3. Relationship to Data Governance
The UM Data Governance Policy defines data ownership, stewardship, and classification. This Standard does not redefine data classification; instead, it establishes required sanitization and disposal controls once data classification has been determined.
4. Roles and Responsibilities
The CISO is responsible for:
- Establishing and maintaining this Standard
- Approving exceptions to disposal or sanitization requirements
- Escalating material data disposal risks to executive leadership
4.2 UM Facilities
UM Facilities is responsible for:
- Managing the disposition and surplus of University-owned property
- Coordinating physical destruction of storage media when required
- Retaining Certificates of Sanitization or Destruction as appropriate
UM IT, UM System IT, and Distributed IT are responsible for:
- Providing approved tools and methods for data sanitization
- Performing or coordinating sanitization when requested
- Advising units on compliant disposal practices
4.4 Units, Departments, and Individuals
Units, departments, and individuals are responsible for:
- Ensuring devices and media under their control are sanitized prior to transfer or disposal
- Coordinating with UM IT or UM Facilities when required
- Retaining required documentation for sanitization activities
5. Sanitization Requirements
5.1 General Requirement
All University-owned devices are assumed to contain at least Restricted (Moderate Risk) Data. As a result:
- All University-owned devices must be sanitized prior to transfer, reuse, surplus, or disposal
- Devices containing Confidential (High Risk) or Restricted (Moderate Risk) Data must not be transferred or disposed of without documented sanitization
5.2 Approved Sanitization Methods
Sanitization must be performed using University-approved methods consistent with NIST SP 800-88:
Clear — Logical techniques that sanitize data in user-addressable storage.
Purge — Techniques that protect against laboratory-level data recovery.
Destroy — Physical destruction rendering media unusable.
The appropriate method depends on data classification, media type, and intended disposition.
5.3 Physical Destruction
When secure erasure is not technically feasible:
- Storage media must be physically destroyed using approved methods
- UM Facilities may coordinate destruction through approved third-party vendors
- Units are discouraged from performing physical destruction independently
6. Personally Owned Devices
Personally owned devices used to access or store Confidential (High Risk) or Restricted (Moderate Risk) Data must be securely sanitized prior to disposal, transfer, or resale.
The University strongly encourages sanitization of all personal devices prior to disposal, even when University Data is not believed to be present.
7. Specialized Equipment
7.1 Multifunction Devices
Devices such as copiers, printers, scanners, and fax machines may retain cached data.
- Units must ensure appropriate hardening during use
- Prior to return, transfer, or disposal, cached data must be rendered unrecoverable
- Vendors servicing managed print programs are responsible for sanitization as defined by contract
8. Documentation and Retention
- Sanitization or destruction of media containing Confidential (High Risk) or Restricted (Moderate Risk) Data must be documented
- Certificates of Sanitization or Destruction must be retained for at least three years unless longer retention is required by law or contract
- Documentation may be maintained by the unit, UM IT, UM Facilities, or an approved third party
9. Exceptions
Exceptions to this Standard must:
- Be documented with risk justification
- Identify compensating controls where applicable
- Be approved by the CISO or designee
- Be reviewed periodically
10. Violations
Failure to comply with this Standard may result in:
- Increased risk of data exposure or regulatory non-compliance
- Financial penalties, legal costs, or remediation expenses
- Disciplinary action consistent with University policy
11. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or regulatory requirements.
12. References
- UM Information Security Policy
- UM IT Data Security Standard
- UM Data Governance Policy
- UM Information Security Risk Management Standard
- NIST SP 800-88, Guidelines for Media Sanitization
- Montana University System BOR Policy 1308