The purpose of this document is to provide guidance in meeting the university’s obligation to ensure secure disposal of hardware and media and to protect university information resources through the proper disposal of obsolete equipment and media.
UNC Charlotte Standard for Information Classification and Guideline for Data Handling outline levels of data classification and guidance for protecting university information resources from unauthorized access or disclosure. Responsibility for data protection does not end when hardware or media are being decommissioned. Steps should be taken to ensure data is appropriately removed or destroyed when hardware or media are being considered for disposal, surplus or redeployment.
All constituents of the university have a responsibility to ensure the confidentiality of sensitive or proprietary information residing on computer systems and other digital storage devices and media.
All computers and digital storage devices including, but not limited to desktop workstations, laptops, servers, tablets, copiers, printers, multifunctional devices, Point of Sale terminal equipment, external hard drives, disks and flash drives are covered under the provisions of this guideline.
Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact ITS Information Security Compliance ISCompliancefirstname.lastname@example.org.
Secure disposal of hardware and media minimizes the risk of confidential information being access by unauthorized persons. Data contained on computer systems and other digital storage devices and media must be permanently removed by destroying, purging, or clearing. The disposal method should be commensurate with the level of sensitivity of data stored or potentially stored upon the device or media. These guidelines also apply to some printers, copiers, and multifunctional devices that contain hard drives where information may be stored. Contact the university eCommerce Office for guidance on the disposal of Point of Sale terminal equipment.
NOTE: If the hardware or media is not being redeployed within the university (i.e., submitted to Surplus), the drive or device should be destroyed via shredding.
- Hardware or media containing Level 0 or 1 data may be wiped using specialized software designed to overwrite information (Active@KillDisk is a free download).
- Hardware and media containing data classified as Level 2 or 3 should go through a Department of Defense (DOD) three-pass erasure.
- Devices should be securely stored while awaiting erasure.
- Collection and disposal services may be used if contractual agreements are in place to address adequate controls and experience.
ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.
Initially approved by Information Assurance Committee 2/23/15