Policy Number: 12-009

Control of Electronic Media

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


1. Purpose

The purpose of this policy is to provide safeguards for electronic media to prevent loss of access to, or unauthorized disclosure of, University Data.

2. Applicability

This policy applies to all electronic media used with university Information Systems or University Data.

3. Definitions

Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

Restricted Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities, that are subject to specific protections under federal or state law or regulations or under applicable contracts. Examples include, but are not limited to, medical records, social security numbers, credit card numbers, Florida driver licenses, non-directory student records, research protocols and export-controlled technical data.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

4. Policy Statement

  • All electronic media must be securely erased or destroyed prior to disposal, transfer or reuse outside of the university. The University Standard for Media Sanitization must be followed.

  • Electronic media containing Restricted Data must be protected from theft, accidental loss or damage in accordance with all UF information security and privacy policies and standards.

Additional Resources


MEDIA SANITIZATION STANDARD

Purpose

Data that has been deleted using the mechanisms an operating system typically provides usually remains stored on the media and can be easily recovered. This document provides requirements to ensure that media is securely processed to prevent data from being recovered.

Standard:

  1. Media sanitization and destruction will follow all University of Florida requirements for Records Retention.
  2. Media to be reused within the same unit will be Cleared or Purged according to NIST Guidelines for the type of media.
  3. Media to be transferred to another UF unit, transferred to a non-UF entity, returned to a vendor or disposed of will be Purged or Destroyed according to NIST Guidelines for the type of media.
  4. Units will create and follow procedures to ensure that all devices and media are processed in accordance with these standards. Records of the sanitization of transferred media will be maintained, including the media sanitized, the date, the person performing the sanitization, and the method and tool used.

Media will be stored securely and tracked between the time it is removed from service and when it is sanitized.

References:

NIST SP-800-88: Guidelines for Media Sanitization
UF Information Privacy Policies & Procedures: Storage, Retention, Archiving, and Disposal of Restricted Information
University of Florida General Records Retention Schedule
University of Florida Records Disposition

HISTORY

Revision Description
March 7, 2017 Policy originally adopted
Policy updated