Policy 4 - Data Sanitation Policy

1.0 Purpose
The purpose of this policy is to provide a guideline for the procedure by which data may be permanently removed from any computer, server, removable media, CD/DVD, etc in such a way that the data is deliberately made non-recoverable. Employees must consult the University's Record Retention Policy prior to deleting any data. Any questions or comments about this policy should be directed to Information Systems.

2.0 Scope
This policy applies to all Murray State University owned equipment and non-Murray State owned equipment that contains university related data.

3.0 Policy
Murray State University understands the risks involved in storing data on various means of media, and also understands the need to ensure this data is secure. To do this, Murray State University requires the secure deletion of all files and information in multiple situations. These situations are described below.
  • Transfers within a Department – This situation will occur when there is a change of some sort of device (computer, laptop, external media, etc.) within the department from one person or group to another. This situation does not always require disk sanitization if the new party has the appropriate rights to the information contained on the device. If the new party does not need the information or does not have the rights to the information, then the appropriate steps should be made to ensure the device is sanitized. 
  • Transfers to a Different Department – When devices are transferred between departments, all information should be cleaned before the transfer occurs. The device should retain the data only if the two department managers/directors agree that the data needs to be shared between them. 
  • Device Disposal or Transfer Off Campus – If the device is going to be disposed of or removed from inventory, then all data should be erased before leaving campus. 

4.0 Sanitization Guidelines
All system administrators, support personnel, and/or the device owner are responsible for ensuring the device is properly sanitized or sent to Property Services for processing. The method used to sanitize the device will greatly vary depending on the level of confidentiality of the data. Refer to the Data Sanitation Standard for the level of sanitation that will be required. Any questions can be directed to the system administrator or the Information Security Officer.

5.0 Enforcement
Anyone found to have violated this policy may be subject to disciplinary action, up to and including suspension of access to technology resources or termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in action up to and including termination of their contract or assignment with Murray State University.