Information Technology Services

Secure Transfer/Disposal of Client Computing Devices

The University of North Carolina at Greensboro

Policy Reference: Security of Networks and Networked Data
Approved: November 30, 2006
Document Maintainer: Associate Vice Chancellor, ITS - Client Services

---

Purpose

This procedure addresses the following sections of the related policy:

Section III.A.iv

"Follow ITS protocol for equipment disposal practices to ensure protection of data and licensed software."

Risks mitigated through the application of this procedure include mishandling and inappropriate disclosure of sensitive data and violations of University agreements with vendors regarding software licensing.

Scope

This procedure covers all University owned client computing devices that have the capacity to retain sensitive data or licensed software. This includes desktop and laptop computers, PDA's, data storage devices such as USB keychain devices, and removable storage media such as diskettes, CDs, and DVDs.

Responsible Parties

• Faculty, Staff
• ITS Employees
• IT Professionals
• University Warehouse Services Employees

Procedure

When a client computing device is to be transferred from one responsible party to another, or when the device is targeted for disposal, care must be taken to ensure that unauthorized individuals do not gain access to sensitive data and licensed software. The party responsible for the device has ultimate responsibility for ensuring that inappropriate access is not obtained. ITS will assist clients in ensuring secure transfer/disposal of devices. ITS strongly encourages all clients to transfer or dispose of computing devices such as personal computers, PDAs, and storage devices through ITS.

Storage media such as diskettes, CDs, and DVDs that contain sensitive data must be destroyed to Department of Defense standards prior to disposal. Additional information is included in section 4.1 below.

Client Responsibilities

Clients wishing to transfer or dispose of computing devices with sensitive data or University-licensed software should contact the Service Desk by calling 336-256-8324 or sending email to 6-TECH@uncg.edu to request assistance. In the case of client-specified equipment transfers, the client should identify the new intended recipient. Clients should send equipment considered to be surplus to UNCG Warehouse Services following standard UNCG surplus equipment disposal procedures. (Exception: The Data Classification Policy prohibits the storage of University restricted data on local [non-networked] storage devices. If, however, it is suspected that a device contains University restricted data, the client must request that ITS purge the device prior to sending the device to UNCG Warehouse Services.)

Clients are responsible for security of surplus equipment until that equipment is picked up by Warehouse Services. Equipment left in insecure locations risks theft of University property, and loss of licensed software and sensitive data including the personal information of previous users. Surplus equipment, therefore, should not be left in public hallways or other insecure locations for pick-up.

ITS staff will not assist in the transfer of equipment deemed to be at the end of its lifecycle or otherwise deemed not secure or incompatible with the UNCG network. Such devices should be disposed of following the steps documented in 4.2.4 below. Requests for assistance with transfer of devices not included on the Standards for Computer and Related Technology (supported products list) will be evaluated on a case by case basis. Additional client responsibilities regarding the transfer of devices not on the supported products list are detailed in section 4.2.2.b below.

It is the responsibility of end users to ensure that removable storage media such as diskettes, flash devices, CDs, and DVDs that contain UNCG restricted data are destroyed or purged prior to disposal. Recyclable media such as diskettes, CDs, and DVDs containing restricted data should not be placed in University recycling receptacles unless they are or physically destroyed.

Licensed software media should be handled by the End User Licensing Agreement (EULA). Unless otherwise required by the EULA, license keys required for operation must be destroyed and the media can be destroyed. Software media may be recycled as long as the license key required for operation is not included. The University Recycling Center does not erase data prior to sending these media to external contractors for processing. Physically destroying such media by shredding, breaking, or otherwise rendering them physically unusable is recommended.

ITS Responsibilities

Requests for assistance with equipment transfer/disposal will be directed from the Service Desk to Client Services technical staff. These staff will take the following steps to ensure proper disposal of equipment:

• ITS staff will work with the requestor to schedule a site visit at which time ITS staff will purge the device using a method known to make the previously stored data unrecoverable using the Data Removal/Media Destruction Process and will re-image the device as appropriate.
• Supported devices to be directly reassigned for campus use without being sent to University Warehouse Services (surplus) may be rebuilt to UNCG baseline standards including the base software load. Any equipment that will be sent to Warehouse Services could be sold to the public and, therefore, must be reformatted to include only an OS that does not require licensing or to have no OS. UNCG cannot agree to a software license on a machine that will not continue to be utilized on the University or for University business.
• For requests where the client has specified an intended new recipient of the device:
  • ITS staff will first purge using the Data Removal/Media Destruction Process and then rebuild items on the Supported Products List to the ITS baseline configuration and deliver the item to the intended recipient.
  • For hardware items not included on the Supported Products List, ITS staff will only purge the device using the Data Removal/Media Destruction Process. It is the responsibility of the person who requested the transfer to arrange delivery of the equipment to the intended recipient and to provide any software, peripheral equipment, instructions, and information needed for operation of the device. Aside from registering such a device on the network where appropriate, ITS will not provide assistance with devices not on the Supported Products List.
• For requests where the client has not specified an intended recipient of the device, and the device is a Supported Product not at the end of its lifecycle:
  • Devices deemed satisfactory for purposes such as testing or upgrades of older hardware may be transferred to ITS possession.
  • If ITS is aware of an appropriate new recipient of the equipment, ITS staff will securely reimage the equipment as described in 4.2.1 above, will take possession of it, and will deliver it to the identified recipient.
  • If an appropriate re-purposing need is not known, ITS staff will purge the equipment as described in 4.2.1 above. It is then the responsibility of the client to arrange for disposal of the device with University Warehouse Services.
• For requests where the client has not specified an intended recipient of the device, and the device is not a Supported Product and/or is at the end of its lifecycle:
  • Equipment will be purged using the Data Removal/Media Destruction Process and tagged to indicate it cannot be re-connected to the UNCG network.
  • It is then the client's responsibility to put in a request to have the equipment picked up by UNCG Warehouse Services.

Unit Technical Support Responsibilities

Many campus units have their own technical support staff that are responsible for setup, transfer, and disposal of equipment belonging to that unit. These staff members as well as all ITS staff must follow the same level of precautions to protect sensitive data and licensed software. ITS strongly recommends that all University technical staff complete the ITS Technical Certification program to become familiar with ITS processes for installation and removal of equipment.

UNCG Warehouse Services Responsibilities

Surplus equipment that does not contain University restricted data may be sent directly to UNCG Warehouse Services without technical staff intervention. Warehouse Services employees will place the equipment in a holding area to be processed by ITS. ITS staff will follow standard procedures for securely purging the equipment. Warehouse employees are responsible ensuring that no equipment is transferred for campus re-use or sold from the warehouse without first being processed by ITS. This applies to all computers and any other devices that may contain protected data or software (e.g., PDA's, storage devices).

Note: Refer to the Data Removal/Media Destruction Process.