Device Sanitization Policy
Version 1.0
For Students, Faculty, Staff, Guests, Alumni
Purpose
The purpose of this policy is to ensure data is permanently erased from electronic storage devices to mitigate the risk of unauthorized access to Fordham Protected Data and Fordham Sensitive Data and comply with data protection regulations.
Scope
This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrators, staff, alumni, authorized guests, delegates, and independent contractors (the "User(s)" or "you") who use, access, or otherwise employ, locally or remotely, the University's IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- All electronic storage devices, including tablets and mobile phones, should be sanitized when no longer necessary for business use, provided that the sanitization does not conflict with the University’s Records Retention and Disposal Policy.
- The Office of Information Technology (OIT) must ensure that all Fordham Protected Data or Fordham Sensitive Data is sanitized from devices before retiring, repurposing, or transferring1 ownership to another department.
- The OIT must use media sanitization tools that comply with industry standards and adhere to recognized sanitization methods.
- OIT must ensure that the sanitization tools provide a certificate/proof of data erasure, including the date, time, personnel involved, and the method used, when available.
- OIT must dispose of solid-state drives (SSDs) or hard disk drives (HDDs) containing data per the Records Retention and Disposal Policy.
- Deviations from industry-accepted methods related to data sanitization must be done in collaboration with Information Security and Assurance.
Definitions
IT Resources include computing, networking, communications, applications, telecommunications systems, mobile phones, tablets, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and related materials and services.
Sanitization is a process that renders access to data on the media infeasible for a given level of effort. Clearing, purging, wiping, and destroying are actions that can be taken to sanitize media.
Related Policies and Procedures
Records Retention and Disposal Policy
1 May include transitioning a User to a different role or department.
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Senior Director of IT Security and Assurance |
| Approved By: | CISO and CIO |
| Approval Date: | May 29, 2024 |
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 05/29/2024 | Initial document |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.