Disposal of Media Equipment Policy

Media Destruction Guidelines

Internal 2 of 5

1. Scope

This Guideline is applicable to all the media assets used in Information Dynamics, including but limited to data tapes and compact discs.

2. Purpose

The purpose of this Guideline is to have a detailed and secure disposal / re-use in place for media used for storing information assets.

All Information Assets of Information Dynamics requiring disposal /downgrade are in scope.

This Guideline is targeted at all personnel who have access to the information assets of Dynamics and are responsible for Disposal i.e.

o Asset Users & Owners

o Process/ Functional Heads

o Information Manager

o Information Management Steering committee

3. Guidelines

All requests for disposal of an asset should be accompanied by an authorized ‘Media Disposal request’ form. The need for disposal is identified and approved by the asset owner.

3.1. Disposal of IT Assets

▪ Prior to disposal / removal of any IT equipment the IT team should ensure that the data the equipment backed up and is formatted /sanitized.

The steps should performed for disposal of IT assets:

▪ The concerned department on receipt of the approved Information Dynamics Disposal Request Form shall sanitize the asset if required as per the following process:

o Any Information Dynamics data on the device / resource, and software licensed to Information Dynamics, should be removed from the asset.

Note: Merely deleting the files is not sufficient to achieve this, since data recovery software could used by a new owner to "undelete" such files.

o disposal should be based on the guidelines prescribed in the classification of information asset.

Media Destruction Guidelines

Internal 3 of 5

Restricted

Confidential

Internal

Public

Completely destroy all magnetic media

Completely destroy all media

Completely destroy all magnetic media.

No special requirements

Completely destroy floppy diskettes.

Preferably destroy floppy diskettes

Preferably destroy floppy diskettes and tapes. the hard disk

Format disks.

hard disks

Owner to observe and verify the same.

o and Disk Cleaning be per the following matrix:

Note: containing Sensitive/ data should be destroyed rather than securely deleted

Media

Deletion steps

Sanitization steps

Non- Rigid Disk (hard drive)

A,C or E.

Rigid (Zip, other)

A,B

A,C or D.

Read Many, Many (CD-RW)

Read Only (CD-ROM)

Paper/Document

Deletion/Sanitization Steps:

Degauss ( nonmagnetic)

all addressable locations with a character

Overwrite all addressable locations with a character, its complement, a random character

Destroy - Disintegrate, incinerate (burn), pulverize (demolish), shred or melt.

Destruction only if information is contained.

o disk-space previously used by files should overwritten with new, meaningless - some fixed pattern (e.g. binary zeroes) or data. Similarly, the whole hard disk may not in itself prevent the recovery old data, as it possible for disks be "unformatted".

▪ The concerned personnel should be on disposal of the asset.

▪ In addition, hard should be formatted in the following conditions:

Media Destruction Guidelines

Internal 4 of 5

o Disposing of old workstations or servers;

o Return / Disposal of workstations, servers and taken on hire; and

o Issuing workstation laptop to new users.

3.2. Destruction of Project related data

The following process should be followed before destruction of confidential and sensitive data:

o The IT Infrastructure Group should obtain a documented confirmation for the request for data destruction with approval from Process Head/Functional Head.

o The request should also contain the type of data destruction confirmed by the Process Head/Functional Head.

o The Process Head/Functional Head should send IT a list of people involved in the project.

o The IT Group shall list the assets affected and verify the data that should be destroyed. The same is confirmed with the Process Head/Functional Head.

▪ IT Group start the data process in the phases:

o Delete from the PC every team member involved in project

o Delete the data from central storage (i.e., Servers and SAN)

o the data backup tape cartridges (in case of complete data destruction)

o Delete data from other USB or external device (if available and during the project) and

o After deleting the data, the IT Group should generate a report for data destruction and send it to the concerned Head/Functional Head .

There could be two types of data destruction:

3.2.1. Partial Data Destruction

this case, data shall be deleted permanently the and central storage (i.e., Server or SAN), shall be available on backup tape cartridges. These tape cartridges shall be stored in an offsite location on a monthly/yearly basis. If the data required at a later period, can easily be recovered from the tape cartridges.

3.2.2. Complete Data Destruction

In this case, data shall be deleted from source storage available in Information Dynamics. Under this form of data destruction, data once

Media Destruction Guidelines

Internal 5 of 5

deleted cannot be recovered under any situation. Given below are possible sources of which data gets deleted:

▪ Hard disk drive of usersdesktop

▪ disk of servers

▪ Storage area network

▪ tape cartridges

▪ Any other media such USB device, external hard disk drives, etc

3.3. Data destruction of Hardcopies / Printed Data

Paper shredders should be used to destroy sensitive and confidential documents that are not required. A record should be maintained for all confidential / sensitive data that has been destroyed.

Retention period of the record should be 12 years.

4. 27 References

• A.10.7.1 Management of removable media

• A.10.7.2 Disposal media

• A.10.7.3 Information handling procedure

5. Related Documents

• Disposal Request form

• Record destroyed data