Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Policies for Equipment Disposal - computers and other devices with memory
From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Tue, 14 Oct 2008 09:51:51 -0600

You may also want to consult the Security Task Force's Guidelines for
Data Sanitization available at
ta+Sanitization  We are in the process of updating the Guidelines so we
welcome your input, including sample policies or resources to include.

I should also mentioned that we narrowly escaped a federal mandate as
part of the Higher Education Reauthorization Act that would have
required institutions to have a policy on the disposal of technology
assets which may have personal and sensitive data of students.  However,
we could expect that similar proposals will resurface in the future.  It
is important to note, as evidenced by Sally's original question, that
the definition of "technology asset" was broad in the proposed bill:  "a
computer central processing unit, monitor, printer, router, server,
peripheral devices (such as switches, hubs, and systems), firewalls,
telephones, or other simple network devices or single piece of
information technology equipment.''



Rodney J. Petersen, J.D.
Government Relations Officer & Security Task Force Coordinator

1150 18th Street, N.W., Suite 1010
Washington, D.C. 20036
(202) 331-5368 / (202) 872-4200
(202) 872-4318 (FAX) 
EDUCAUSE/Internet2 Security Task Force

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Tuesday, September 30, 2008 3:45 PM
Subject: Re: [SECURITY] Policies for Equipment Disposal - computers and
other devices with memory

On Tue, 30 Sep 2008 11:57:26 CDT, Sallie F Wright said:
I am on the hunt for a sample policy that addresses disposal of 
equipment that have memory/hard drives specifically related to 
regulatory compliance. We have the computer side but I am wondering 
what others are doing around copiers, pda's, cellphones, etc.

Is the issue "regulatory compliance", which is mostly a proper-paperwork
issue, or are you trying to address the actual data-leakage problem?

(A serious question, that - I could see how your internal risk
assessment says that the amount of data stored on a not-too-smart
cellphone is an acceptable risk, but a beancounter rule still says you
need to wipe it...)

  By Date           By Thread  

Current thread:
  • Re: Policies for Equipment Disposal - computers and other devices with memory Rodney Petersen (Oct 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]