IT0022 Technology Equipment Disposal - My Baker

INFORMATION TECHNOLOGY POLICY
System Policy
Subject Title: IT0022 Technology Equipment Disposal
Policy Number: IT00022
Supersedes Policy No.:
Approved Date: 10-19-2016
Effective Date: 10-19-2016
Review Policy: Yearly
Owner: Brian Reagan
Team Members: IT Managers, Scott Wood, Phil Braidwood, Kim Shaheen, Ron Belill
Scope: Department(s): System Information Technology, System, Campuses
Approval Agency: IT Operations
1.0 PURPOSE
The purpose of this policy is to define how Baker College technology items, whether
owned, leased, or operated, are disposed of at EOL or the end of practical use.
2.0 SCOPE DETAIL
This policy is a Baker College System policy and provides guidelines for the proper
disposal of all technology equipment (Equipment), including but not limited to all
personal computer desktops, laptops, tablets, cell phones, other personal devices, all
network devices, all servers, all printers and multi-function devices, and all devices that
store and retain data.
The policy covers all locations, including Baker campuses, remote labs, remote sites, data
centers, and unowned locations where Baker College equipment exists.
All covered Equipment disposed of under this policy must adhere to the IT0025 IT Media
Sanitation Policy (IT0025) where applicable.
This policy does not include any hosted or cloud-based systems. These systems must be
covered by a separate contractual agreement with the hosting vendor that meets or
exceeds NIST 800-88 and IT0025 where applicable.
3.0 DEFINITIONS
Computer Equipment
Computer Equipment, also referred to as technology equipment,
addressed in this policy is defined as any server, data storage
devices, desktop, laptop, tablets, personal computing devices, cell
phones, peripheral devices, such as and not limited to printers,
scanners, webcams, TV’s, monitors, UPS, etc. It includes all
equipment, whether or not operable or a complete unit, which was
purchased by the College, acquired through a donation, grant, gift,
contract, or part of any other equipment.
Disposal
The act of discarding computers or equipment at EOL, practical
use or lease end.
End-of-Life (EOL)
Equipment has reached EOL when identified by IT Operations to
have either been discontinued or no longer supported by publisher
or manufacturer, retired by the College, reached a state of
uselessness, end of lease, or early termination.
Media sanitization
The process of destroying or removing data from devices or
storage media such that there is reasonable assurance that the
information or data may not be retrieved and reconstructed.
Wiping and shredding are examples of media sanitization.
Network Equipment
Network Equipment addressed in this policy is defined as any
managed switch, router, access point, and security equipment,
such as and not limited to, cameras, key-card readers, scanners,
Smart TV’s, UPS, etc., whether or not operable or a complete unit,
which was purchased by the College, donated to the College,
acquired through a donation, grant, gift, contract, or part of any
other equipment.
NIST 800-88
The Guidelines for Media Sanitization document produced by the
National Institute of Standards and Technology (NIST) which
provides recommendations and guidelines for sanitizing media.
Owner
The Owner is the department manager who is responsible for
budgeting, purchasing, and managing equipment under their
control, use, or supervision. As part of this policy, no person or
persons outside of IT can be considered an Owner of any
Equipment owned by Baker College.
Wiping
The process of clearing or destroying the magnetic image from a
hard drive using a third party software product such that there is
reasonable assurance that the data may not be retrieved and
reconstructed.
4.0 POLICY
4.1 It is of extreme importance that any user or College data and licensed software be
removed prior to disposal. It is the responsibility of the owner that manages the
equipment to ensure policy IT0025 is adhered to and not delegated to any person outside
the College or organization without adequate contractual obligations being imposed.
4.2 It is the sole responsibility of the Baker College Information Technology (IT) department
to dispose of computer equipment and networking equipment using this list of prioritized
methods as stated below or other means suitable to the College as outlined by this policy.
4.2.1 Cannibalizing for spare parts.
4.2.2 Donations.
4.2.3 Barter for credit for future credits with established vendors.
4.2.4 Recycled through an approved recycling facility or organization.
4.3 The college does not allow the sale or donation of any equipment to employees, students,
or to the general public.
4.4 The college will not refurbish, rebuild, or update equipment to be donated.
4.5 All other departments and labs should turn over all technology equipment to IT for
disposal.
4.6 When it is time to dispose of Equipment, it is the owner’s responsibility to dispose of
Equipment in an environmentally friendly manner.
4.6.1 No Equipment should be disposed of in garbage dumpsters.
4.7 IT Operations will make final determination and identify what Equipment has reached its
EOL.
4.7.1 Equipment owners will submit recommendations for approval.
4.8 Owner must adhere to any state and federal laws and guidelines. All wiped equipment
must be labeled with the approved IT0022 Red WIPED Label and identified as wiped and
must include the date and tech that performed the sanitization process.
4.9 All wiped Equipment and devices must be stored in a secure location separately from
production equipment until disposed of or sent to a common storage area for processing.
4.10 All computer or network equipment disposed of must be recorded on an IT0022 Asset
Disposition Document recording the model and serial number. The disposition document
shows that ownership is transferred negating College liability.
4.11 Passwords, BIOS configurations, personal data, and settings must be removed. All
personal devices must be reset to factory default settings if there is a built-in feature that
provides this functionality, e.g. tablets, cell phones, etc.
4.12 Classroom and Labs - Desktop/Laptops/Tablets
4.12.1 Classroom and lab computers are considered Low-Risk for sanitation processes.
4.12.2 Classroom & Lab Computer (Desktop/Laptops/Tablets) drives must be wiped
clean by deleting partitions before recycling or being donated.
4.12.3 All configurations must be removed from internal memory/storage and sanitized
before equipment is unhooked and disassembled from its production state.
4.13 Admin Desktop/Laptops/Tablets
4.13.1 Admin computers are considered High-Risk for sanitation processes.
4.13.2 Admin computer hard drives must be removed and destroyed or wiped using an
approved third party product as defined in IT0025.
4.14 Networking Equipment (Managed Switches, Firewalls, Routers, Gateways, etc.)
4.14.1 All configurations must be removed from internal memory/storage. Any
inoperable device unable to be wiped must be shredded unless being returned
under a warranty exchange. In this case, the vendor must validate that proper
processes, acceptable to the equipment owner, are in place to safeguard sensitive
information, so that IT0025 considerations are met and no liability exists for the
College.
4.14.2 All networking equipment must be returned to Networking for wiping, reuse,
storage, or disposal.
4.15 Servers/SAN’s (Includes all storage devices attached or stand-alone)
4.15.1 All storage devices are considered High-Risk for sanitation processes.
4.15.2 All configurations must be removed from internal memory/storage and sanitized
before equipment is unhooked and disassembled from its production state where
feasible or accommodations permit.
Any sanitation process must be completed prior to any device leaving a Baker
College facility. Contact Enterprise Infrastructure (E.I.) if this is not possible.
E.I. can assist with the wiping process remotely if requested.
4.15.3 All devices should follow the methods for sanitizing internal memory and drive
storage as defined in IT0025.
4.15.4 When media sanitation is provided by any third party vendor, the vendor must
validate that their process meets or exceeds the IT0025 or the NIST 800-88
guidelines to ensure that no liability exists for the College.
The vendor must provide a certificate of authenticity as proof that the sanitation
process was completed for each device or drive included in the device. This
certificate must be saved as a permanent record as proof and sent to the
appropriate department.
4.15.5 All Servers/SAN’s must be returned to E.I. for final processing and disposal.
4.16 Mini/Midrange (iSeries, etc.)
4.16.1 All configurations must be removed from internal memory/storage and sanitized
before equipment is unhooked and disassembled from its production state.
4.16.2 All leased devices must be covered under a contractual agreement that includes
sanitizing internal memory and drive storage that meets or exceeds the NIST 800-88
guidelines for sanitizing these devices. A copy of this agreement should be on
file.
4.16.3 All devices must be completely sanitized before they are removed from any
College property unless specified in contracts and agreed upon by the CIO. IT will
have any third party sign a statement that the sanitation process has been
completed if this option is exercised.
4.16.4 All devices must be set to factory defaults.
4.17 Printers/MFP or other duplication devices.
4.17.1 MFP’s or other devices that retain copies of printed, copied, or faxed images either
in memory or on equipped hard drives must be sanitized following the process
outlined in IT0025 before the equipment leaves the College property. This includes
equipment moved for service, lease returns, or recycling.
4.18 Mobile Devices (Tablets, Cell Phones)
4.18.1 Devices cannot be donated or otherwise recycled outside of Baker College.
4.18.2 Devices that cannot be sanitized because they are in an inoperable state must be
shredded as defined in IT0025.
4.18.3 All EOL devices must be disposed of following IT0025.
5.0 RESPONSIBILITIES
5.1 The CIO is charged with disseminating information contained within this
Technology/Equipment Disposal Policy. A component of this policy is information
disposition and media sanitization. The CIO, as the information custodian, is responsible
for ensuring that the Baker College Enterprise follows the guidelines of this document.
5.2 The Director of IT Operations is charged with disseminating information contained within
this Technology/Equipment Disposal Policy. A component of this policy is information
disposition and media sanitization.
5.3 The Director of IT Operations is charged with budgeting funds for the disposal and recycling
of Equipment covered by this policy.
5.4 The information owner and CIO should ensure that maintenance or contractual agreements are
in place and are sufficient in protecting the confidentiality of the system media and
information commensurate with the impact of disclosure of such information on the
organization.
5.5 The information owner should ensure that appropriate supervision is provided for onsite
maintenance providers when necessary. The information owner is also responsible for ensuring that
they fully understand the sensitivity of the information under their control and that the users of the
information are aware of its confidentiality and the basic requirements for media sanitization and
adherence to this policy.
5.6 All Department Managers, Supervisors, Directors, or other department heads will either call the
local IT manager or complete a Remedyforce (RF) trouble ticket for IT to pick up any equipment
that needs to be disposed of.
5.7 All IT managers, equipment owners, or others disposing of computer equipment must remove
any existing asset tags and product license if recycling, and record in a hardware disposal
document maintained at each campus for future reference. Any asset inventory system, database,
or list must be updated within ten days of disposal.
5.8 All IT managers and equipment owners are responsible for recording and maintaining the
IT0022 Asset Disposition Document for their respective campus or departments. It must
be a permanent record and retained for an indefinite amount of time.
5.9 Users have the responsibility for knowing and understanding the confidentiality of the
information contained on Equipment they are using to accomplish their assigned work
and ensure proper handling of information.
6.0 POLICY PROCEDURES
NONE
7.0 FORMS/DOCUMENTS
Document A: IT0025 IT Media Sanitation Policy
Document B: NIST 800-88 Guidelines for Media Sanitization
Document C: IT0022 Asset Disposition Document
Document D: IT0022 Red Wiped Labels