CoE Guidance for Disposing of devices.
Related SPG’s and Guidance
- Electronic Data Disposal and Media Sanitization standard
- Information Security Policy SPG 601.27
- Safe Computing: Securely Dispose of U-M Data and Devices
- Acquisition, Use and Disposition of Property (SPG 520.01)
Links to U-M websites for info and forms:
- ITS: Getting KillDisk
- Declaration of Surplus spreadsheet
- Certificate of Sanitiziation / Physical Destruction form
- Free CAEN Disk Destruction Service form and description
- For Fee Sanitization Service offered by Property Disposition
- For Fee Sanitization Service offered by U-M Computer Showcase Tech Repair
- For Examples of Property Disposition Forms (after clicking link look for “Media_Sanitization_Disposal_Forms_Examples”)
The Electronic Data Disposal and Media Sanitization standard supports and supplements the Information Security Policy SPG 601.27. Departments are required to remove (or arrange for the removal of) all software and/or files from all computers and storage media devices prior to being sent to Property Disposition. Property Disposition is required to monitor compliance of this policy. This means that Departments have to either sanitize or destroy each storage device being disposed of, and also include the required documentation.
Departments have several options for sanitization/destruction of storage media devices:
- Perform the work themselves using Safe Computing: Securely Dispose of U-M Data and Devices. Sanitizing the storage media device using KillDisk will probably be the easiest method. Note that the KillDisk will automatically generate certificate of sanitization with the disk serial number printed on it.
- Use the free destruction service that CAEN offers. When the storage device(s) are eventually destroyed, CAEN will obtain proof of destruction from the third party vendor and provide that back to the Department.
- Pay a fee to have it done by Property Disposition or U-M Computer Showcase Tech Repair.
Below are the different situations that can arise when disposing of a computer or a storage device:
Equipment Being Disposed | Method Used by Department for Information Removal | Forms Needed For Property Disposition |
Computer with Disk(s) | Sanitization | 1. Declaration of Surplus spreadsheet – for computer (note that the disk is considered part of the computer) 2. Certificate of Sanitization / Physical Destruction – signed by Department; one for each disk OR Killdisk Certificate of Sanitization – generated when KillDisk is run; include one for each disk |
Computer with Disk(s) | Information Not Removed From Disk(s) | 1. Declaration of Surplus spreadsheet – for computer (note that the disk is considered part of the computer) 2. Certificate of Sanitization / Physical Destruction – signed by Department indicating no information was removed*; include one for each disk |
Computer without Disk(s) | N/A – Disk Not Part of Disposition | 1. Declaration of Surplus spreadsheet – for computer |
Disk(s) – separated from original computer or standalone | Sanitization | 1. Declaration of Surplus spreadsheet – for disk(s) 2. Certificate of Sanitization / Physical Destruction – signed by Department; include one for each disk OR Killdisk Certificate of Sanitization – generated when KillDisk is run; one for each disk |
Disk(s) – separated from original computer or standalone | Physical Destruction | 1. Declaration of Surplus spreadsheet – for disk(s) 2. Certificate of Sanitization / Physical Destruction – signed by Department; include one for each disk 3. Proof of Destruction ** |
Disk(s) – separated from original computer or standalone | Information Not Removed From Disk(s) | 1. Declaration of Surplus spreadsheet – for disk(s) 2. Certificate of Sanitization / Physical Destruction – signed by Department indicating no information was removed*; include one for each disk |
** = Since disk is destroyed, it cannot accompany the forms sent to Property Disposition