City of Lebanon, New Hampshire
ADMINISTRATIVE POLICIES & PROCEDURES
CYBER SECURITY
DATA DESTRUCTION AND SANITIZATION POLICY

Policy Number: ADM-453
Effective Date: 9/1/21
Last Revision:
Page No.: Page 1 of 4
Approved by:

Section 1.0: Purpose

The purpose of this policy is to outline the proper disposal/sanitization/destruction of electronic media for the City of Lebanon. This policy is in place to protect sensitive and classified information, employees, and the City of Lebanon. Inappropriate disposal of electronic media may put employees and the City of Lebanon at risk.

Section 2.0: Scope

This policy applies to all Cyber Services employees and contractors with access to systems, data, sensitive and classified data, and media. This policy applies to all equipment that processes, stores, and/or transmits data that is owned or leased by the City of Lebanon.

Section 3.0: Definitions

FORMATTED - is the completed process of preparing a data storage device such as a hard disk drive, solid-state drive, or USB flash drive for initial use.

DECOMMISSIONED - is the removal of a data storage device from the City’s active inventory.

SANITIZED - is the process of eliminating data or information from a storage device such as a disk drive, solid-state drive, or USB flash drive.

SECTOR - is a subdivision of a track on a magnetic disk or optical disc. Each sector stores a fixed amount of user-accessible data.

BINARY DATA - is represented or displayed in the numeral system. It is numerically represented by a combination of zeros and ones.

PORTABLE MEDIA - are flash drives and other moveable data storage devices.

COMPUTER NETWORK RESOURCE - is a device in which data can be transmitted, stored and accessed.

Section 4.0: Policy Detail

The transfer or disposition of data processing equipment, such as computers and related media, shall be controlled and managed by the Cyber Services department. Data remains present on any type of storage device (whether fixed or removable) even after a disc is “formatted”, power is removed, and the device is decommissioned. Simply deleting the data and formatting the disk does not prevent individuals from accessing the metadata and restoring the data. Sanitization of the media removes information in such a way that data recovery using common techniques or analysis is greatly reduced or prevented.

Section 5.0: Procedures

All computer desktops, laptops, tablets, smartphones, hard drives, and portable media must be processed through the Cyber Services department for proper disposal. The Cyber Services Director shall ensure procedures exist and are followed that:

- Address the evaluation and final disposition of sensitive information, hardware, or electronic media regardless of media format or type.
- Specify a process for making sensitive information unusable and inaccessible. These procedures should specify the use of technology (e.g., software, special hardware, etc.) or physical destruction mechanisms to ensure sensitive information is unusable, inaccessible, and unable to be reconstructed.
- Only authorized personnel are authorized to dispose of sensitive information or equipment. Approved disposal methods include:
  o Electronic Media (physical disks, CDs, flash drives, printer and copier hard drives, etc.) shall be disposed of by one of the methods:
    - Overwriting Magnetic Media - Overwriting uses a program to write binary data sector by sector onto the media that requires sanitization.
    - Physical Destruction - Implies complete destruction of media by means of crushing or disassembling the asset and ensuring no data can be extracted or recreated.

Cyber Services documentation, hardware, and storage that have been used to process, store, or transmit confidential information or personal identifying information (PII) shall not be released from the Cyber Services department until it has been sanitized and all stored information has been cleared using one of the above methods.

In the event a physical destruction method is deemed necessary, the Cyber Services Director may contract the destruction to a 3rd party. The 3rd party must be NAID AAA certified, and a certificate of destruction must be issued.

5.1 Audit Controls and Management

On-demand documented procedures and evidence of practice should be in place for this operational policy as part of the City. Examples of control documentation include:

- On-demand documented procedures related to disposal of hardware and software.
- On-demand documentation of equipment identified for disposal.

Prior to sanitization of electronic data, an acknowledgement form will be signed certifying that, to the best of the employee’s knowledge, any electronic data governed by record retention laws and city policies are located on another City of Lebanon computer network resource. The only electronic data that may be left on electronic media are of a personal nature and excluded from record retention requirements.

Section 6.0: References (Charter/Code/State Statutes)

1. NIST 800-53
2. City administrative policy ADM-114 Records Management
3. NH RSA 33-A:3-a Disposition and Retention Schedule
4. NH RSA 33-A:5-a Electronic Records

Section 7.0: Policy & Procedure Revision History

Section    Revisions            Date
           Original Adoption    9/1/21
           Amendment
           Amendment
           Amendment