City of Lebanon
New Hampshire
ADMINISTRATIVE POLICIES & PROCEDURES
CYBER SECURITY
DATA DESTRUCTION AND SANITIZATION POLICY
Policy Number: ADM-453
Effective Date: 9/1/21
Last Revision:
Page No.: Page 1 of 4
Approved by:
Section 1.0: Purpose
The purpose of this policy is to outline the proper disposal/sanitization/destruction
of electronic media for the City of Lebanon. This policy is in place to protect
sensitive and classified information, employees, and the City of Lebanon.
Inappropriate disposal of electronic media may put employees and the City of
Lebanon at risk.
Section 2.0: Scope
This policy applies to all Cyber Services employees and contractors with access to
systems, data, sensitive and classified data, and media. This policy applies to all
equipment that processes, stores, and/or transmits data that is owned or leased by
the City of Lebanon.
Section 3.0: Definitions
FORMATTED - is the completed process of preparing a data storage device such as
a hard disk drive, solid-state drive, or USB flash drive for initial use.
DECOMMISSIONED - is the removal of a data storage device from the City’s active
inventory.
SANITIZED - is the process of eliminating data or information from a storage
device such as disk drive, solid-state drive, or USB flash drive.
SECTOR - is a subdivision of a track on a magnetic disk or optical disc. Each sector
stores a fixed amount of user-accessible data.
BINARY DATA - is represented or displayed in the numeral system. It is
numerically represented by a combination of zeros and ones.
PORTABLE MEDIA - are flash drives and other moveable data storage devices.
COMPUTER NETWORK RESOURCE – is a device in which data can be transmitted,
stored and accessed.
Section 4.0: Policy Detail
The transfer or disposition of data processing equipment, such as computers
and related media, shall be controlled and managed by the Cyber Services
department. Data remains present on any type of storage device (whether
fixed or removable) even after a disc is “formatted”, power is removed, and
the device is decommissioned. Simply deleting the data and formatting the
disk does not prevent individuals from accessing the metadata and restoring
the data. Sanitization of the media removes information in such a way that
data recovery using common techniques or analysis is greatly reduced or
prevented.
Section 5.0: Procedures
All computer desktops, laptops, tablets, smartphones, hard drives, and
portable media must be processed through the Cyber Services department for
proper disposal. The Cyber Services Director shall ensure procedures
exist and are followed that:
• Address the evaluation and final disposition of sensitive
  information, hardware, or electronic media regardless of media
  format or type.
• Specify a process for making sensitive information unusable and
  inaccessible. These procedures should specify the use of
  technology (e.g., software, special hardware, etc.) or physical
  destruction mechanisms to ensure sensitive information is
  unusable, inaccessible, and unable to be reconstructed.
• Only authorized personnel may dispose of sensitive
  information or equipment. Approved disposal methods include:
  o Electronic Media (physical disks, CDs, flash drives, printer
    and copier hard drives, etc.) shall be disposed of by one of
    the following methods:
    ▪ Overwriting Magnetic Media - Overwriting uses a
      program to write binary data sector by sector onto the
      media that requires sanitization.
    ▪ Physical Destruction - Implies complete destruction of
      media by means of crushing or disassembling the
      asset and ensuring no data can be extracted or
      recreated.
Cyber Services documentation, hardware, and storage that have been
used to process, store, or transmit confidential information or personal
identifying information (PII) shall not be released from the Cyber Services
department until it has been sanitized and all stored information has been
cleared using one of the above methods. In the event a physical
destruction method is deemed necessary, the Cyber Services Director
may contract the destruction to a 3rd party. The 3rd party must be NAID
AAA certified, and a certificate of destruction must be issued.
5.1 Audit Controls and Management
On-demand documented procedures and evidence of practice should be in
place for this operational policy as part of the City. Examples of control
documentation include:
• On-demand documented procedures related to disposal of hardware and
  software.
• On-demand documentation of equipment identified for disposal.
Prior to sanitization of electronic data, an acknowledgement form will be
signed certifying that, to the best of the employee’s knowledge, any electronic
data governed by record retention laws and city policies are located on
another City of Lebanon computer network resource. The only electronic
data that may be left on electronic media are of a personal nature and
excluded from record retention requirements.
Section 6.0: References (Charter/Code/State Statutes)
1. NIST 800-53
2. City administrative policy ADM-114 Records Management
3. NH RSA 33-A:3-a Disposition and Retention Schedule
4. NH RSA 33-A:5-a Electronic Records
Section 7.0: Policy & Procedure Revision History
Section Revisions Date
Original Adoption 9/1/21
Amendment
Amendment
Amendment