Begin Main Content Area

 Content Editor

L&I, Office of Information Technology Procedure

(PDF)

Name: Data Sanitization of Workstations and Media Procedures
Effective Date: September 2017
Category: Security
Version: 1.2

1. Scope:

This procedure applies to all employees within all bureaus, divisions, boards, commissions, and councils within L&I. This includes any contracted employees in the service of L&I. (Hereinafter referred to collectively as “L&I Users”).

2. Procedure:

The procedure is implemented by Infrastructure and Computing Services (ICS). This procedure for IT equipment surplus is defined by Workstation Operations & Technical Services (WOTS) and Compute Services Operations (CSO) Office of Information Technology (OIT) divisions, in conjunction with the Department of General Services (DGS).

L&I’s Information Technology Service Management (ITSM) tool is the document of record for all configuration items (CI) concerning IT equipment.

  1. Procedure to Reassign L&I-owned or Leased Workstations to Another User


  2. Step Responsibility Action
    1. Program area manager or supervisor Ensures that data and files are moved to a shared drive or backed-up prior to an L&I User’s last day of work.
    2. Program area manager or supervisor Ensures a copy of the application software used to create archived data is maintained.
    3. Program area manager or supervisor Instructs ITSM submitter to prepare an ITSM request.
    4. ITSM submitter Prepares an ITSM request choosing the following combination of Category, Type, and Item:
    • Hardware Changes/Change/Workstation.
    5. WOTS Verifies that the program area saved all information.
    6. WOTS Reimages workstation and configures it for the new user.
    7. WOTS Updates ITSM request and ensures the CI is updated to reflect the new L&I User(s).


  3. Procedure to Transfer Workstations Out to Another Program Area or State Agency


  4. Step Responsibility Action
    1. Program area manager or supervisor Ensures that data and files are moved to a shared drive or backed-up prior to an L&I User’s last day of work.
    2. Program area manager or supervisor Ensures a copy of the application software used to create archived data is maintained.
    3. Program area manager or supervisor Instructs ITSM submitter to prepare an ITSM request.
    4. ITSM submitter Verifies that the program area saved all information.
    5. ITSM submitter Sanitizes the hard drive using DOD software provided by the Office of Administration (OA).
    6. WOTS Places workstation in a holding area for transfer.
    7. ITSM submitter Prepares an ITSM Request choosing the following Category, Type, and Item:
    • Hardware Changes/Install/Workstation
    • Document the following in the description of the request:
      • The program area the equipment is to be transferred from.
      • The old and the new location (office address or location code) of the device.


  5. Procedure to Transfer a Workstations in from Another Program Area or State Agency


  6. Step Responsibility Action
    1. ITSM submitter Once ITSM request has been received and equipment arrives, the ITSM submitter connects device to the network.
    2. WOTS Reimages workstation and configures it for the new user.
    3. WOTS Contacts the Bureau of Administrative Services and provides them with a list of inter-agency transferred items detailing where it came from and on what date.
    4. Program Area Manager or Supervisor Arranges transfer to another state agency with DGS, or program area.
    5. BAS Completes report for DGS.


  7. Procedure to Sanitize Data from Hard Drives & Media


  8. Step Responsibility Action
    1. ITSM submitter Prepares an ITSM request for Asset Management/E-Media/Surplus.
    • If device is listed as an asset on remedy (some PDA’s), associates asset serial number with change.
    • If device is not a remedy asset, (example: floppy disks, CDs), notes that the miscellaneous media is to be discarded in the description of the request.
    2. WOTS Arranges for pickup of the miscellaneous media & return to the WOTS Equipment Group for disposal via DGS.
    3. WOTS Takes actions based on media type:
    • ATA Solid State Drives (SSDs) (including PATA, SATA, eSATA, and SCSI)
      1. Overwrite the full drive with at least two write passes to include a pattern in the first pass and its complement in the second pass. Verify that the data was overwritten.
      2. Physically shred the drive such that the resulting particles have a maximum edge length of two mm and a maximum surface area of four mm2.

    • USB Removable Media and Memory Cards
      1. Overwrite the full drive/card with at least two write passes to include a pattern in the first pass and its complement in the second pass. Verify that the data was overwritten.
      2. Physically shred the drive such that the resulting particles have a maximum edge length of two mm and a maximum surface area of four mm2.

    • Magnetic disks (including floppy disks, ATA and SCSI hard disk drives)
      1. Overwrite the full drive with at least a single write pass using a fixed data value (such as all zeros). Multiple write passes and more complex values may optionally be used. Verify that the data was overwritten.
      2. Degauss with a National Security Agency (NSA) approved degausser. Note that degaussing magnetic disks renders them permanently unusable.
      3. Physically shred the disk platters such that the resulting particles have a maximum edge length of 20 mm and a maximum surface area of 400 mm2.

    • Optical Media (CD, DVD, Blu-ray Disc)
      1. Physically shred the optical media such that the resulting particles have a maximum edge length of 0.5 mm and a maximum surface area of 0.25 mm2
    4. WOTS Records the information needed on the Media Disposal log and places it in the Secure Media Disposal Box for DGS pickup.

3. References

L&I Policy Definitions Document

APP-001 - Release of Protected Data

SEC-000 - Security Planning Policy

SEC-015 - Data Sanitization

ITP-SEC015 - Data Cleansing Policy

ITP-SEC019 - Policy and Procedures for Protecting Commonwealth Electronic Data

NIST SP 800-88 - Guidelines for Media Sanitization

4. Version Control

Version Date Purpose
1.0 01/2006 Base document
1.1 06/2016 Merged documents, formatted, revised content
1.2 08/2017 Combined procedures: reassignment, transfer & hard drive/Media