L&I, Office of Information Technology Procedure
(PDF)
Name: |
Data Sanitization of Workstations and Media Procedures |
Effective Date: |
September 2017 |
Category: |
Security |
Version: |
1.2 |
1. Scope:
This procedure applies to all employees within all bureaus, divisions, boards, commissions, and councils within L&I. This includes any contracted employees in the service of L&I. (Hereinafter referred to collectively as “L&I Users”).
2. Procedure:
The procedure is implemented by Infrastructure and Computing Services (ICS). This procedure for IT equipment surplus is defined by Workstation Operations & Technical Services (WOTS) and Compute Services Operations (CSO) Office of Information Technology (OIT) divisions, in conjunction with the Department of General Services (DGS).
L&I’s Information Technology Service Management (ITSM) tool is the document of record for all configuration items (CI) concerning IT equipment.
- Procedure to Reassign L&I-owned or Leased Workstations to Another User
Step |
Responsibility |
Action |
1. |
Program area manager or supervisor |
Ensures that data and files are moved to a shared drive or backed-up prior to an L&I User’s last day of work. |
2. |
Program area manager or supervisor |
Ensures a copy of the application software used to create archived data is maintained. |
3. |
Program area manager or supervisor |
Instructs ITSM submitter to prepare an ITSM request. |
4. |
ITSM submitter |
Prepares an ITSM request choosing the following combination of Category, Type, and Item:
-
Hardware Changes/Change/Workstation.
|
5. |
WOTS |
Verifies that the program area saved all information. |
6. |
WOTS |
Reimages workstation and configures it for the new user. |
7. |
WOTS |
Updates ITSM request and ensures the CI is updated to reflect the new L&I User(s). |
- Procedure to Transfer Workstations Out to Another Program Area or State Agency
Step |
Responsibility |
Action |
1. |
Program area manager or supervisor |
Ensures that data and files are moved to a shared drive or backed-up prior to an L&I User’s last day of work. |
2. |
Program area manager or supervisor |
Ensures a copy of the application software used to create archived data is maintained. |
3. |
Program area manager or supervisor |
Instructs ITSM submitter to prepare an ITSM request. |
4. |
ITSM submitter |
Verifies that the program area saved all information. |
5. |
ITSM submitter |
Sanitizes the hard drive using DOD software provided by the Office of Administration (OA). |
6. |
WOTS |
Places workstation in a holding area for transfer. |
7. |
ITSM submitter |
Prepares an ITSM Request choosing the following Category, Type, and Item:
-
Hardware Changes/Install/Workstation
-
Document the following in the description of the request:
-
The program area the equipment is to be transferred from.
-
The old and the new location (office address or location code) of the device.
|
- Procedure to Transfer a Workstations in from Another Program Area or State Agency
Step |
Responsibility |
Action |
1. |
ITSM submitter |
Once ITSM request has been received and equipment arrives, the ITSM submitter connects device to the network. |
2. |
WOTS |
Reimages workstation and configures it for the new user. |
3. |
WOTS |
Contacts the Bureau of Administrative Services and provides them with a list of inter-agency transferred items detailing where it came from and on what date. |
4. |
Program Area Manager or Supervisor |
Arranges transfer to another state agency with DGS, or program area. |
5. |
BAS |
Completes report for DGS. |
- Procedure to Sanitize Data from Hard Drives & Media
Step |
Responsibility |
Action |
1. |
ITSM submitter |
Prepares an ITSM request for Asset Management/E-Media/Surplus.
-
If device is listed as an asset on remedy (some PDA’s), associates asset serial number with change.
-
If device is not a remedy asset, (example: floppy disks, CDs), notes that the miscellaneous media is to be discarded in the description of the request.
|
2. |
WOTS |
Arranges for pickup of the miscellaneous media & return to the WOTS Equipment Group for disposal via DGS. |
3. |
WOTS |
Takes actions based on media type:
-
ATA Solid State Drives (SSDs) (including PATA, SATA, eSATA, and SCSI)
-
Overwrite the full drive with at least two write passes to include a pattern in the first pass and its complement in the second pass. Verify that the data was overwritten.
-
Physically shred the drive such that the resulting particles have a maximum edge length of two mm and a maximum surface area of four mm2.
-
USB Removable Media and Memory Cards
-
Overwrite the full drive/card with at least two write passes to include a pattern in the first pass and its complement in the second pass. Verify that the data was overwritten.
-
Physically shred the drive such that the resulting particles have a maximum edge length of two mm and a maximum surface area of four mm2.
-
Magnetic disks (including floppy disks, ATA and SCSI hard disk drives)
-
Overwrite the full drive with at least a single write pass using a fixed data value (such as all zeros). Multiple write passes and more complex values may optionally be used. Verify that the data was overwritten.
-
Degauss with a National Security Agency (NSA) approved degausser. Note that degaussing magnetic disks renders them permanently unusable.
-
Physically shred the disk platters such that the resulting particles have a maximum edge length of 20 mm and a maximum surface area of 400 mm2.
-
Optical Media (CD, DVD, Blu-ray Disc)
-
Physically shred the optical media such that the resulting particles have a maximum edge length of 0.5 mm and a maximum surface area of 0.25 mm2
|
4. |
WOTS |
Records the information needed on the Media Disposal log and places it in the Secure Media Disposal Box for DGS pickup. |
3. References
L&I Policy Definitions Document
APP-001 - Release of Protected Data
SEC-000 - Security Planning Policy
SEC-015 - Data Sanitization
ITP-SEC015 - Data Cleansing Policy
ITP-SEC019 - Policy and Procedures for Protecting Commonwealth Electronic Data
NIST SP 800-88 - Guidelines for Media Sanitization
4. Version Control
Version |
Date |
Purpose |
1.0 |
01/2006 |
Base document |
1.1 |
06/2016 |
Merged documents, formatted, revised content |
1.2 |
08/2017 |
Combined procedures: reassignment, transfer & hard drive/Media |