L&I, Office of Information Technology Policy PLT-002

Name: Disposition of IT Equipment
Effective Date: July 2017
Category: Platform
Version: 1.2

1. Purpose

This policy establishes standards by which all of the Department of Labor & Industry’s (L&I’s) Information Technology (IT) electronic assets will be disposed of. This policy ensures the Office of Information Technology’s (OIT’s) involvement in the disposal process of all IT Equipment to ensure Commonwealth Information Technology Policies (ITPs), security requirements, and Enterprise Standards are followed. This policy also fulfills the requirements of Internal Revenue Service (IRS) Publication 1075 safeguards and requirements defined by the Social Security Administration (SSA). This policy documents the implementation of the National Institute of Standards and Technology (NIST) Security Controls: CM-3; MP-3, 4, 5, & 6; PE-3, 5, 16, 18, & 19; and SA-12 SP 800-53 R4.

2. Background

This policy is published under the general authority of the ITPs by the Office of Administration / Office of Information Technology (OA/OIT), in that it identifies key roles and responsibilities in support of ITPs. OA/OIT provides direction regarding the disposal of IT Equipment by L&I and other Commonwealth agencies under the Governor’s jurisdiction, via ITP-SEC025 - Proper Use and Disclosure of Personally Identifiable Information. Adhering to these policies will reduce the risk of sensitive data being compromised.

L&I information is a valuable asset and must be protected from unauthorized access, disclosure, modification, or destruction. Since sensitive data is stored on IT Equipment, improper disposal of IT Equipment represents one of the highest data security risks and expenditures that can occur within L&I.

3. Scope

This policy applies to all employees, contractors, temporary personnel, members of boards, commissions and councils, agents, and vendors in the service of L&I (hereinafter referred to collectively as “L&I Users”).

4. Policy

L&I Users shall initiate disposal of IT Equipment with a Change Request (CR) in the IT Service Management (ITSM) system.

L&I OIT shall coordinate the disposal of all IT Equipment. Only OIT staff are authorized to dispose of IT Equipment.

OIT shall categorize IT Equipment received for disposal as IT Surplus or e-waste.

The L&I Bureau of Administrative Services (BAS) is responsible for the disposal of all non-IT Equipment. As needed, OIT will coordinate site pick-ups with BAS Equipment Control or a contracted resource.

Only OIT staff, or BAS staff under the direction of OIT staff, are authorized to transfer/transport IT Equipment for surplus or equipment moves/relocations. The transportation of all IT Equipment able to store data requires that a “Chain of Custody Tracking” form be signed and dated by all parties, verifying all items listed on the form. The Chain of Custody is the only authorized form used to ensure IT Equipment is properly categorized, sorted, prepared, stored, and accounted for during IT Equipment transfers.

5. Responsibilities

  1. L&I User responsibilities:

    • Comply with all L&I policies, management directives, and laws; and

    • Report any violations of policies promptly to the L&I Chief Information Security Officer at LI, OIT-DLICISO.

  2. L&I management responsibilities:

    • Comply with all L&I policies and ensure L&I users comply with the policies; and

    • Adhere to this policy and any published procedures regarding the transfer or disposal of IT Equipment, e-waste, and IT Surplus.

6. References

L&I Policy Definitions Document
SEC-001 Personally Identifiable Information Storage and Transfer
DGS Guidelines for Surplus of IT Equipment: Electronic Devices and Media
ITP SEC015 Data Cleansing
ITP SEC019 Policy and Procedures for Protecting Commonwealth Electronic Data
ITP SEC025 Proper Use and Disclosure of Personally Identifiable Information
ITP SEC029 Physical Security Policy for IT Resources

7. Version Control

Version   Date      Purpose
0.1       05/2014   Initial draft created.
1.0       05/2014   DGS process integration
1.1       07/2016   Updated Process based on DGS changes
1.2       06/2017   Annual review & content revision