Effective Date: October, 2013
A large volume of Data is stored on Systems (as each such term is defined in the Columbia University Information Security Charter (the “Charter”) [http://policylibrary.columbia.edu/information-security-charter]) throughout Columbia University. A substantial amount of this Data consists of Sensitive Data or Confidential Data (as each such term is defined in the Charter). Unauthorized disclosure of such Data may expose the University to legal liability. Data sanitization is the deliberate and permanent removal of Data from an Information Resource. This Policy defines the appropriate sanitization and disposal methods to be used.
A PDF of this policy is also available to the right.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy and the other Information Security Policies replace (A) the following University Policies:
III. Policy Text
Each System Owner, Data Owner, IT Custodian and User is responsible for determining if Sensitive Data of Confidentia Data is present on the Information Resource by, for example, periodically scanning the Information Resource using software provided by CUIT or CUMC IT, and sanitizing all Information Resources with hard drives and Removable Media under his/her control prior to removal from the University in accordance with the following guidelines:
1. Non-Sensitive and Non-Confidential Data.
Data other than Sensitive Data or Confidential Data may be deleted and/or reformatted.
2. Sensitive Data and Confidential Data.
SensitiveData and Confidential Data must be sanitized in a manner that leaves the Data unrecoverable. This can be accomplished by using one of the following methods:
All paper based Sensitive Data or Confidential Data must be destroyed using cross-shredding or through a contract with an Information Security Office approved-vendor.
IV. Cross References to Related Policies and Other Documentation
The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.
Related Policies and Other Documentation
CUMC Data Deletion Software