Effective Date: October, 2013
Revised: November 2014
A large volume of Data is stored on Systems (as each such term is defined in the Columbia University Information Security Charter (the “Charter”), http://policylibrary.columbia.edu/information-security-charter) throughout Columbia University. A substantial amount of this Data consists of Sensitive Data or Confidential Data (as each such term is defined in the Charter). Unauthorized disclosure of such Data may expose the University to legal liability. Data sanitization is the deliberate and permanent removal of Data from an Information Resource. This Policy defines the appropriate sanitization and disposal methods to be used.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
The effective date of this Policy is November 1, 2013. This Policy and the other Information Security Policies replace (A) the following University Policies:
III. Policy Text
Each System Owner, Data Owner, IT Custodian and User is responsible for determining if Sensitive Data or Confidential Data is present on the Information Resource by, for example, periodically scanning the Information Resource using software provided by CUIT or CUMC IT, and sanitizing all Information Resources with hard drives and Removable Media under his/her control prior to removal from the University in accordance with the following guidelines:
A. Non-Sensitive and Non-Confidential Data.
Data other than Sensitive Data or Confidential Data may be deleted and/or reformatted.
B. Sensitive Data and Confidential Data.
Sensitive Data and Confidential Data must be sanitized or disposed of in a manner that leaves the Data unrecoverable. Except as provided below, this can be accomplished by using one of the following methods:
Sensitive Data constituting EPHI must be sanitized and disposed of in accordance with the CUMC Information Security Procedures.
All paper-based Sensitive Data or Confidential Data must be destroyed using cross-shredding or through a contract with an Information Security Office-approved vendor.
IV. Cross References to Related Policies and Other Documentation
The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.
Related Policies and Other Documentation
CUMC Information Security Procedures
Data Classification Policy