Sanitization and Disposal of Information Resources Policy
Published: March 2010
Revised: March 2018
A large volume of Data is stored on Systems (as each such term is defined in the OMG Information Security Charter (the “Charter”), https://www.omahamediagroup.com/isc) throughout OMG. A substantial amount of this Data consists of Sensitive Data or Confidential Data (as each such term is defined in the Charter). Unauthorized disclosure of such Data may expose OMG to legal liability. Data sanitization is the deliberate and permanent removal of Data from an Information Resource. This Policy defines the appropriate sanitization and disposal methods to be used.
Capitalized terms used herein without definition are defined in the Charter.
II. Policy History
- The effective date of this Policy is March 30, 2010.
- Reviewed and/or revised March 14, 2018.
III. Policy Text
Each System Owner, Data Owner, IT Custodian and User is responsible for determining if Sensitive Data or Confidential Data is present on the Information Resource by, for example, periodically scanning the Information Resource using software provided by OMGIT and sanitizing all Information Resources with hard drives and Removable Media under his/her control prior to removal from OMG in accordance with the following guidelines:
A. Non-Sensitive and Non-Confidential Data.
Data other than Sensitive Data or Confidential Data may be deleted and/or re-formatted.
B. Sensitive Data and Confidential Data
Sensitive Data and Confidential Data must be sanitized or disposed of in a manner that leaves the Data fully unrecoverable. Except as provided below, this can be accomplished by using one of the following methods:
- Data deletion software provided by OMGIT;
- Information Security Office-approved destruction hardware to physically render the Data storage media inoperable, such as degaussing, shredding, pulverizing or melting;
- Release of the Information Resource containing storage media to OMGIT for destruction and disposal; or
- Release of the Information Resource containing storage media to an Information Security Office-approved vendor.
Sensitive Data constituting ePHI must be sanitized and disposed of.
All paper-based Sensitive Data or Confidential Data must be destroyed using cross-shredding or through a contract with an Information Security Office-approved vendor.
IV. Cross References to Related Policies
The Information Security Policies and certain additional documentation referred to in this Policy are listed in Appendix A hereto.
- Data Classification Policy
- Information Security Charter