Media Protection

Overview

This updated standard aligns existing practices within the Office of Information Technology (OIT) for Media Protection controls with the requirements of NIST 800-171 (MP | 3.8.x) and with industry best practices. This document does not give full coverage of the 3.8.x controls in 800-171 because of existing limitations and other requirements that are specific to CUI.

What is in this document:

  • Acceptable methods of media disposal
  • Encryption requirements
  • Banning of personal devices for high-risk data
  • Marking requirements

What is NOT in this document:

  • Procedures for disposing media
  • Encryption deployment details or procedures
  • Marking procedures 

Policy Reference

APM 10.41 Surplus Property Inventory and Disposal Procedure

APM 20.13 University Communication Devices and Services

APM 30.11 University Data Classification and Standards

APM 30.12 Acceptable Use of Technology Resources

APM 30.14 Cyber Incident Reporting and Response

APM 30.16 Technology Hardware Lifecycle Management

Purpose

This Media Protection standard supports APM 30.11 University Data Classification and Standards and other relevant university policies.

Scope

These Standards are the minimum baseline for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) or use University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) and are not otherwise covered by an approved system security plan.

Standards

Sanitize or destroy information system media before disposal or release for reuse as per APM 30.16 Section D-8.

  1. Any media must be sanitized prior to reuse or destroyed prior to disposal using an approved method.

    This applies to: Low/Moderate/High-Risk data.

    1. Hard Drives
      1. If the device will not be reused, the device must be destroyed via OIT drive crusher.
      2. Overwrite the data on the drive with a minimum of one pass of all zeros or per NIST 800-88.
      3. Use one of the ATA Sanitize Device feature set commands, if supported.
      4. Use the ATA Security feature set's "SECURITY ERASE UNIT" command, if supported.
    2. Solid state drives (SSDs)
      1. If the device will not be reused, the device must be destroyed by shredding, disintegrating, pulverizing, or incinerating it in a licensed incinerator, as per NIST SP 800-88.
      2. Use the ATA Security feature set's "SECURITY ERASE UNIT" command if supported.
      3. Use the ATA Sanitize command, if supported (block erase, cryptographic erase).
        1. High-risk and regulated data must use FIPS 140-validated encryption modules.
      4. For NVMe SSDs, use the NVM Express Format command, if supported.
      5. ActiveKill software has been approved for disk wipe.
      6. Perform a Cryptographic Erase by issuing the commands necessary to change all MEKs.
    3. Removable Media
      1. If the device will not be reused, the device must be destroyed by shredding, disintegrating, pulverizing, or incinerating it in a licensed incinerator, as per NIST SP 800-88.
      2. Overwrite the data on the drive with two passes. (Non-solid-state media only)
        1. The first pass writes a fixed value; the second pass writes the complement of that value.
      3. Perform a Cryptographic Erase by issuing the commands necessary to change all MEKs.
        1. High-risk and regulated data must use FIPS 140-validated encryption modules.
    4. Optical Media
      1. The device must be destroyed by shredding, using a paper shredder capable of shredding optical media, or via an approved destruction service, as per NIST SP 800-88.
    5. Mobile devices
      1. If the device will not be reused, does not support encryption, or has no factory erase/wipe function, the device must be destroyed by shredding, disintegrating, pulverizing, or incinerating it in a licensed incinerator, as per NIST SP 800-88.
      2. Use the manufacturer's method of media sanitization, such as but not limited to a factory reset or erase-data function.
        1. Devices must be encrypted prior to sanitization.
      3. For unmanaged personal devices, Microsoft app protection is considered sufficient.
        1. If unmanaged applications are used on personal devices for U of I data, the data or device may be wiped by the university as per APM 20.13.

  2. An appropriate attestation of either disposal or sanitization must be provided and recorded in the IT asset management system.

    This applies to: Low/Moderate/High-Risk data.

    1. Certificate of destruction from an authorized application or vendor, such as but not limited to the ActiveKill Erase certificate or the Iron Mountain certificate of destruction.
    2. Verification from OIT personnel of successful destruction via the drive crusher, recorded in a ticket associated with the asset.
    3. Verification from OIT personnel of successful completion of mobile device sanitization.
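The one-pass zero overwrite for hard drives and the two-pass fixed-value/complement overwrite for non-solid-state removable media described above, as an added Python illustration that is not OIT's approved tooling. It operates on a regular file standing in for a block device, and the read-back verification after each pass is an assumption drawn from common NIST SP 800-88 practice rather than a step this standard lists.

```python
import os

CHUNK = 1 << 20  # work in 1 MiB chunks so a large image never loads fully into RAM

def _fill(path: str, value: int) -> int:
    """Overwrite every byte of the file at `path` with `value`; return bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        while written < size:
            n = min(CHUNK, size - written)
            fh.write(bytes([value]) * n)
            written += n
        fh.flush()
        os.fsync(fh.fileno())  # push the pattern through the cache to the device
    return written

def verify_pattern(path: str, value: int) -> bool:
    """Read the file back and confirm every byte equals `value`."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(value) != len(chunk):
                return False

def overwrite_zeros(path: str) -> bool:
    """Hard-drive step: a single pass of all zeros, then read-back verification."""
    _fill(path, 0x00)
    return verify_pattern(path, 0x00)

def overwrite_two_pass(path: str, fixed: int = 0x55) -> bool:
    """Non-solid-state removable media step: pass 1 writes `fixed`, pass 2 writes
    its bitwise complement; each pass is verified before reporting success.
    Overwriting is not a sanitization method for SSDs or other flash media."""
    if not 0 <= fixed <= 0xFF:
        raise ValueError("fixed must be a single byte value")
    complement = (~fixed) & 0xFF  # 0x55 -> 0xAA
    _fill(path, fixed)
    if not verify_pattern(path, fixed):
        return False
    _fill(path, complement)
    return verify_pattern(path, complement)

if __name__ == "__main__":
    image = "constructed_media.img"  # constructed stand-in for a removable drive
    with open(image, "wb") as fh: fh.write(b"constructed sample data\n" * 4096)
    print("two-pass overwrite verified:", overwrite_two_pass(image))
```

Against a real device the target would be the block device path rather than an image file, and an overwrite is only the correct choice for magnetic media; the ATA, NVMe and cryptographic erase methods listed above remain the route for solid-state storage.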

To ensure data is protected while stored on systems the following standards must be met:

  1. Workstations and laptops will be encrypted by default using BitLocker on Windows and FileVault on macOS.
    1. Workstations and laptops explicitly categorized for only low-risk data may be exempted without a formal risk exception.
    2. Encryption will be AES-256 or stronger unless otherwise approved by OIT Security.
  2. University data on mobile devices must use apps that are encrypted via the OIT Managed Microsoft Application Protection Policy.
  3. High-risk applications require that a system is encrypted prior to access, including mobile devices.
  4. High-risk data must be encrypted using OIT-managed encryption when stored on media, including but not limited to:
    1. System drives such as hard disks and solid state drives.
    2. Removable media such as USB drives or external drives.
  5. Systems that are housed within approved university data centers are exempt from this encryption requirement.

To ensure the confidentiality of data across networks the following standards must be met:

  1. Moderate- and high-risk application data must be encrypted.
    1. Authentication secrets, such as passwords, API keys or PSKs, are considered high-risk.
  2. Regulated data must meet encryption requirements for the regulation.

Personal devices or devices otherwise not managed or approved by OIT must not be used to access, store, transmit or process high-risk data.

Backups containing moderate- and high-risk data must be protected by current encryption standards or other approved safeguards.

To ensure data is handled appropriately, data and the assets containing it must be marked appropriately.

  1. Regulated data such as CUI must also be marked in accordance with regulation.

    Applies to: Moderate / High

Other References

1. NIST SP800-171r2 (February 2020)

All referenced controls are NIST 800-171r2 unless otherwise noted.

2. NIST SP800-53r5 (September 2020)

3. NIST SP800-88r1 (September 2014)

4. Device Retirement and Media Sanitization Guidelines

5. Surplus Process for TSPs and Local Support

Definitions

1. Licensed incinerator

An organization licensed in terms of sections 19 and 50 of the Waste Act, or which in terms of section 80 of the Waste Act may continue to operate under a license issued under the Environmental Conservation Act (Act 73 of 1989).

2. Cryptographic Erase

“A method of Sanitization in which the Media Encryption Key (MEK) for the encrypted Target Data (or the Key Encryption Key — KEK) is sanitized, making recovery of the decrypted Target Data infeasible.” (NIST SP 800-88)

3. Advanced Technology Attachment (ATA)

“Magnetic media interface specification. Also known as ‘IDE’ — Integrated Drive Electronics.” (NIST SP 800-88)

4. Non-Volatile Memory Express (NVMe)

Interface for a system's non-volatile storage media.

5. Media Encryption Key (MEK)

Cryptographic key used for encrypting media.

6. Disposal

A method of releasing media that is not intended to be reused by the university, including but not limited to releasing media to waste management services or releasing media for surplus disposition (APM 10.41).

7. Reuse

A method of releasing media that is intended to be used for a new purpose or by a new user within the university, as defined by APM 30.16 section D-8.

8. Media

“Material on which data are or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid state devices or optical discs.” (NIST SP 800-88)

9. Hard Drives

“A rigid magnetic disk fixed permanently within a drive unit and used for storing data. It could also be a removable cartridge containing one or more magnetic disks.” (NIST SP 800-88)

10. Solid state drive (SSD)

“A Solid State Drive (SSD) is a storage device that uses solid-state memory to store persistent data.” (NIST SP 800-88)

11. Removable Media

“Portable data storage medium that can be added to or removed from a computing device or network.” (CMMC Glossary)

12. Optical Media

“A plastic disk that is read using an optical laser device.” (NIST SP 800-88)

  1. Examples: CD, DVD or Blu-ray.

13. Mobile devices

“A portable computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); possesses local, non-removable/removable data storage; and includes a self-contained power source.” (NIST SP 800-171)

Standard Owner

OIT Security is responsible for the content and management of these standards.

To request an exception to this standard, contact: oit-security@uidaho.edu

Revision History

3/1/2024 — Minor updates

  • Minor formatting/wording/reference changes.

6/23/2023 — Original standard

  • Full re-write to align with NIST 800-171r2
