UIS.401.2 Data Destruction Guidelines
In support of UIS 401 Data Protection and Security Policy
To ensure Georgetown University data is protected and to minimize unauthorized exposure to the University data, following security requirements must be met in instances, not limited to, but including:
- associated asset is removed from University service for:
- end-of-life or end-of-support donation or destruction
- third-party repair or support
- data retention rules dictate that data must be removed
- data use agreements or protocols require that study or research-related data must be deleted
Upon Decommission of Assets
- Purge or securely wipe data using following applicable methods to ensure the data is unusable, inaccessible, and unable to be reconstructed
- Erasing by overwriting: Erasing by overwriting is a way of scrubbing data with random overwrite patterns – not just all zeros or another single character. A minimum of three (3) overwrites is required for the data to be erased.
- Degaussing: Degaussing is the process of erasing all the data previously written to the hard drive or tape by demagnetizing where the magnetic charge of an object is re-set to a magnetically neutral state.
- Destruction: If data cannot be overwritten or degaussing is not possible, hard drives must be physically destroyed. For drives that are defective, dead, or sufficiently unresponsive that they do not complete at least three overwrite minimum, physical destruction is required.
- Transfer all University data from hardware asset with an approval to University file sharing system or departmental folder before the asset is repurposed or removed from University services.
- Install generic image if hardware asset is permitted for donation or transferred externally, including trade-in or replace as part of a warranty or repair contract.
- Remove all licensed, or Georgetown-specific software or operating systems from hardware asset. Attestation of erasure of licensed software and the University data is required for periodic audit purposes.
Upon Removal From GU Box
- Delete the files and folders that are required to be removed
- Access the “trash” and delete the files and folders from the trash repository (user must be a folder “owner” or “editor” in order to delete data)