Media Sanitization Standard

Purpose

The purpose of this standard is to outline the proper methods by which to sanitize media prior to its disposal, release, or reuse (for both digital and paper media). Proper media sanitization ensures university information is not unintentionally disclosed to unauthorized viewers.

Scope

This standard applies to all university faculty, staff, students, and any individuals who have access to university data, such as retired or emeritus staff and faculty, contractors, or volunteers.

Standard

There are two primary types of media: physical copy (paper) and electronic copy (digital). Because technology is constantly evolving, an exhaustive, current list of media types cannot be maintained; sanitization therefore refers to the information held on the media rather than to any particular media type. Regardless of the type, media must be properly sanitized by the individual responsible for the data before it is released for reuse or destruction. Each individual responsible for the data is also responsible for classifying that data in accordance with university policy 93.001 Data Classification in order to determine the appropriate sanitization method. Failure to apply the sanitization method required for the corresponding classification may result in a breach and a violation of university policy 91.005 Information Security. The Information Security Office can advise on the appropriate sanitization method for sensitive data if needed.

Sanitization Methods

The National Institute of Standards and Technology (NIST) provides industry standards that serve as the baseline for sanitizing media. Per NIST 800-88, “Sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort.” The following methods are identified by NIST as appropriate for most data. For guidelines specific to a given type of media, see NIST 800-88 Appendix A.

  • Clearing is the technique of overwriting the entire storage area to render the sensitive data unreadable. For electronic copy this can be done with a standard erase procedure or by factory-resetting the device, so long as the interface presented to a user does not allow data recovery. There are no clearing techniques for physical copy.
  • Purging is the technique of erasing data such that recovery is infeasible even with the most advanced laboratory techniques.
    • For electronic copy this can be done with third-party software (for example DBAN, CCleaner, or Eraser) or through cryptographic erase, so long as the procedure is consistent with the techniques recommended in NIST 800-88.
    • There are no purging techniques for physical copy.
  • Destroying is the technique of eliminating any feasible opportunity to recover data from the media by rendering the media unusable.
    • For electronic copy this is done by first clearing or purging the drive and then physically destroying the media so that it can no longer be used for data storage. University Surplus and Moving has a process for destroying electronic copy and will provide the unit with a certificate of destruction upon completion.
    • For physical copy, destruction can be accomplished with a cross-cut shredder, pulverizer, or incinerator, or by disposal through a contracted third-party document destruction company.

Media Sanitization

Below are the recommended sanitization techniques for data classified in accordance with University policy 91.003 Data Classification.

  Sanitization Method   Low Data Sensitivity   Medium Data Sensitivity   High Data Sensitivity
  Clearing              Recommended            Required                  Required
  Purging               Optional               Recommended               Required
  Destroying            Optional               Optional                  Required

References

  1. Policy 91.003 Data Classification
  2. Policy 91.005 Information Security
  3. Policy 93.002 Records Management and Archiving
  4. Policy 91.006 Information Security Risk Management
  5. NIST 800 Series Publications

Exceptions

All exceptions to this standard must be formally documented with the Information Security Office (ISO) prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed periodically by the ISO.

Request an exception

Complete the Exception Request form.

Governance

This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on changes in the technology landscape and/or changes to established regulatory requirements.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Information Technology: Ed Carter (Chair)
  • Human Resources: Michael Courtney
  • Faculty: Hans Kruse
  • Senior Associate Dean: Brian McCarthy
  • Finance and Administration: Julie Allison
  • Faculty: Shawn Ostermann
  • Regional Higher Education: Larry Tumblin
  • Research and Sponsored Programs: Susan Robb
  • Enterprise Risk Management and Insurance: Larry Wines

History

Draft versions of this policy were circulated for review and approved on November 2, 2023.