Sanitization or Disposal Procedures


The procedures described in this section support the Sanitization and Disposal of Information Resources Policy. Sanitization and disposal tasks will be conducted by Certified IT Groups. Work instructions for these procedures will be documented and maintained by Certified IT Groups. A template of these work instructions will be developed by the CUIMC Information Security Office and provided to Certified IT Groups to be completed for their specific implementations.

Please see the main CUIMC Information Security Procedures page for an overview, effective date and definitions.

A. Basic Sanitization/Disposal Procedure

When an Endpoint or Removable Media will be retired, a specific set of procedures must be followed, depending on the circumstances. All requests will follow this basic procedure:

  1. A Request for Sanitization or Disposal form will be filled out by the User of the Endpoint in the CUIMC IT ServiceNow system.
  2. The Request for Sanitization or Disposal will indicate one of the following requests:
    1. Disposal of the Endpoint;
    2. Disposal of the internal media of the Endpoint;
    3. Sanitization of the internal media of the Endpoint so it may be repurposed; or
    4. Sanitization of the Removable Media.
  3. The appropriate Certified IT Group will be notified via email of the User’s request.
  4. The appropriate IT Custodian within the Certified IT Group will carry out the request and ensure that all documentation in the CUIMC IT ServiceNow system is complete. The documentation will contain, at a minimum:
    1. Make and Model of Endpoint or Removable Media;
    2. Serial Number, if applicable;
    3. MAC address (network interface hardware address), if applicable;
    4. Dates of disposal/sanitization; and
    5. Method used for sanitization or disposal.
  5. The IT Custodian will update the Certified IT Group’s inventory to reflect that the Endpoint or Removable Media has been decommissioned. 

All requests will be documented, stored and maintained in the CUIMC IT ServiceNow system for a period of 6 years.

1. Disposal of Managed Endpoints

If a User asks for a managed endpoint to be disposed of, the following procedures will be followed in addition to the Basic Sanitization/Disposal Procedure described above:

  1. The User will indicate on the Request for Sanitization or Disposal form “Dispose of the Endpoint”.
  2. The relevant additional identifiers of the Endpoint will be captured, including:
    1. Hostname;
    2. UNI/CWID of the User; and
    3. Endpoint location.
  3. The Endpoint will be collected from the User by the User’s Certified IT Group and stored in a physically secured location, with an access badge reader and video surveillance, prior to disposal.
  4. The internal media of the Endpoint will be removed, and if not immediately disposed of, will be labeled to indicate the Endpoint from which the media was removed.
  5. The internal media will be destroyed and rendered inoperable through methods described in the Sanitization and Disposal of Information Resources Policy. This process will be documented by the Certified IT Group in the CUIMC IT ServiceNow system.
  6. A green Device Disposal Tag will be affixed to the Endpoint.
  7. The Endpoint and/or destroyed media will be given to Facilities Management, which will work with the Department of Environmental Health and Safety to dispose of the Endpoint and media in an environmentally conscious manner. 

2. Sanitization or Disposal of Personally Owned Endpoints

When a User is no longer affiliated with CUIMC, all CUIMC Data must be sanitized or destroyed. Managers of departments or business units are required to ensure that personally owned Endpoints are properly sanitized or disposed of before the User leaves CUIMC. The following procedure will be followed:

  1. The User’s supervisor will indicate on the Request for Sanitization or Disposal form either:
    1. “Sanitize Data from Personally Owned Endpoint” or
    2. “Dispose of Personally Owned Endpoint”.
  2. The relevant additional identifiers of the Endpoint will be captured, including:
    1. Hostname;
    2. UNI/CWID of User; and
    3. Endpoint location.
  3. An IT Custodian of a Certified IT Group will conduct the secure deletion of CUIMC Data from the personally owned Endpoint, or will follow the Disposal of Managed Endpoints procedure described above if the device will be disposed of. 

B. Sanitization or Disposal of Internal Media or Removable Media

If any internal media or Removable Media in an Endpoint contain EPHI, the following special procedures must be followed when the internal media or Removable Media are to be disposed of, or re-provisioned for non-EPHI use.

1. Procedure

If requested by the department or business unit, the internal media or Removable Media of an Endpoint may be disposed of rather than the entire Endpoint itself. In this circumstance, the Disposal of Managed Endpoints Procedure described above will be followed, with the following changes:

  1. The User will indicate on the Request for Sanitization or Disposal form the specific request. The options are:
    1. Disposal of internal media;
    2. Sanitization of internal media;
    3. Disposal of Removable Media; or
    4. Sanitization of Removable Media.
  2. The request will be forwarded to the User’s Certified IT Group by email.
  3. The Certified IT Group will (a) tag any media to be disposed of, or (b) securely wipe any media selected to be sanitized. In either case, the Certified IT Group will process the request based on the methods described in the Sanitization and Disposal of Information Resources Policy.

All requests will be documented, stored and maintained in the CUIMC IT ServiceNow system for a period of 6 years.