Skip to main content Skip to site utility navigation Skip to main site navigation Skip to site search Skip to footer
Login
Hide Menu
Menu

Secure Disposal or Reuse of Equipment Procedure

Ref. No. Executive sponsor Policy steward Approval authority First approved Last reviewed Effective date Next review
64.07 Vice President, College Services and Strategy Director, Digital Innovation and Technology Executive Council Feb. 19, 2019     Jan. 2020
  1. Purpose
    1. The purpose of this procedure is to ensure that no information classified in the NSCC Information Security Classification Procedure (64.02) as “Highly Confidential”, “Confidential” or “Internal” is inadvertently or purposely released to any person or entity not authorized to have access to such information. This includes, but is not limited to, all data stored on any media device listed in Section 3.4 of this procedure.
  1. Scope
    1. This procedure is associated with the NSCC Information Security Policy (64.01). All definitions, general roles and responsibilities, and compliance measures contained with Policy 64.01 apply to this procedure.
    2. This procedure applies to all NSCC Community members, and any vendors, contractors, and third parties conducting business with NSCC, as defined in Section 3.1 of this procedure.
  1. Definitions
Term Definition
3.1 NSCC Community A member of the NSCC Community under this procedure includes, but is not limited to the following:
  1. Employee: any person who is employed by NSCC or provides services to NSCC under an employment contract.
  2. Student: any person enrolled in study at NSCC.
  3. Volunteer: any person performing work for NSCC in an unpaid capacity.
  4. Contractor: any individual or company (and its employees) who provides services to NSCC under a service contract (i.e. a non-employee/employer relationship)
  5. Community Member: any person working in collaboration with NSCC for a business or academic purpose or an external community member
3.2 Sensitive Information For the purposes of this procedure, Sensitive Information is all information classified in the NSCC Information Security Classification Procedure (64.02) as “Highly Confidential”, “Confidential” or “Internal”.
3.3 Data For the purpose of this procedure, any NSCC sensitive information stored on any media device. This includes desktop computers, laptops, tablets, smart phones, printers, copiers, faxes, network equipment and any mobile device not specified in the list above.
3.4 Decommissioned Device Any media device that NSCC has taken out of inventory that will be stored, sold, donated or destroyed.
3.5 Mobile Device For the purpose of this procedure any portable device that can store, transmit or receive data.
  1. Procedure
    1. All Sensitive Information must be given the highest level of protection against unauthorized access, modification or destruction.
    2. Before disposal, donation, or recycling, the Digital Innovation & Technology (DI & Tech) department must validate that sensitive information has been removed from the Decommissioned Device. This validation/data destruction process must take place before releasing any Decommissioned Device. As such, all storage media or media devices will be examined to ensure that sensitive data, or any licensed software, has been removed or securely overwritten before the media is disposed of.
    3. Inventory of Decommissioned Devices
      The DI & Tech department will maintain an inventory of all media devices that have been decommissioned. The inventory must also reflect all actions taken to clear all stored information from the devices.
    4. Destroying Used or Decommissioned Equipment
      NSCC will utilize industry accepted equipment destruction methodologies when a device is no longer needed or if a device is damaged and the components that store data cannot be salvaged or reused. This includes confirming that any entity contracted by NSCC to destroy used equipment follows industry accepted equipment destruction methodologies.
    5. Digital Media will be disposed of/decommissioned so that the data is rendered unreadable and unrecoverable:
      1. Staff Computer Hard Drives (reuse) will be wiped by a low-level format.
      2. CD/DVD media will be physically destroyed or shredded.
      3. USB/External devices will be physically destroyed or wiped by low level format.
      4. Server storage will be physically destroyed or wiped by low level format.
      5. Firmware devices will be wiped by low level format.
    6. Returning a Mobile Device
      The DI & Tech department will inventory and track all mobile devices issued to NSCC Community members that may be given a device to use. All sensitive data will immediately be destroyed on a mobile device that is decommissioned by NSCC.
    7. Enforcement Responsibility
      The procedure will be monitored by the Director, Digital Innovation & Technology and any suggested changes should be submitted through that office.
    8. All exception requests, temporary or permanent, must be approved in writing by the Director, Digital Innovation & Technology.
    9. Revisions to NSCC policies and procedures must follow the policy approval process provided in the Policy Development, Renewal and Approval Policy (78.01) and Procedures (78.02)
  1. Policy Supports

Related Policies & Procedures

64.01 Information Security Policy
64.02 Information Security Classification Procedure
64.03 Password Management Procedure
64.04 Access Control Procedure
64.05 Physical and Environmental Security Procedure
64.06 Physical Access to IT Infrastructure Procedure
64.07 Secure Disposal or Reuse of Equipment Procedure

Top