The policy and associated guidance provide requirements for reuse or disposal of WashU systems containing protected or confidential information.
This policy is applicable to all WashU systems and network segments.
The audience for this policy is all WashU faculty, staff, and students. It also applies for all other agents of the university with access to WashU information and network for contracted services. This includes, but not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers. The titles will be referred collectively hereafter as “WashU community”.
Protected and confidential information is required to be permanently rendered unrecoverable from all forms of media before it is disposed or reused. This is to prevent recovery of data by unauthorized sources. Logs will be maintained and reviewed to ensure media is properly disposed or reused.
All forms of media will be secured physically while in transit to reduce the risk of unauthorized access, corruption, or misuse of the information.
The department, school, or their contracted vendors will store the all forms of media in a secure location prior to destruction. Destruction vendors must have a signed HIPAA BAA on file.
The Office of Information Security (OIS) will measure the compliance to this policy through various methods, including, but not limited to – reports, internal/external audits, and feedback to the policy owner. Exceptions to the policy must be approved by the OIS in advance. Non-compliance will be addressed with management, Area Specific Compliance Office, Human Resources, or the Office of Student Conduct.
Information Classification Policy
This policy will be reviewed at a minimum every three years.
Title: Media Reuse and Disposal Policy
Version Number: 3.0
Reference Number: MP-01.01
Creation Date: February 2, 2011
Approved By: Security and Privacy Governance Committee
Approval Date: April 6, 2016
Scheduled Review Date: March 1, 2022
Revision Date: February 26, 2019
Revision Approval Date: March 15, 2019
Policy Owner: Office of Information Security