Information Disposal  Policy Template

Home / Services / Virtual CISO / Policies / Information Disposal Policy Template

Information Disposal Policy
Technology equipment often contains parts which cannot simply be thrown away. Proper disposal of equipment is both environmentally responsible and often required by law. In addition, hard drives, USB drives, CD-ROMs and other storage media contain various kinds of {{company_name}} data, some of which is considered sensitive. In order to protect our constituent’s data, all storage mediums must be properly erased before being disposed of. However, simply deleting or even formatting data is not considered sufficient. When deleting files or formatting a device, data is marked for deletion, but is still accessible until being overwritten by a new file. Therefore, special tools must be used to securely erase data prior to equipment disposal.
The purpose of this Information Disposal Policy it to define the guidelines for the disposal of technology equipment and components owned by {{company_name}}.
This policy applies to any computer/technology equipment or peripheral devices that are no longer needed within {{company_name}} including, but not limited to the following: personal computers, servers, hard drives, laptops, mainframes, smart phones, or handheld computers ( i.e., Windows Mobile, iOS or Android-based devices), peripherals (i.e., keyboards, mice, speakers), printers, scanners, typewriters, compact and floppy discs, portable storage devices (i.e., USB drives), backup tapes, printed materials. All {{company_name}} employees and affiliates must comply with this policy.
Technology Equipment Disposal  
  1. When Technology assets have reached the end of their useful life they should be sent to the office for proper disposal.
  2. The office will securely erase all storage mediums using a 7 times 0x0 over-write using DD.
  3. All data including, all files and licensed software shall be removed from equipment using a 7 times 0x0 over-write, meeting Department of Defense standards.
  4. No computer or technology equipment may be sold to any individual other than through the processes identified in this policy.
  5. No computer equipment should be disposed of via skips, dumps, landfill etc. The office will properly remove all data prior to final disposal.
  6. All electronic drives must be overwritten with a 7 times 0x0 over-write. Hard drives may also be removed and rendered unreadable (drilling, crushing or other demolition methods)
  7. Computer Equipment refers to desktop, laptop, tablet or netbook computers, printers, copiers, monitors, servers, handheld devices, telephones, cell phones, disc drives or any storage device, network switches, routers, wireless access points, batteries, backup tapes, etc.
  8. The office will place a sticker on the equipment case indicating the disk wipe has been performed. The sticker will include the date and the initials of the person who performed the disk wipe.
  9. Technology equipment with non-functioning memory or storage technology will have the memory or storage device removed and it will be physically destroyed.
Client File Disposal
All client files will be electronically destroyed no more than 45 after the payment of the clients invoice. This is achieved by:
  1. Genesis will detect the invoice payment through the Xero API and add a schedule of +44 days for the folder removal.
  2. On day 44, Genesis will achieve the client folder to a tarball.
  3. The tarball will be AES 256 encrypted with a 512 bit key taken from /dev/urandom and stored in buffer. Once the file is encrypted, the buffer is flushed and the client folder is deleted.
Employee Purchase Of Disposed Equipment
  1. Equipment which is working, but reached the end of its useful life to {{company_name}}, will be made available for purchase by employees.
  2. A lottery system will be used to determine who has the opportunity to purchase available equipment.
  3. All equipment purchases must go through the lottery process. Employees cannot purchase their office computer directly or “reserve” a system. This ensures that all employees have an equal chance of obtaining equipment.
  4. Finance and Information Technology will determine an appropriate cost for each item.
  5. All purchases are final. No warranty or support will be provided with any equipment sold.
  6. Any equipment not in working order or remaining from the lottery process will be donated or disposed of according to current environmental guidelines.
  7. Information Technology has contracted with several organizations to donate or properly dispose of outdated technology assets.
  8. Prior to leaving {{company_name}} premises, all equipment must be removed from the Information Technology inventory system.
Compliance Measurement
The {{company_name}} Team will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Any exceptions to the policy must be approved by the CEO in advance.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.