I. Overview

George Mason University Policy Number 1311, Information Technology Security Program, mandates compliance with the Information Technology Security Standard. This standard requires information system media (both digital and non-digital) to be sanitized or destroyed prior to their disposal or release for reuse (e.g. for interdepartmental transfers or return for replacement). The sanitization process involves removing information from information system media such that the information cannot be retrieved or reconstructed.

This document provides an overview of the media sanitization process specifically on Mason-owned electronic devices that will be released for reuse (e.g. for interdepartmental transfers or return for replacement). To dispose of surplus Mason-owned electronic devices for disposal, contact University Central Receiving.

Additionally, one of the requirements for Media Protection in NIST SP 800-53 is to document the data sanitization process of electronic devices prior to their disposal or release for reuse. This document addresses this requirement which shows that the Mason-owned electronic devices have been sanitized and verified.

The process described in this document applies to all university departments and offices at all George Mason University locations that are planning to release for reuse Mason-owned electronic devices.

II. Roles

The following roles have been identified for this process:

Role Responsibilities
Departmental Staff #1
  • Refers to ITS.ITS-PROC002, Media Sanitization Procedure for guidance and instructions on data sanitization technique to use on a Mason-owned electronic device
  • Performs the appropriate media sanitization technique
  • Fills out the upper part of the Data Sanitization Certification Sticker to document the data sanitization of information system media
Departmental Staff #2
  • Performs verification that data have been successfully removed from the information system media
  • Fills out the bottom part of the Data Sanitization Certification Sticker
  • Applies the sticker on the electronic device before its release for reuse

 

III. Process

This workflow provides a graphical representation of the data sanitization process on Mason-owned electronic devices prior to their release for reuse. Process narratives are provided in the subsections below.

Figure 1: Data Sanitization Process

    1. Refer to ITS.ITS-PROC002, Media Sanitization Procedure to determine the appropriate data sanitization technique

      ACTIVITY INPUTS: information system media or Mason-owned electronic device
      ACTIVITY OUTPUTS: data sanitization techniqueRefer to ITS.ITS-PROC002, Media Sanitization

      Procedure for guidance and instructions on data sanitization technique to use on a Mason-owned electronic device prior to its release for reuse.

 

    1. Perform the Recommended Data Sanitization Technique

      ACTIVITY INPUTS: data sanitization technique
      ACTIVITY OUTPUTS: sanitized Mason-owned electronic device

      Perform the recommended data sanitization technique on information system media or a Mason-owned electronic device.

 

    1. Document Data Sanitization Process

      ACTIVITY INPUTS: Data Sanitization Certification sticker
      ACTIVITY OUTPUTS: Data Sanitization Certification sticker

      Refer to ITS.ITS-PROC002, Media Sanitization Procedure for instructions in documenting the data sanitization of information system media or Mason-owned electronic device.

 

  1. Verify and Document Verification

    ACTIVITY INPUTS: sanitized Mason-owned electronic device, Data Sanitization Certification sticker
    ACTIVITY OUTPUTS: Data Sanitization Certification sticker

    Refer to ITS.ITS-PROC002, Media Sanitization Procedure for instructions in verifying and documenting a successful media sanitization process.

IV. Artifacts

The following is a general list of the artifacts referenced in the process:

  • Sanitized information system media or Mason-owned electronic device
  • Data Sanitization Certification sticker

V. Dates

  1. Effective Date:This process will become effective upon approval.
  2. Date of Most Recent Review:8/21/20

VI. Timetable for Review

This process shall be reviewed every year or more frequently as needed.

VII. Signatures

The following authorized party hereby approves the above process flow and documentation:

Curtis McNay
IT Security Director
Information Technology Services

Version: 1.1
Date of last revision: 21 August 2020