All data on computers or electronic storage devices (including, but not limited to, desktops, laptops, tablets, servers, or handheld devices) must be cleaned and the device reimaged prior to transfer to another user.
Reason for Policy/Purpose
This policy is intended to prevent the inadvertent release of confidential, protected, or personally identifiable information (PII) contained on electronic storage devices when physical possession or stewardship is changed. Furthermore, it seeks to promote compliance with federal and state data protection regulations as they pertain to personally identifiable information and financial records.
Who Needs to Know This Policy
All members of The University of Southern Mississippi (USM) community.
Website Address for this Policy
1.1 When the user of a University device changes, the data stored on the device must be cleaned. Users must initiate the data cleaning process, as appropriate for each case listed below:
1.1.1 For a “Device Transfer” (the responsibility and possession of a device is being transferred from one department, business unit, administrative area, or individual to another), the user of the device must contact the iTech Help Desk and arrange to have the device cleaned and reimaged.
1.1.2 For a “Computer Exchange Program (CEP) transaction” (a device is either exchanged with, or returned to, the CEP program), the user of the device must contact firstname.lastname@example.org. A valid, complete backup of all necessary data should be completed prior to contacting ITCEP (see item 2.3).
1.1.3 For a “User Status Change” (the employment status of a user changes; changes can include, but are not limited to, resignation, retirement, position elimination, termination, or death), the user’s supervisor must contact the iTech Help Desk and arrange to have the device cleaned and reimaged (see item 2.3).
1.1.4 For a “Surplus device” (when a device is to be released from the University inventory), the user will follow the Computer Decommission Process as defined in the following policy: https://www.usm.edu/institutional-policies/policy-acaf-it-018.
1.1.5 For any other case involving the change of parties responsible for a device, please contact the iTech Help Desk for guidance.
1.2 With the exception of iTech employees, no one should attempt to clean the device. Any attempt to do so will not satisfy the policy requirements.
2.0 Retention of Data
2.1 If the University-owned device contains University data which should be retained by the University/department/administrative unit, this information should be properly saved and backed up prior to the cleaning and reimaging performed by iTech.
2.2 It is the responsibility of the department to ensure that such University data files necessary to be retained are properly backed up prior to the cleaning and reimaging performed by iTech.
2.3 A backup must be obtained of any University device that is being reassigned due to separation of its assigned user from University employment, either through resignation, retirement, death, termination, position elimination or any other means. The employing department of the separating employee must immediately notify iTech of such separation by placing a work order through the Help Desk to initiate the computer backup process and subsequent cleaning and reimaging of the device. This device backup may be accessed for future business use by the University at its sole discretion and without notice.
2.4 iTech can archive files for the user, but it will be the user’s responsibility to explicitly indicate which files and data must be retained.
2.5 iTech, its agents and employees, and USM cannot be held responsible for data lost to the cleaning process.
2.6 If you have particular concerns about the data on a device, contact the iTech Security Team at email@example.com for recommendations and assistance.
3.0 Devices Taken Out of Service
3.1 When the University device is being taken out of service and sent to surplus (the device is to be released from the University inventory), the user will follow the Computer Decommission Process as defined in the following policy: https://www.usm.edu/institutional-policies/policy-acaf-it-018.
4.1 Any employee found to have violated this policy will be subject to disciplinary action, up to and including suspension, expulsion and/or termination of employment in accordance with procedures defined by USM administrative policies stated in the handbook governing that individual.
4.2 Violations of any provision of this policy may result in civil liability and/or criminal penalties as prescribed by federal and state laws.
The Chief Information Officer is responsible for the review of this policy every four years (or whenever circumstances require immediate review).
See Appendix A for Flowchart
See ACAF-IT-018 Computer Decommission Process
Amendments: Month, Day, Year – summary of changes
10/28/13 – Creation
1/9/14 – Added Flowchart as Appendix A
3/3/14 – minor changes to Flowchart