Email this Article Email   

CHIPS Articles: Reduce PII Loss by Proper Disposal/Sanitization of Unclass Equipment

Reduce PII Loss by Proper Disposal/Sanitization of Unclass Equipment
By DON CIO Privacy Team - April-June 2009
During the past year, the Department of the Navy has experienced problems relating to turning in excess information technology and office equipment that contain personally identifiable information (PII).

Disposed equipment most commonly found to contain PII includes: office desks, safes, file cabinets, copiers and computer hard drives. Recent audits by the Department of Defense Inspector General and the Naval Audit Service confirm that DON turn-in procedures have not been consistently followed, are inadequate or out-of-date.

While much of the turn-in process involves the Defense Reutilization Marketing Offices (DRMO), Navy Marine Corps Intranet (NMCI) or other DON network owners, the local command or unit is responsible for information security, physical security and property accountability for all excess unclassified equipment awaiting sanitization, shipment to DRMO, or release to another DoD component or donation activity.

The following is a list of lessons learned that should be considered by local commands or units when preparing equipment for disposal.

• Use DRMS Instruction 4160.14, dated May 12, 2008, which provides guidance on turn-in of excess equipment to DRMO.
• Remove all drawers in desks and file cabinets to ensure stray documents are removed.
• Ensure all lockable drawers or cabinets are open for inspection.
• Refer to Assistant Secretary of Defense (ASD) Memo "Disposition of Unclassified DoD Computer Hard Drives," dated June 4, 2001, which provides specific instructions on how to dispose of hard drives in the DoD.
• Use National Security Agency approved sanitization equipment to properly overwrite and degauss excess unclassified hard drives.
• Ensure copier hard drives have been properly overwritten and degaussed.
• Develop written policies and procedures to clearly define local command/unit roles and responsibilities.
• Provide training for all personnel on how to accurately prepare and process excess unclassified IT equipment before forwarding to DRMO.
• Use the Web-based Electronic Turn-in Document (ETID) system for all equipment bound for DRMO.
• Ensure verification labels are placed on all hard drives that have been degaussed and overwritten.
• Keep accurate destruction and turn-in records for a minimum of five years.
TAGS: Privacy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer