Data protection on U-owned devices, from first login to end of life
In a perfect world, university employees think about data protection from the moment they take possession of a U-owned device.
“The University of Utah is an information-rich environment. As such, we try to consistently reinforce that we all have a shared responsibility to secure this information,” said Trevor Long, associate director for the Governance, Risk & Compliance team in UIT’s Information Security Office.
Long said that employees should regularly review Information Security Policy 4-004, which addresses the acceptable use of everything from university email accounts, remote access, storage resources like Box, databases, servers, wireless networks and software all the way to U-issued laptops.
“Devices that contain restricted or sensitive information, for example, should be encrypted as appropriate,” he said, referring back to the related policy rule. “However, as a best practice we recommend that all mobile devices be encrypted.”
But what happens when these devices become obsolete, unused or unwanted?
Electronic waste, or e-waste, is an escalating problem. According to a 2019 report published by the World Economic Forum, it’s the world’s fastest-growing waste stream — basically anything with a plug, electric cord or battery that reaches its end of life.
That’s a lot of waste, and a lot of information.
Getting rid of sensitive information used to mean a paper shredder, but electronic devices are different. They leave digital breadcrumbs, and if not properly destroyed, present a golden opportunity for the wrong people with the right hardware to salvage our information.
University Surplus and Salvage collects e-waste for the university and disposes of it through approved downstream markets. If you believe that a U-owned device has become obsolete, first contact them at 801-581-7917 or email@example.com for instructions, including how to properly document the request.
Surplus and Salvage Associate Director Clifton Grindstaff explained how his group handles U-owned computers and servers with a storage device, such as a hard drive, or persistent memory.
Hard drives, he said, are removed and destroyed in an electronics shredder or hard drive-crushing machine, or by drilling a hole where the platter resides. This helps ensure that sensitive, proprietary university, or affiliate information is destroyed.
“The university errs on the side that all computers or devices may contain sensitive data,” Grindstaff said.
Trade-ins, he added, are allowed after the hard drive is handled as above, in accordance with Information Security Policy 4-004, the Media Sanitization and Destruction regulation, and Accountability for Noncapital Equipment Policy 3-041.
Personal e-waste should be dropped at an annual electronics recycling event on campus such as U Recycle Day, or taken to electronics retailers like Best Buy or Staples, which send it to recyclers. The Environmental Protection Agency provides information on manufacturers and retailers that offer options to donate or recycle electronics.
Whether a U-owned device is being used for the first time or is ready to retire, keeping important data out of the wrong hands is critical to information security at the U.
“We all have a role in securing the university’s data. Information security can’t and shouldn’t be left to UIT alone,” Long said.