
<Logo> <Company Name> Normal

Disposal and Destruction Policy


Organization: Document No:
Department: Revision: 0.1
Section: Sheet: 1 of 9

Table of Contents
1. Introduction to Disposal and Destruction Policy
2. Purpose
3. Scope
4. Policy
4.1 Disposal & Destruction of paper-based Records
4.2 Disposal & Destruction of Media
4.3 Destruction of Equipment
4.4 Disposition of Excess Equipment
4.5 Sending a hard drive out for repair or for data recovery:
4.6 Repairing a hard drive under warranty:
4.7 Overwriting hard drives for sanitization:
4.8 Clearing data:
4.9 Reuse and redistribution of IT Asset
4.10 Certification and Audit
4.11 Record Asset Inventory
4.12 Penalties
5. Destruction Details
6. Information Deletion
7. Secure disposal or re-use of equipment

Document Control
Document Version History
This table shows a record of significant changes to the document.

Version Date Author Description of Change


0.1 Draft

APPROVALS

This table shows the approvals on this document for circulation, use, and withdrawal.

Version Date Approver Title/Authority Approval Remarks


1.0
1.1
1.2

Document No: Sheet: 2 of 9


Revision No: Issue Date: xx-xxx-xx

LIST OF ABBREVIATIONS

Index   Abbreviation   Stands For
1       IT             Information Technology
2       SLA            Service Level Agreement
3       IOT            Internet of Things
4       IAS            International Accounting Standards
5       FDP            Finance Department
6       ITSM           Information Technology Service Management
7       NDA            Non-Disclosure Agreement


1. Introduction to Disposal and Destruction Policy

IT assets are critical because they hold sensitive data. <COMPANY NAME> creates and handles
information and equipment, and it is responsible for securely disposing of IT assets,
information and equipment that are owned by <COMPANY NAME> and are no longer required or
must be destroyed for security reasons.

The Disposal and Destruction Policy defines the process for the disposal and destruction of
IT assets, namely information, media and equipment.

2. Purpose
The Disposal and Destruction Policy defines the roles and responsibilities of staff in
ensuring the secure disposal of <COMPANY NAME> IT assets, equipment and information. This
policy aims to provide a rigorous method to ensure that IT assets that are deemed "End of
Life", or that must be disposed of and destroyed for security reasons, are handled as per
this policy.

3. Scope
The integrity of information assets must always be maintained.

This policy applies to all users in the Organization, including temporary users and visitors
with temporary access to services with limited or unlimited access time. All hard copy that
requires destruction is disposed of and destroyed following the guidelines in this policy.

External media shall be disposed of in a manner that ensures that the confidentiality and
security of information assets are not compromised.

4. Policy
4.1 Disposal & Destruction of paper-based Records
Many records and documents are prepared and maintained in paper form. It is therefore
essential that documents maintained on paper are shredded or destroyed as per this policy,
so that all information is disposed of properly, per <COMPANY NAME> guidelines. Disposal
and destruction are carried out after the approval of the disposal manager. Employees
should take care to ensure that evidence being used by the company is not destroyed.

4.2 Disposal & Destruction of Media


External or internal media, and information in computers, servers, et cetera, form part of
the information assets. Media (CD-ROMs, DVDs, disks, USB drives) should be disposed of in a
manner that ensures that there will be no loss of data and that the confidentiality and
security of that data shall not be compromised.


The following steps must be adhered to:

a) Disposal and destruction of information assets is the responsibility of each employee.
Employees must identify media that should be shredded and follow this policy when
destroying it.
b) External media should never be thrown in the trash; it should be destroyed.
c) When no longer needed, all forms of external media are to be sent to the Information
Security Department or appropriate personnel for proper disposal.
d) The media will be secured, and a log will be maintained, by authorized
personnel / the Information Security team until appropriate destruction methods are
used.

4.3 Destruction of Equipment


Equipment Asset tags used for identifying equipment shall be removed before disposal and
destruction of equipment.

Equipment to be destroyed and disposed of shall have all data erased and be restored to
factory settings.

4.4 Disposition of Excess Equipment


As the older computers and equipment are replaced with new systems, the older machines
are held in inventory for various uses:

a) Old machines are regularly utilized for spare parts.
b) Old machines are used on an emergency replacement basis.
c) Old machines are used for testing new software.
d) Old machines are used as backups for other production equipment.
e) Old machines are used when it is necessary to provide a second machine for
personnel who travel on a regular basis.

4.5 Sending a hard drive out for repair or for data recovery:
The vendor repairing or recovering data on the hard drive must have signed an appropriate
Business Associate Agreement with the Communication Disorders Clinic or Appalachian
State University, stating that they will take proper care of the data. Once data is recovered
or the hard drive is repaired the original hard drive must be returned to the owner so that
the owner can dispose of it per this Communication Disorders Clinic policy for proper
disposal of hard drives.


4.6 Repairing a hard drive under warranty:


a) In the special situation where a hard drive under warranty has failed and the
manufacturer requires that the failed disk drive be returned, an appropriate
Business Associate Agreement between the manufacturer and the Communication
Disorders Clinic or Appalachian State University must be in place before the drive
can be shipped to the manufacturer.

b) If the manufacturer will not sign a Business Associate Agreement, then the old drive
must be properly destroyed, and the owner of the system must cover any costs
associated with purchasing a new drive.

4.7 Overwriting hard drives for sanitization:


a) Overwriting is an approved method for sanitization of hard disk storage media.
Overwriting of data means replacing previously stored data on a drive or disk with a
random pattern of meaningless information.
b) This effectively renders the data unrecoverable, but the process must be correctly
understood and carefully implemented. Overwriting consists of recording data onto
magnetic media by writing a pattern of fluxes or pole changes that represent binary
codes.
c) Sanitization is not complete until the three overwrite passes and a verification pass
are completed. A variety of software packages that properly perform this function are
available on the open market.

4.8 Clearing data:


a) Clearing data such as formatting or deleting information removes information from
storage media in a manner that renders it unreadable unless special utility software
or techniques are used to recover the cleared data.
b) Because the clearing process does not prevent data from being recovered by technical
means, it is not an acceptable method of sanitizing media intended for disposal
outside of the Communication Disorders Clinic.

4.9 Reuse and redistribution of IT Asset


The Information Security Department shall undertake the necessary secure procedures to
ensure that any and all sensitive data is removed before an IT asset is redistributed.

4.10 Certification and Audit


Successful deletion, disposal and destruction must be evidenced, and certification must be
obtained and always recorded.


4.11 Record Asset Inventory


Details of disposal, destruction and deletion must be recorded and updated within the
Information Security asset inventory database to ensure that <COMPANY NAME> has an
up-to-date record of active IT assets and destroyed IT assets.

4.12 Penalties
Any employee found to have violated this policy may be subject to disciplinary action, up to
and including termination.

5. Destruction Details

Date     Record Id   Description                     Department    Destruction method
2/2/22   3ed34       IT Hardware related documents   IT Hardware   Paper Shredding

6. Information Deletion
General:

To lower the risk of unintentional disclosure, sensitive material should not be kept
longer than is necessary.

The following factors should be taken into account when removing data about systems,
applications, and services:

• choosing a deletion technique (such as electronic overwriting or cryptographic
erasure) while taking into account relevant laws and regulations and business
considerations;
• recording the results of deletion as evidence;
• requesting proof of information deletion from service providers before using their
services.

When third parties keep information on <Organization Name>'s behalf, <Organization
Name> should think about including clauses requiring information deletion to be carried
out both during and after the end of the third-party service.


Deletion methods:

When no longer needed, sensitive information should be destroyed in line with
<Organization Name>'s topic-specific data retention policy, taking into account
applicable laws and regulations, by:

• configuring systems to securely destroy the information when no longer required
(e.g., after a defined period subject to the topic-specific policy on data retention, or
a subject access request);
• removing outdated copies, versions, and temporary files from all locations;
• using approved, secure deletion software to permanently delete information to help
ensure information cannot be recovered by using specialist recovery or forensic
tools;
• using approved, certified providers of secure disposal services;
• using disposal techniques suitable for the kind of storage media being disposed of
(such as degaussing magnetic storage devices like hard drives).

When using cloud services, <Organization Name> should confirm that the deletion option
offered by the provider is appropriate, and if it is, <Organization Name> should employ it
or ask the provider to delete the information.

When applicable and available, these deletion procedures should be automated in
accordance with topic-specific policies. Logs can trace or confirm that these deletion
operations have taken place, depending on the sensitivity of the material that has been
erased.

Prior to equipment leaving <Organization Name>'s premises, sensitive information should
be protected by removing auxiliary storage (such as hard disk drives) and memory to
prevent the unintended disclosure of sensitive information when equipment is being
transported back to vendors.

Given that some devices (such as smartphones) can only be securely deleted by being
destroyed or by using functions built into them (such as "restore factory settings"),
<Organization Name> should select the best strategy based on the type of information that
the device handles.

The storage device should be physically destroyed, and its contents should be deleted at the
same time using the control procedures indicated.

When determining the cause of a potential information leakage event, an official
record of information deletion is helpful.


7. Secure disposal or re-use of equipment

Before discarding or reusing equipment, it should be checked to determine whether storage
media is enclosed.

Instead of utilizing the usual delete function, storage media containing confidential or
copyrighted information should be physically destroyed, or the information should be
physically destroyed, deleted, or overwritten using methods that make the original
information unrecoverable.

Detailed instructions on how to delete information from storage media and dispose of them
securely.

Before disposal, including reselling or donating to charity, labels and markings identifying
the organization or showing the classification, owner, system, or network should be
removed.

When the lease expires or <Organization Name> vacates the property, it should remove
security measures such as access controls and surveillance equipment.

This depends on things like:

a) the lease obligation to restore the facility to its initial state;
b) reducing the chance of leaving systems containing private data (such as user access
lists, video, or image files) for the incoming tenant;
c) reusing the controls at the next facility.
