The following guidelines are recommendations based off Illinois State Law, where applicable, and standards from the National Institute of Standards and Technology (NIST) SP800-88, where State Law does not apply, to help departments at Eastern Illinois University (EIU) properly destroy and/or sanitize physical and digital media containing sensitive internal and confidential University Information. For more information on what constitutes internal and confidential University Information, please refer to the Information Security Guidelines for Information Classification.
Eastern Illinois University is required by the Illinois State Records Act (5 ILCS 160) to properly destroy hard copy documents such as paper based records after the required retention period. (Retention period varies based on the type of record. Questions about specific retention periods should be referred to the EIU Records Manager.) Proper destruction of hard copy documents must follow the guidelines set forth by the State Records Commission Rules (44 Ill Admin Code PART 4400.40) which states: “Approved methods of destruction for paper based records for which disclosure is prohibited by law or that identify a person include: burning; shredding, in which either a crosscut shredder cutting to a maximum width of ⅜ inches or an industrial sized strip cut shredder is used, if it is incorporated with a baler or the shredded paper is further destroyed; pulping using standard wet process pulpers; or pulverizing using a dry destruction process that may include the use of hammer mills, choppers, huggers or disintegrating equipment. “ Therefore, hard copy document containing sensitive internal or confidential information must be destroyed in one of the two following ways:
For more information on locking recycle bins, please contact EIU Records Management. The State Records Commission Rules also includes requirements pertaining to the how microfilm (4400.50), other films such as picture film, roll fill and sheet film (4400.60) and digital reproductions (4400.70). For assistance with the requirements of these types of hard copy media please the EIU Records Manager. More information on proper handling, storage and destruction of official Records is available on the Records Management Program website.
Eastern Illinois University is required by Illinois State Public Act 093-0306 Section 20 to properly sanitize all non-disposable magnetic disks prior to surplus. As required by Public Act 093-0306, all non-consumable magnetic disks such as desktop, laptop, server and USB drives must be properly sanitized according to the following guidelines: All disks and drives used to store data must be overwritten at least 3 times or physically destroyed. This sanitization must be certified in, in writing, with the following information:
Computer equipment sent through Eastern Illinois University’s internal surplus process will be sanitized by ITS prior to surplus. Computer equipment intended for reuse within Eastern Illinois University should be wiped according to the following guidelines prior to deployment to the new user: Prior to deployment to a new individual and/or department, computer equipment should undergo a one pass wipe to remove any data from the previous user. For assistant in properly sanitizing a computer intended for reuse within the university, please contact the Help Desk.
Following NIST SP800-88, the following guidelines must be followed for properly disposing of disposable media including CDs, DVDs and floppy disks: Disposable Media containing sensitive internal or confidential University information must be shredded prior to disposal to ensure the data are unreadable. ITS has a CD and DVD shredder available for use to help assist with the destruction of Disposable Media. If the Consumable Media contains records information, then the disposal certificate must be submitted to the EIU Records Manager and approved by the state prior to shredding. It is the responsibility of the department to complete this form and obtain state approval. A Destruction Certificate Form must be completed and submitted to the EIU Records Manager following destruction.
Following NIST SP800-88, the following guidelines must be followed to properly sanitize hand-held devices such as cell phones, smart phones and personal digital assistants (PDAs) that do not contain a magnetic disk: Manually delete all information on the hand-held device including, but not limited to, calls made, phone numbers, data, email messages, and text messages; Following manual deletion of data, perform a full manufacturer’s hard reset to restore the hand-held device to its factory default state.
Following NIST SP800-88, the following guidelines must be followed to properly sanitize networking devices such as routers, switches and hubs: Perform a full manufacturer’s reset to restore the networking device back to the factory default settings.
Following NIST SP800-88, the following guidelines must be followed to properly sanitize duplication equipment such as copy machines and fax machines: Perform a full manufacturer’s reset to reset the duplicating machine to its factory default settings.
Equipment not owned by the state must adhere to the same requirements as outlined within “Information Security guidelines for media sanitization and disposal policy” before being returned to the vendor.
Last Date Reviewed: 05/23/2023