University Assets: Surplusing and Accessing during Security Incidents

1
University Assets Surplusing and Accessing
during Security Incidents

• Gordon Oyer, University Accounting
• Michael Corn, Office of the CIO

2
Agenda

• Surplusing computers and digital media
• New University policy
• Surplus policy/procedure
• Digital media policy/procedure
• Access to electronic data
• Existing policy
• Best case scenarios
• More common scenarios

3
Timeline for New Policy Process

• Surplus Policy awaiting final approval
• Digital Media Policy approved awaiting
  placement in campus administrative manual
• Standard for Digital Media Disposal in effect
  immediately
• CITES documentation 1-2 weeks (mid June)

4
Surplus Policy

• Being finalized
• Anticipated release by June 30 with effective
  date July 1, 2008
• Influenced by change in State approach to meeting
  Data Security Act data elimination
  requirementscontracted vendor

5
Surplus Policy Requirements

• Functioning machines to State vendor via property
  redistribution warehouse
• Revised tag required to be affixed verifying
  compliance with UI data elimination policy
• NOTE Recently released audit standards require
  significantly increased scrutiny of compliance
  with policies data elimination and disposal
  practices will receive much closer testing by
  external auditors

6
Revised Tag

• Unit/Department
• ___Data Overwritten
• ___Inoperable Device
• ___Degaussed per Federal Requirement
• ___Inoperable Device Replaced
• Performed by
• Date

7
Digital Media Policy

• All data on magnetic media must be rendered
  unreadable before being transferred between
  individuals or units within the University, to
  third-parties for equipment trade-in or warranty
  work, or before being transferred to University
  Surplus for recycling. Procedural specifics for
  this policy are detailed in the Standard for the
  Disposal of Digital Media.

8
Scrubbing Standard
9
Access to Electronic Data

• Appropriate Use Policy 6 Formal process rights
  granted to individuals
• Protects individuals from arbitrary invasion of
  privacy
• Requires authorization from CIO
• Requests must come from unit head and superior
• Individuals receive notification of access

10
Best Case Scenario

• Individual is leaving unit (retiring, quitting,
  changing unit)
• Have them separate work from personal before
  leaving unit
• If not possible, ask them to sign a consent form
• Security Office can do this work if individual or
  unit requests it

11
Typical Scenario

• Individual is leaving unit under sub-optimal
  conditions (being fired, civil issue with
  management, unavailable due to medical or other
  emergency)
• Unit requests access via 6 procedure
• Template exists
• Process can be expedited in emergency

12
Items to Note

• Personnel situations
• We require involvement by AHR or SHR
• Not the place to cut corners
• Even expedited can take some time (esp. if we
  have to parse through materials

13
Unfortunate Scenario - Death of Employee

• Privacy rights dont continue
• Critical to consider Intellectual Property issues
  
• Office of Technology Management
• Sensitivity to family
• Use Security Office as a resource / disinterested
  third party

14
Forms

• All available on CITES Wiki
• Consent Form
• Request for Access Letter
• Data Elimination Tag Template (also available on
  future scrubbing web site)

15
Questions / Contacts

• Gordon Oyer goyer_at_uillinois.edu
• Michael Corn mcorn_at_uiuc.edu
• security_at_uiuc.edu