Procedure P4-004L: Media Handling

Revision 0. Effective date: November 6, 2024

  1. Purpose and Scope
  2. Definitions
  3. Procedure
    1. Management of Media
    2. Disposal of Media
  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources
  5. References
  6. Contacts
  7. History

  1. Purpose and Scope

    1. Purpose.

      The purpose of this Media Handling Procedure is to outline the management, handling, and disposal processes for Media.

    2. Scope.

      The scope of this procedure is all University administrative units, including colleges, divisions, departments, and centers, and all members of the University community, including students, staff, faculty, other permanent or temporary employees, contractors, research collaborators, vendors, and third-party agents.

      This procedure supports Section L, titled Information System Media Handling, of the University of Utah Information Security Policy 4-004.

  2. Definitions

    The definitions provided in Policy 4-004 apply for this procedure. In addition, the terms below apply for the limited purpose of this procedure.

    1. IT Resource Data Storage – Media on which an IT Resource’s Information Assets are stored (e.g., hard drives and solid-state drives), which also includes Information System Media.

    2. Least Privilege – The principle of granting Users the minimum access and authorization needed to perform their job functions.

    3. Media – Information System Media, IT Resource Data Storage, and Removable Media.

    4. Removable Media – Physical media that is attached to or easily removed from an electronic device (e.g., IT Resource, Information System, Workstation, Mobile Device) on which Information Assets are stored for backup and sharing purposes (e.g., USB drives, thumb drives, external hard drives, DVDs, CDs).

  3. Procedure

    1. Management of Media

      1. IT managers shall:

        1. be knowledgeable of the applicable federal, state, and local laws, regulations, and statutes, as well as contractual obligations for the Media for which they are responsible;

        2. ensure Media is acquired from trusted sources;

        3. have a plan to ensure the confidentiality, integrity, and availability of Media;

        4. at least annually, audit and review Media handling practices, plans, and procedures to identify and rectify any potential issues; and

        5. consult the data owner before removing Information System Media from University premises.

      2. IT Technicians shall:

        1. implement all applicable federal, state, and local laws, regulations, and statutes, as well as contractual obligations for the Media they manage;

        2. store Media and documentation in accordance with all applicable federal, state, and local laws, regulations, and statutes, as well as contractual obligations;

        3. maintain an up-to-date inventory of all Information System Media containing Sensitive and Restricted Data;

        4. label Information System Media and Removable Media with unique identifiers and data classification as required by any applicable federal, state, and local laws, regulations, and statutes, as well as contractual obligations;

        5. maintain a detailed record of all Media containing Sensitive or Restricted Data removed from the University’s premises;

          i. Records shall include, at a minimum, the User who has possession of the Media, when it was removed from the University’s premises, current Encryption state, and what data is stored therein.

        6. implement strict access Control measures based on Least Privilege to ensure only authorized personnel have access to Information System Media;

        7. encrypt all Media containing University data wherever technically feasible;

        8. maintain Encryption keys in a secure location;

        9. disable autorun, autoplay, and auto-execute functionality for Removable Media wherever technically feasible;

        10. document usage of Information System Media; and

        11. configure antivirus and anti-malware to scan Media at time of use.

    2. Disposal of Media

      1. IT managers shall:

        1. retain Media disposal documentation in accordance with all applicable federal, state, and local laws, regulations, and statutes, as well as contractual obligations.

      2. IT Technicians shall:

        1. safely and securely dispose of Media, at the direction of the data owner, when such Media is no longer required by any applicable federal, state, and local laws, regulations, and statutes, or contractual obligations; and

        2. make unrecoverable the contents of Media containing Sensitive or Restricted Data prior to reuse or removal from the University’s premises in accordance with all applicable federal, state, and local laws, regulations, and statutes, as well as contractual obligations.


  Sections IV-VII are for user information about this procedure.

  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources

    1. Policies/ Rules.

      1. Policy 4-004: University Information Security Policy

    2. Procedures, Guidelines, and Forms. [ reserved ]

    3. Other Related Resources.

      1. NIST 800-88: Guidelines for Media Sanitization

  5. References

    [reserved]

  6. Contacts

    The designated contact officials for this Regulation are:

    1. Policy Owner(s) (primary contact person for questions and advice): Chief Information Security Officer

    2. Policy Officer(s): Chief Information Officer

    See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

  7. History

    Revision History.

    1. Current version. Revision 0.

      1. Approved by Chief Information Security Officer with effective date of November 6, 2024.

    2. Renumbering

      1. Not applicable

Last Updated: 11/6/24