Information Security Management and Compliance
Records Management Standard
- References: CSU Records Access Manual
- CSU Subpoena Handbook
- CSU Executive Order 1031, Systemwide Records/Information Retention Schedules
- Government Code Section 6250-6270
- Fair and Accurate Credit Transactions Act of 2003 (FACTA); FCRA, 15 U.S.C. 1681 et seq.
- California Civil Code §1798.81
- Issue Date: September 2008
- Revision Date: April 2009
- Expiration Date: N/A
RECORDS DISPOSITION
Disposition of records shall be conducted in a timely manner following the retention period and based on their information classification level.
Failure to adhere to disposition schedules can lead to the unnecessary expenditure of resources to store, maintain, search for, and produce records. Records not disposed of at the end of their retention period remain subject to records requests under statute or legal proceedings.
Determining Disposition Date
Retention periods are counted form the date of creation of the record, unless other instructions (e.g., “3 years from termination”) are noted in the Records Retention Schedule. Disposition would normally occur following the end of the month of year that marks the end of the retention period; thus, disposition of a record for which the retention period ends on July 10 would take place as soon after July 31 as practicable.
Cautions Regarding Disposition
There may be conditions under which records destruction must be deferred even if they have reached or exceeded the end of their retention period. These conditions include:
- External requirements under state and federal laws or regulation or when grants or contracts retention periods override University retention periods;
- Records that have been requested pursuant to statute or legal proceedings (e.g., California Public Records Act, Subpoena);
- Records that have not been requested but are deemed likely to be requested pursuant to statute or legal proceedings including potential litigation must be retained following notification by the campus Risk Manager.
- Records related to on ongoing investigation must not be disposed of without prior consultation with campus counsel.
Disposition Based on Classification Level
To protect the confidentiality of information and the related privacy rights of CSULB students, faculty, staff, donors, patrons, vendors, and others, Level 1 and Level 2 information contained in all software and/or computer files, storage media devices and hard copy must be sanitized prior to disposal. The sanitization process ensures that recovery of information is not possible. Several methods can be used to sanitize media; however, the two major types of sanitization are clearing and destroying.
- Clearing
-
Clearing information is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Simple deletion of items does not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities and must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. Overwriting is an acceptable method for clearing media. The security goal of overwriting is to replace written data with random data.
There are several overwriting software products to overwrite storage space on media. CSULB Network Services provides software tools and instructions to securely clean the data from ATA based hard drives and other storage media. Overwriting cannot be used for media that are damaged or not rewritable. In such cases, media should be destroyed.
- Destroying
- Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods. Hard copy destruction can be accomplished using a variety of methods, with cross-cut shredding being the most common practice. Straight cut shredding is not a compliant destruction method. Departments may shred media on site or contact Procurement and Support Services for a listing of approved document destruction vendors.
Recommendations for sanitizing media types are found in Attachment C – Media Sanitization Methods.