...

Document Name: ACHE Facility Security Procedures
Version: 2.0
Accountable: Alex Withers James Eyrich
Authors: Adam Slagell

Reviewed: June 24May 3, 20212023
Approved: June 29, 2016Dec 16, 2021 by IIB

Purpose

This document specifies the procedures for bringing people and equipment in and out of a secured facility for processing or storing sensitive data, such as ePHI (electronic Personal Health Information) and CUI (Controlled Unclassified Information), covered by regulations like HIPAA.

...

  1. A request with the reason for removal is sent to the CISO, who approves or rejects it.
  2. The requestor will place the media in the provided secure container.

  3. The container shall be locked with a key kept in the secure area.

  4. The security team will transport the secure container for wiping / destruction.

  5. The security team will unlock it with a second key kept at the wiping / destruction station.

  6. Each device will be wiped or destroyed per Security Office policy.

  7. The person wiping the media will electronically record the details of the wiped media and when it was sanitized. Then they will return the secure container to the secure area.

    1. If the drive cannot be wiped because it has had a hardware failure, it will be marked for destruction and tested on the wiping machine at least once.
    2. The drive will need to be inventoried into a failed drive inventory, and sent to surplus for destruction.
  8. All media that comes from Nightingale or ACHE will be labeled with stickers requesting destruction by campus surplus.
  9. The media is given to the building manager who closes the workflow and sends the drive on. If necessary, they have the original requestor fill out the RMA paperwork.

...