{"id":69502,"date":"2026-02-02T14:47:26","date_gmt":"2026-02-02T22:47:26","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=69502"},"modified":"2026-02-20T16:25:46","modified_gmt":"2026-02-21T00:25:46","slug":"bppm-87-72","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/","title":{"rendered":"87.72 System Decommission and Data Destruction"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>System Decommission and Data Destruction<\/strong><\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.72<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br \/>\u00a0 \u00a0<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr \/>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 \u00a0\u00a0 Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 \u00a0\u00a0 Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 \u00a0\u00a0 Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 \u00a0\u00a0 Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 \u00a0\u00a0 Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 \u00a0\u00a0 Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 \u00a0\u00a0 Information Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 \u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 \u00a0\u00a0 Requirements<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Four_1\">4.1 \u00a0\u00a0 General Requirements <\/a><\/li>\n<li><a href=\"#Four_2\">4.2 \u00a0\u00a0 Moderate- and High-Impact System Requirements<\/a><\/li>\n<li><a href=\"#Four_3\">4.3 \u00a0\u00a0 High-Impact System Requirements <\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 \u00a0\u00a0 Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0\u00a0\u00a0\u00a0\u00a0 Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1\u00a0\u00a0\u00a0\u00a0\u00a0 Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2\u00a0\u00a0\u00a0\u00a0\u00a0 Specific Policy Overview and Purpose<\/h4>\n<p>The protection of WSU information and IT systems requires that all retired systems, devices, and applications are securely decommissioned, and data is permanently removed or destroyed. By setting forth requirements for system decommission and data destruction, this policy minimizes the risk of unauthorized access, data breaches, and potential institutional liability.<\/p>\n<h3 id=\"Two_0\">2.0\u00a0\u00a0\u00a0 Applicability<\/h3>\n<p>This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0\u00a0\u00a0\u00a0 Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1\u00a0\u00a0\u00a0\u00a0\u00a0 Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2\u00a0\u00a0\u00a0\u00a0 Information System Owners<\/h4>\n<p>WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.\u00a0<\/p>\n<h4 id=\"Three_3\">3.3\u00a0\u00a0\u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/system-decommission-and-data-destruction-standard.pdf\">standard (PDF)<\/a> associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/system-decommission-and-data-destruction-procedure.pdf\">see examples (PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0\u00a0\u00a0 Requirements<\/h3>\n<h4 id=\"Four_1\">4.1\u00a0\u00a0\u00a0\u00a0 General Requirements<\/h4>\n<p>Information System Owners, or their delegates, must:<\/p>\n<ul>\n<li>Remove all computing devices from WSU networks when they are no longer in use, in accordance with UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-10\/\">87.10<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">87.30<\/a>;<\/li>\n<li>Designate equipment coordinators or business asset tracking specialists to track and manage assets for which they are responsible, in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-20-50\/\">UPPM 20.50<\/a>;<\/li>\n<li>When technically and operationally feasible, sanitize WSU information systems prior to system disposal. Sanitization mechanism strength is to be commensurate with the highest level of data classification stored on the system being disposed (see UPPM <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-90-01\/\">90.01<\/a> and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-20-76\/\">20.76<\/a> for details);<\/li>\n<li>Take appropriate measures to verify and document that system sanitization actions have occurred when sanitizing WSU information systems. Due care must be taken to ensure that information is not recoverable using available forensic tools when a computer and\/or its storage media are scheduled for surplus sales or another reuse either within or outside of WSU;<\/li>\n<li>Regularly test sanitization equipment and procedures to ensure continued effectiveness; and<\/li>\n<li>Educate all users of WSU information systems within their area of responsibility on proper methods of disposing those WSU information systems and the destruction of WSU Institutional Information in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>.<\/li>\n<\/ul>\n<h4 id=\"Four_2\">4.2\u00a0\u00a0\u00a0\u00a0 Moderate- and High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirement applies to all moderate- and high-impact systems.<\/p>\n<p>WSU Information System Owners, or their delegates, must update their system inventory when moderate- and high-impact WSU information systems are removed from the environment.\u00a0\u00a0<\/p>\n<h4 id=\"Four_3\">4.3\u00a0\u00a0\u00a0\u00a0 High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirement applies to all high-impact systems.<\/p>\n<p>WSU must sanitize portable storage devices to ensure they are free of malicious code before they are connected to any high-impact WSU information system.\u00a0\u00a0<\/p>\n<h3 id=\"Five_0\">5.0\u00a0\u00a0\u00a0 Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<p style=\"font-size: .8rem\">_______________________<br \/><strong>Revisions:<\/strong> Feb. 2026 (Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-651\/\">651<\/a> &#8211; NEW).<\/p>\n\n<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) System Decommission and Data Destruction<\/p>\n","protected":false},"author":49281,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69502"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/49281"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=69502"}],"version-history":[{"count":7,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69502\/revisions"}],"predecessor-version":[{"id":69996,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69502\/revisions\/69996"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=69502"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=69502"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=69502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}