I. SCOPE
This policy applies to all George Mason University faculty, staff and contractors within all academic, administrative and operational departments, offices and units.
II. POLICY STATEMENT
Because of their application to University-wide operations, and to individual employment contracts, in conducting university business, faculty and staff store university data on electronic devices, such as computer hard drives, servers and network devices. Therefore, the transfer, disposal or replacement of electronic equipment with data storage capabilities can create information security risks for the university, potential violations of software licensing agreements and the unauthorized disclosure of university data. (See University Policy 1114.)
Accordingly, all software and data files shall be removed from electronic devices and electronic media prior to transfer, removal or disposal, including but not limited to the following categories of equipment: (1) designated as surplus; (2) returned to a leasing company; (3) donated to eligible organizations; and (4) transferred to another employee. However, where the equipment will be transferred to an employee that will be replacing the device owner, any files needed for the continuity of business processes can be retained and transferred to the new employee. When an electronic device will be sent outside the university for repair, all data or software files shall first be removed or encrypted.
III. DEFINITIONS
Electronic Device: Any electronic equipment that has a storage device or persistent memory, including but not limited to computers, servers, personal data assistants, cell phones, smart phones, routers, switches, firewall hardware and certain models of printers and copiers.
Electronic Media:All media on which electronic data can be stored, including but not limited to hard drives, magnetic tapes, diskettes, CDs, DVDs, and USB storage devices.
IV. RESPONSIBILITIES
Deans, Directors, Vice Presidents and Departmental Managers: Leadership is responsible for ensuring that departments and offices follow the policy and procedures set forth herein.
Central Receiving: The manager shall: (1) secure electronic equipment until it is removed by a certified recycling company; (2) verify the recycling company’s procedures; and (3) maintain documentation that equipment has been disposed of according to contract terms.
Information Technology Services: (1) The Technology Support Services Desktop department shall, when requested, help users prepare equipment for transfer within the university and shall remove storage devices from irremediable equipment it receives before sending the equipment to Central Receiving for surplus; (2)The Information Security Officer, in consultation with the Vice President of Information Technology, will develop procedures to enforce this policy.
V. COMPLIANCE
If university data is mishandled in such a way that results in a data breach, the department at fault will pay all costs associated with the notification of a data breach, and any other related costs such as legal fees.
VI. EFFECTIVE DATE
This policy will become effective upon the date of approval by the Senior Vice President and Provost.
VII. FREQUENCY OF REVIEW
This policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.
VIII. SIGNATURES
Approved:
__/S_____________________
Maurice W. Scherrens
Senior Vice President
_/S_______________________
Peter N. Stearns
Provost
Date approved: August 13, 2012
Date of most recent review: January 29, 2013
Revised February 16, 2017