1. Introduction

Government of Ontario Information Technology Standards (GO-ITS) are the official publications on the IT standards adopted through the Office of the Corporate Chief Information Officer (OCCIO) and IT Executive Leadership Council (ITELC) for use across the government’s information and information technology (I&IT) infrastructure.

These publications support the responsibilities of the Treasury Board Secretariat for coordinating standardization of I&IT in the Government of Ontario. In particular, GO-IT Standards describe where the application of an IT standard is mandatory and specify any qualifications governing the implementation of the IT standards.

2. Summary

2.1 Standard name and description

This document, GO-ITS 25.20 Disposal, Loss and Incident Reporting of Computerized Devices and Digital Storage Media, sets out security requirements for the disposal of computerized devices and digital storage media, and requirements for reporting security incidents and breaches, including when computerized devices and digital storage media have been lost or stolen.

2.2 Background and rationale

This standard describes the processes, parameters, and technical specifications that must be followed when all types of computerized devices and digital storage media are no longer required for business use, including the technical requirements for procedures that must be used to adequately sanitize and/or destroy them.

This standard also provides the necessary steps regarding what to do and who to notify in the event of a lost or stolen computerized device or digital storage media, and what to do following a report of a security incident or security breach.

This document will be reviewed on an ongoing basis to take into account the evolution of technology, security features, and best practices.

2.3 Target audience

The intended audience for this document includes all Government of Ontario technology service providers and all application development and integration initiatives.

2.4 Scope

2.4.1 In scope

This document applies to the handling of all government-issued computerized devices and digital storage media used to process, store, transmit, and record data/information in the custody or under the control of the Government of Ontario.

The following are examples of the primary types of computerized devices and digital storage media included in this standard, whether they are leased or purchased by the Government of Ontario:

  • desktop computers and all integrated storage
  • laptop computers and all integrated storage
  • all removable storage
  • server storage and/or backup arrays
  • magnetic storage media (for example, hard disk drives, tapes, cassettes, diskettes)
  • semi-conductor storage media (for example, USB memory, flash memory cards, solid-state disk drives)
  • optical storage media (for example, CDs, DVDs, Blu-Ray discs)
  • mobile technology (for example, smartphones, tablets, mobile devices)
  • multi-functional devices with scanner, printer, facsimile, and photocopy capabilities, as well as legacy devices with any of these capabilities

To ensure business information on a given system or computerized device is migrated and retained appropriately before the device is sanitized, disposed of, or destroyed, and to meet the obligations described in the Corporate Policy on Recordkeeping, Access and Privacy, system owners should work directly with their respective record management practitioner as well as consult with their designated officials responsible for privacy and freedom of information responsibilities. It is also important to understand the technology in use, and any associated caveats or constraints.

The information security concern regarding information disposal and media sanitization primarily resides not in the media but in the recorded information. In other words, and for clarity regarding the scope and intent of this standard, the concern regarding media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media, and any related context or technical caveats that may increase the likelihood of, or vulnerability to, unauthorized access to that information.

2.4.2 Out of scope

Not applicable.

2.5 Applicability statements

2.5.1 Organization

All Ministries and I&IT Clusters are subject to Government of Ontario IT Standards.

All adjudicative and advisory agencies are subject to Government of Ontario IT Standards.

All other agencies that are using OPS information and information technology products or services are required to comply with Government of Ontario IT standards if they are subject to either the Governance and Management of Information Technology Directive OR Government of Ontario IT Standards by memorandum of understanding.

As new GO-IT Standards are approved, they are deemed mandatory on a go-forward basis (go-forward basis means at the next available project development or procurement opportunity).

When implementing or adopting any Government of Ontario IT standards or IT standards updates, Ministries, I&IT Clusters and applicable agencies must follow their organization’s pre-approved policies and practices for ensuring that adequate change control, change management, and risk mitigation mechanisms are in place and employed. For the purposes of this document, any reference to Ministries or the Government includes applicable agencies.

2.5.2 Other applicability

Ministries must ensure that service partners, who use or provide government I&IT resources, are made aware of and adhere to this standard. Reference to this document must be included in contracts and service level agreements where applicable.

2.5.3 Requirement levels

Within this document, certain wording conventions are followed. There are precise requirements and obligations associated with the following terms:

Must - This word, or the terms "required" or "shall", means that the statement is an absolute requirement.

Should - This word, or the adjective "recommended", means that there may exist valid reasons in particular circumstances to ignore the recommendation, but the full implications (for example, business functionality, security, cost) must be understood and carefully weighed before choosing a different course.

3. Technical specification

The following requirements apply to all I&IT assets and operations within the scope of the Governance and Management of Information Technology Directive.

3.1 Sanitization, security of media in transit, and secure chain of custody

Sanitization is a process through which data is irreversibly and reliably removed from functional storage media (that is, removed beyond mere “deletion” within a filesystem). The storage media is typically left in a re-usable condition, but the data that was previously stored on that media cannot be recovered or accessed. If not handled properly, inadvertent release of such media prior to sanitization (along with the other required processes described in this document) could lead to unauthorized disclosure of information and adverse impact. Sanitization alone is also not sufficient to manage all media and risks addressed by this standard. In some instances, such as in some use cases where semi-conductor storage is used in sensitive environments, sanitization will instead be a preparatory procedure performed in advance of media and/or device destruction.

Sanitization operations must:

  • Be performed following a formalized intake process, where, at a minimum:
    • The program area relinquishing media for disposal assesses the media and provides a clear indication regarding the physical type/nature and condition/state of the media;
    • The program area relinquishing media for disposal assesses the media and business context, and provides a clear indication, should any provided media contain, or intake assessment determines is more likely than not to contain, any information considered to be High Sensitivity according to the Information Sensitivity Classification Policy (ISC);
    • The program area relinquishing media for disposal assesses the media and business context, and provides a clear indication, should any provided media have been installed within or connected to a computerized device that was, for any period of time, used for the purposes of directly accessing services or environments containing aggregate High Sensitivity information;
    • The program area relinquishing media for disposal provides written attestation(s) regarding the assessments and details described above; and
    • Sanitization is conducted with reference to the provided media type/nature, condition/state, program area attestations, and any additional threat/risk information.
  • Be followed by a formalized verification process, where, at a minimum:
    • All received media is accounted for;
    • The media is examined to confirm successful sanitization of all sectors by means of a thorough inspection of the media; this inspection should ideally be performed through use of a standalone tool intended for this purpose, and not features offered by the sanitization software/tools alone; and
    • Relevant logs, error messages, etc. are reviewed (for example, those generated by software over-write tools) to confirm that no unexpected hardware behaviour or errors occurred during sanitization that may reduce the intended degree of assurance or indicate a media hardware failure.

For the purposes of this document, and with reference to the above, the following should be considered to constitute “sanitization”:

  • Over-write of the entirety of the storage media using software and a configuration approved by Cyber Security Division, per the requirements in section 3.2 of this document;
  • Over-write of the entirety of the storage media using a secure erase command approved by Cyber Security Division for a specific use case, media, and product type, per the requirements in section 3.2 of this document; and
  • Cryptographic “erase” or cryptographic “shredding” of the entirety of the storage media, per the requirements in section 3.2 of this document.

For clarity, factory reset/clear of mobile technology, while adequate for some use cases, is not generally considered to constitute “sanitization” for the purposes of this document. To increase the degree of assurance when using reset/clear functions for disposal of mobile technology, credentials/identifiers and cryptographic keys/certificates should be removed and/or revoked where relevant/applicable, per the applicable destruction requirements in section 3.2.6.

Ensuring a “secure chain of custody” requires that an unbroken trail of physical security and accountability for a computerized device and/or digital storage media must exist from the time it leaves a managed, secure government site, until the moment the data/information on the device or media is either sanitized and/or the device or media is destroyed (which will vary by device or media type, and per section 3.2.6 requirements).

As well, information can be vulnerable to unauthorized access, misuse, or corruption during physical transportation of media. As such, devices or media being transported for sanitization, destruction, or disposal must adhere to the requirements in this standard (particularly regarding the secure chain of custody); such devices or media must be stored securely, and protected from unauthorized access, misuse, or corruption. Readers should review GO-ITS 25.0 General Security Requirements, specifically section 3.7.2 Security of Media in Transit, in support of this requirement.

Indications of government ownership of computerized devices (labels, tags, etc.) must be removed prior to any re-use or resale of assets.

3.2 Disposal of computerized devices and digital storage media

3.2.1 Disposal of functioning computerized devices and digital storage media

All functioning computerized devices and digital storage media (for example, cassettes, tapes, and traditional, magnetic hard drives) must have the entirety of any integrated magnetic storage capacity over-written using software and/or a secure erase command configured and/or suited for the specific device(s) and use case that has been approved by the Government of Ontario Cyber Security Division. All such software, tools, and/or supported commands should be reviewed for evidence of independent validation and known vulnerabilities prior to approval for use. Simply reformatting or deleting recorded data is not an acceptable sanitization process for any type of storage media requiring disposal.

All functioning semi-conductor media (for example, solid-state drives, flash memory, USB sticks) must be sanitized (and destroyed, if applicable, per section 3.2.6) in accordance with this standard. Per ongoing consultation with the Canadian Centre for Cyber Security regarding media security, and due to known vulnerabilities, over-writing with third party software or cryptographic shredding, as sole safeguards, are not always considered an acceptable sanitization process for all semi-conductor media. Secure erase commands should also not be considered reliable in all cases for these devices. Additionally, if the semi-conductor storage capacity cannot be reliably removed from the device, and the device is not vendor serviceable at the user’s site to enable such removal, then the entire device must be sanitized and destroyed.

All functioning optical media (for example, CDs, DVDs, Blu-Ray discs) must be destroyed in accordance with this standard. Over-writing with third party software or cryptographic “erase” / cryptographic “shredding” is not typically used (nor considered acceptable) as a sanitization process for optical storage media, and re-use/resale value is negligible. Additionally, if inserted optical media cannot be removed from the device (for example, due to a hardware failure or physical damage), then the entire device must be destroyed.

3.2.2 Disposal of non-functioning computerized devices and digital storage media

Non-functioning computerized devices and/or digital storage media of all types cannot be over-written or otherwise sanitized (for example, a software over-write or secure erase command would fail on non-functional media), but must instead be crushed or otherwise reliably rendered inoperable at the user’s site, and then sent for more complete destruction.

Non-functioning semi-conductor storage media (for example, solid-state drives, flash memory, USB sticks) must not be subject to attempts at over-writing, invoking secure erase commands, or other sanitization methods once a non-functioning state has been confirmed. Non-functioning optical media (for example, CDs, DVDs, Blu-Ray discs) must be destroyed.

If on-site crushing is not possible (for example, by reason of geographical distance, or lack of adequate on-site support) then the non-functioning device or media must be transferred by secure courier, under a secure chain of custody, to the destruction service provider’s site, where its destruction must be witnessed, or an appropriate attestation process identified, completed, and certified. The certification provided must constitute evidence (in physical or electronic form) and provide chronological documentation pertaining to the sequence of custody, control, transfer, analysis, and final, attested disposition of the non-functioning devices and/or media.

Additionally, if semi-conductor storage capacity cannot be reliably removed from a non-functioning device, and the device is not vendor serviceable at the user’s site to return it to a functioning state, then the entire device must be sent to the destruction service provider’s site by secure courier, under a secure chain of custody, where its destruction must be witnessed, or an appropriate attestation process identified, completed, and certified.

3.2.3 Disposal of information within cloud services

Some forms of information processing and storage will rely on Cloud Services. Program areas must take responsible steps, per GO-ITS 25.21 (Cloud First Principles and Security Requirements) sections 2.4.6, 2.4.8, 2.4.13, and 2.4.46, for ensuring support for migration/removal/disposal of government information from and recordkeeping within Cloud Services. It is however expected that supporting technology and support for storage media within Cloud Services will conduct or effect sanitization, disposal, etc. – or otherwise reduce the risks that these techniques are intended to mitigate – through technical and procedural means integral to those Cloud Services features and platforms. Cloud Service Provider terms of service, service level agreements, and security claims should make reference to such technical and procedural means. Adoption and use of Cloud Services per GO-ITS 25.21 – in particular, deployment in accordance with the permitted models in Fig. 1 (“Deployment classification matrix”) of that document, and/or completion of case-specific assessments, when required – must be observed to help in minimizing risks associated with the processing and storage of sensitive information within such environments.

3.2.4 Certification

A certification of completion must be made available to the program manager for disposal activities. The certificate is required to confirm that the sanitization and/or the destruction process was successfully completed.

Certificates must be retained by the program manager for audit purposes. Such certificates must be retained in accordance with the applicable records schedule for the relevant business area.

The completed certificate must constitute evidence (in physical or electronic form) and chronological documentation pertaining to the sequence of intake, custody, control, transfer, analysis, confirmed sanitization validation process, and final, attested disposition of all media and/or non-functioning devices, and contain the following details at a minimum:

  • The person’s name who requested the sanitization and/or destruction, the relevant program area, and confirmation of formalized intake process completion;
  • The person’s name who witnessed the sanitization and/or destruction;
  • A description of the device (for example, USB stick, hard drive, tablet, smartphone, etc.);
  • Any unique identifier (for example, serial number);
  • The date the process was performed;
  • The results of the formalized validation process;
  • The method and specifications of destruction methods, if used (for example, pulverization, cross-cut shredding, size of particles, etc.);
  • The name and address of the service provider who performed the process; and
  • The signature of the service provider representative.

3.2.5 Magnetic storage media over-writing process

Software must be used which can reliably sanitize stored data/information by over-writing all sectors, blocks, tracks, file allocation tables, and any unused disk space (including unallocated space).

To ensure the effectiveness of this method and to overcome a documented track-edge phenomenon, the over-write process must apply three separate over-writing passes to ensure that the data cannot be reconstituted.1 In accordance with Royal Canadian Mounted Police (RCMP) over-write criteria, the first pass must write all “1”s or all “0”s to the media, the second pass must write the opposite of the first pass, and the third pass must apply a pattern that the technician operating the software can read to verify the results. The technician must verify, as part of the verification process, that there are no sectors that were not over-written, and that the procedure was successful.

With approval from Cyber Security Division, and per section 3.1 of this document, some types of secure erase commands and use cases may provide for acceptable over-writing of data/information for some storage media. The verification process that confirms successful over-write of all sectors and checks for unexpected hardware behaviour or errors is still required. Please consult with Cyber Security Division regarding support for this option for magnetic media.
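
The three-pass over-write and the technician's verification described in section 3.2.5, as an added Python example that is not part of this standard and is not software approved by Cyber Security Division. It runs against a constructed image file rather than a device; the 512-byte sector size, the pass-3 marker text, and all function names are assumptions made for illustration.

```python
import os
import tempfile

SECTOR_SIZE = 512                 # assumed logical sector size of the test image
MARKER = b"GO-ITS-25.20 PASS-3 "  # assumed technician-readable pattern (20 bytes)


def readable_sector(marker=MARKER, size=SECTOR_SIZE):
    """Repeat the marker so it fills exactly one sector."""
    return (marker * (size // len(marker) + 1))[:size]


def overwrite_pass(path, sector):
    """Write `sector` over every sector of the image in place; return the count."""
    size = os.path.getsize(path)
    if size == 0 or size % len(sector):
        raise ValueError("image must be a non-empty whole number of sectors")
    with open(path, "r+b") as img:
        for _ in range(size // len(sector)):
            img.write(sector)
        img.flush()
        os.fsync(img.fileno())  # push this pass to the backing store before the next
    return size // len(sector)


def three_pass_overwrite(path, first_byte=0x00):
    """Pass 1: all 0s or all 1s. Pass 2: the opposite. Pass 3: readable pattern."""
    if first_byte not in (0x00, 0xFF):
        raise ValueError("first pass must be all 0 bits or all 1 bits")
    overwrite_pass(path, bytes([first_byte]) * SECTOR_SIZE)
    overwrite_pass(path, bytes([first_byte ^ 0xFF]) * SECTOR_SIZE)
    return overwrite_pass(path, readable_sector())


def verify_image(path, expected_sectors, expected=None):
    """Independent read-back: list every sector that lacks the pass-3 pattern."""
    expected = expected or readable_sector()
    mismatched, index = [], 0
    with open(path, "rb") as img:
        while True:
            chunk = img.read(len(expected))
            if not chunk:
                break
            if chunk != expected:  # stale data, short read, or wrong pattern
                mismatched.append(index)
            index += 1
    return {
        "sectors_read": index,
        "mismatched": mismatched,
        "passed": index == expected_sectors and not mismatched,
    }


def run_demo():
    """Sanitize a constructed image, verify it, then verify one with stale sectors."""
    stale = b"CONSTRUCTED-RECORD name=EXAMPLE id=0000 ".ljust(SECTOR_SIZE, b".")
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as img:
            img.write(stale * 64)  # constructed 64-sector "used" image
        written = three_pass_overwrite(path)
        clean = verify_image(path, expected_sectors=64)
        with open(path, "rb") as img:
            residue = b"CONSTRUCTED-RECORD" in img.read()
        # Simulate two sectors that the over-write silently failed to reach.
        with open(path, "r+b") as img:
            for sector in (5, 40):
                img.seek(sector * SECTOR_SIZE)
                img.write(stale)
        failed = verify_image(path, expected_sectors=64)
        return written, clean, residue, failed
    finally:
        os.remove(path)


if __name__ == "__main__":
    written, clean, residue, failed = run_demo()
    print("sectors written per pass:", written)
    print("after over-write:", clean, "| plaintext residue:", residue)
    print("with stale sectors:", failed)
```

The read-back in `verify_image` shares no state with the writing code, in line with the section 3.1 preference for verification by a standalone tool rather than by the sanitization software alone.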

3.2.6 Physical destruction process

All computerized devices or digital storage media requiring destruction must be reliably destroyed using a process that provides strong assurance that recorded information on the device or media is rendered totally and permanently inaccessible.

All service providers must be currently registered with Supply Ontario and be a qualified vendor on an official Government of Ontario vendor of record list.

The following devices and/or media must be sent directly to the destruction service provider via secure courier, and under a secure chain of custody, to undergo a reliable physical destruction process that is witnessed and includes an attestation procedure established per the requirements in this document:

  • Any computerized devices when storage capacity cannot be reliably removed or otherwise sanitized, and any non-functioning device.
  • Any semi-conductor storage media (for example, USB memory, flash memory cards, solid-state disk drives), subsequent to sanitization, and per ongoing consultation regarding known solid-state disk drive concerns and media security with the Canadian Centre for Cyber Security, where any of the following apply:
    • The re-use/resale value of the media is negligible (for example, inexpensive USB removable media, legacy flash memory formats, etc.);
    • Any information contained/recorded is, or intake assessment determines is more likely than not to be, considered High Sensitivity information according to the Information Sensitivity Classification Policy;
    • The media is from a computerized device that was, for any period of time, used for the purposes of directly accessing services or environments containing aggregate High Sensitivity information;
    • It cannot be confirmed with certainty that the entirety of the media was encrypted by means of an enterprise-managed service, and in accordance with GO-ITS 25.12, prior to any production use of the media;
    • The location, status, disposition, and/or custody of the key material used to encrypt the entirety of the media is unknown, uncertain, or unsafe;
    • Intake assessment of the media prior to sanitization has detected any errors/conditions that suggest areas of the media may not be accessible by the device controller; and/or
    • The validation process for an approved sanitization method has indicated any errors/conditions that suggest risk regarding adequate completion of sanitization.
  • Non-functional magnetic storage media (for example, hard disk drives, tapes, cassettes, diskettes) where any of the following apply:
    • Any information contained/recorded is, or intake assessment determines is more likely than not to be, considered High Sensitivity information according to the Information Sensitivity Classification Policy;
    • The media is from a computerized device that was, for any period of time, used for the purposes of directly accessing services or environments containing aggregate High Sensitivity information;
    • It cannot be confirmed with certainty that the entirety of the media was encrypted by means of an enterprise-managed service, and in accordance with GO-ITS 25.12, prior to any production use of the media; and/or
    • The location, status, disposition, and/or custody of the key material used to encrypt the entirety of the media is unknown, uncertain, or unsafe.
  • Any mobile technology, subsequent to factory reset/clear, where any of the following apply:
    • The re-use/resale value of the mobile device is negligible;
    • The mobile device was, for any period of time, used within the context of operations at the High Sensitivity level, or in a high-risk environment;
    • Factory reset/clear performance alone, for the identified class of mobile device, is not endorsed by Cyber Security Division as being adequately reliable; and/or
    • The mobile device is non-functioning.

3.2.7 Encryption and cryptographic erase / cryptographic shredding

The Government of Ontario should endeavour to initialize all storage media with full-volume encryption that complies with GO-ITS 25.12 specifications prior to deployment and any storage of data/information, as this will reduce the overhead associated with sanitization, and increase assurance.

With the exceptions described in section 3.2.6, storage media that has been encrypted prior to any use, by an enterprise-managed OPS service that provides GO-ITS 25.12 compliant cryptographic support, does not need to be over-written or destroyed. Only the managed keys used to encrypt and decrypt the encrypted media must be over-written. This process is typically referred to as cryptographic “erase” or cryptographic “shredding”. This process, however, must not be used where any of the following apply:

  • Ongoing management/control over the related key material has been lost;
  • The location, status, disposition, and/or custody of the key material becomes unknown, uncertain, or unsafe; and/or
  • Relevant threat/risk information regarding the implementation comes to light.

In high-risk situations, “enhanced” cryptographic erase / cryptographic shredding should be considered; this process is accomplished by securely and strongly re-keying and re-encrypting the media immediately prior to performing procedures to invoke cryptographic erase or cryptographic shredding. This method provides additional protections – any undetected loss of the original/previous keys is mitigated, and access to or knowledge of the new keys is carefully controlled. It must be noted, however, that portions of the media inaccessible to the device controller cannot be successfully re-keyed and re-encrypted in this manner. Intake assessment regarding media state/condition can help identify such issues/limitations in advance.

If the totality of the device or media has not been encrypted in this manner (for example, encryption applied later in service life, or at a filesystem level) prior to any production use, or if there are any concerns that the key material may reside in an unsafe manner on the device or media (as opposed to being maintained on a separate token, storage device, or computing device component such as a Trusted Platform Module), or should the location of key material be uncertain/unknown, then the device or media must instead be over-written at a minimum (that is, subject to the destruction requirements in section 3.2.6 of this document, and caveats regarding media state/condition) to reduce the risk of unauthorized disclosure.

3.2.8 User support

Processes and procedures must be developed and administered within Infrastructure Technology Services (ITS) that comply with the requirements of this document, and support all program areas and information users in their responsibility to submit intake process details and attestation(s), securely dispose of media and assets, and/or to report security incidents or security breaches involving computerized devices and digital storage media.

The procedures must be administered by a first point of contact (FPOC) within ITS. The FPOCs must be positioned to provide all or part of the necessary services required by this standard and must be sufficiently knowledgeable that they can point users to other service providers or program areas who can offer further direction or guidance if additional services, assistance or information are required.

3.2.9 Lost or stolen computerized devices or digital storage media

Although the ISC Policy and Guidelines require that encryption at rest be implemented when sensitive information is stored on devices or media, a security and/or privacy breach may still occur if those rules are not followed and storage media or a device is lost or stolen.

The OPS Service Desk must log the incident and advise the user to report any suspected privacy breach in accordance with the Guide to Managing Privacy and Privacy Breaches. This involves notifying the Program Manager of the area affected by the breach, their ministry FOI Coordinator and the Delegated Decision Maker responsible for the area involved in the privacy breach (notify the Program Area Director if there is no Delegated Decision Maker). The Service Desk should also provide users with instructions about how to order a replacement computerized device or digital storage media, if required.

If an approved means exists to remotely delete all government information stored on a missing device (for example, a mobile device managed via an enterprise service), that process must be performed immediately, unless an official, authorized investigation has resulted in a request for an alternate direction.

3.2.10 Security incident, lost, or stolen device

Users must report a suspected or known security incident, security breach, or a lost or stolen device by immediately contacting the Service Desk.

3.2.11 Security incident reporting

Procedures must be in place within ITS to log and process security incidents reported to them by users. The procedures must document all details about the incident and be escalated to the Cyber Security Operations Centre (CSOC) within Cyber Security Division at CSOC@Ontario.ca or 416-327-2100.

3.3 Roles and responsibilities

Responsibilities and procedures for the management of and operations associated with this standard to ensure secure sanitization and destruction of media and computerized devices must be established by Infrastructure Services (ITS) and OPS Supply Assets Management (SAM). This includes the development of appropriate operating instructions and incident response procedures.

The following are the roles and responsibilities of the four major groups primarily responsible for developing, implementing, utilizing, and supporting the internal processes and procedures required to ensure compliance with this standard:

3.3.1 Program Managers

A Program Manager is the ministry employee accountable for the successful operation of the ministry program that creates or collects information held in the custody or under the control of the Government of Ontario.

Program Managers are responsible for:

  • Ensuring information and records contained within the device and/or storage media has/have been managed in compliance with the privacy and recordkeeping requirements outlined in the Corporate Policy on Recordkeeping, Access, and Privacy (that is, Program Managers are understood to be Business Owners in this context);
  • Ensuring that all computerized devices and/or digital storage media have been sanitized and/or destroyed in accordance with the applicable requirements of this document before they are de-provisioned;
  • Ensuring that adequate physical security for storage and a secure chain of custody exists to protect all computerized devices and/or storage media before such devices/media are sent for sanitization and/or destruction;
  • Undertaking and completing a formalized intake process that is thorough and complies with the requirements of this document, including any required assessments, and provision of attestation(s) to inform sanitization and/or destruction;
  • Obtaining and retaining a copy of all required sanitization and/or destruction certificates;
  • Ensuring that staff read and follow any guidelines issued to support this standard; and
  • Ensuring that users are aware of how to report lost/stolen devices and/or security incidents.

3.3.2 Infrastructure Technology Services (ITS)

Infrastructure Technology Services (ITS) manages and delivers information and information technology services to the Ontario Public Service, including the OPS IT Service Desk and the Desktop Services program areas.

Infrastructure Technology Services (ITS) is responsible for:

  • Establishing and maintaining the procedures and services necessary to help users who need to dispose of, or report security incidents involving, computerized devices and/or digital storage media;
  • Ensuring that the Information Sensitivity Classification Policy (ISC) sensitivity level and type of information involved in a loss or theft of computerized devices or digital storage devices is captured as part of the documented security incident report;
  • Ensuring that all vendors of record, including those responsible for securely sanitizing all computerized devices and/or digital storage media or providing destruction services, comply with the technical requirements of this standard;
  • Ensuring that all intake process details, assessment results, and attestations have been reviewed prior to undertaking sanitization;
  • Undertaking and completing a validation process that is thorough and provides assurance that the intended type and degree of sanitization has been successfully completed for all computerized devices and/or media;
  • Creating, and ensuring that program managers have access to, all required sanitization and/or destruction certificates of completion;
  • Assisting the program manager in their responsibility to use secure couriers and ensure a secure chain of custody for computerized devices and digital storage media for sanitization and destruction; and
  • Ensuring the OPS IT Service Desk functions as the first point of contact for security incident reports and for device and media disposal/sanitization/destruction requests.

3.3.3 OPS Surplus Asset Management

MPBSD is responsible, under the OPS Procurement Directive, for secure disposal of surplus moveable assets owned by the Government of Ontario. This has been managed via the OPS Surplus Assets Management Group (SAM).

These assets include but are not limited to multi-functional devices not purchased under the current vendor of record, legacy servers that were purchased outside of the ITS process, and hard drives from multi-functional devices which have been leased under the current vendor of record, but which are non-functioning and have been removed by the vendor for retention and disposal by the program manager.

MPBSD/SAM (or a successor OPS surplus asset management owner) is responsible for:

  • Managing the destruction of surplus computerized devices and digital storage media per the OPS Procurement Directive.
  • Ensuring that all business partners and vendors of record involved in the destruction of computerized assets and digital storage media bearing government information in the custody and/or under the control of the Government of Ontario comply with the technical requirements of this standard.
  • Ensuring that all required certificates confirming the completion of a sanitization and/or destruction process are accurate and provided to program managers.
  • Assisting the program manager in their responsibility to ensure a secure chain of custody for computerized devices and digital storage media prior to sanitization and/or destruction.
  • Ensuring that all forms related to the disposal or destruction of computerized devices and/or digital storage media include mandatory fields which will confirm the following:
    • The highest information sensitivity classification level (per the Information Sensitivity Classification Policy) of any information known to be stored/recorded on the device or media;
    • Whether or not a computerized device was, for any period of time, used for the purposes of directly accessing services or environments containing aggregate High Sensitivity information;
    • Whether or not the totality of the device or media is encrypted (that is, full volume encryption) in accordance with GO-ITS 25.12;
    • Whether or not the device or media was encrypted prior to any production use; and
    • The physical type/nature and functional condition/state of the media.

3.2.4 Cyber Security Division

The Cyber Security Division (CSD) of the Ministry of Public and Business Service Delivery ensures that the needs of a secure environment for digital government are met.

CSD is responsible for:

  • maintaining this document and its requirements;
  • approving all cryptographic specifications and methods for use within the government for safeguarding of information stored on computerized devices and digital storage media by means of encryption;
  • providing endorsement of security features/methods, such as specific overwrite software and secure erase implementations;
  • assisting ITS with the investigation and resolution of security incidents; and
  • assisting users to implement security measures and/or strengthen existing security.

4. Related standards and impacted infrastructure

4.1 Impacts to existing standards

GO-IT standards and how they are impacted by the GO-ITS 25.21 standard. GO-ITS 25.0 and GO-ITS 25.12 reference and compliance are being impacted.

| GO-ITS standard | Impact | Recommended action |
|---|---|---|
| GO-ITS 25.0 | No impact | Compliance with all applicable requirements |
| GO-ITS 25.12 | No impact; this standard relies on GO-ITS 25.12 specifications and requirements | Compliance with all applicable requirements |
| GO-ITS 25.21 | No impact; however, OPS responsibilities per section 2.4 should account for this standard | Compliance with all applicable requirements |

4.2 Impacts to existing infrastructure

| Impacted infrastructure | Impact | Recommended action |
|---|---|---|
| None | Not applicable | Not applicable |

5. Compliance requirements

The intention of the OCCIO is to advertise and promote this standard as being a mandatory component throughout Government. In order to manage the effectiveness and implementation of this standard, Ministries, I&IT Clusters and applicable agencies are expected to adopt and monitor compliance.

This standard complies with the Government of Ontario’s requirements and legislative obligations to maintain the confidentiality and integrity of data/information by restricting access to personal and sensitive information to prevent the creation and subsequent distribution of unauthorized copies and/or manipulated versions.

The following governance documents provide the direction to comply with this standard:

  • Governance and Management Information and Data Asset Directive
  • Governance and Management of Information Technology Directive
  • Corporate Policy on Information Sensitivity Classification 
  • Information Sensitivity Classification Guidelines
  • Corporate Policy on Cyber Risk and Cyber Risk Management
  • Corporate Policy on Recordkeeping, Access and Privacy

These documents provide additional context for compliance:

  • Acceptable Use of Information Technology (IT) Resources Policy
  • GO-ITS Security standards

In addition, this standard is issued in compliance with the Ontario Public Service Procurement Directive (2023), specifically, “Ministries must remove all confidential, personal, and sensitive data from IT equipment prior to disposing of the equipment”.

Compliance with this standard is mandatory.

6. Contact information

If you have questions or require further information about this document or the GO-ITS 25 series, please contact the following Cyber Security Division staff:

Contact 1
Name/Title: Alex Fanourgiakis, Senior Manager
Organization/Ministry: Ministry of Public and Business Service Delivery
Division: Cyber Security Division
Branch: Cyber Security Strategy, Risk Management and Architecture Branch
Section/Unit: Security Policy and Standards Unit
Office phone: (647) 982-5216
Email: Alex.Fanourgiakis@ontario.ca

Contact 2
Name/Title: Tim Dafoe, Senior Security Policy Advisor
Organization/Ministry: Ministry of Public and Business Service Delivery
Division: Cyber Security Division
Branch: Cyber Security Strategy, Risk Management and Architecture Branch
Section/Unit: Security Policy and Standards Unit
Office phone: (416) 327-1260
Email: Tim.Dafoe@ontario.ca

7. Roles and responsibilities

Accountable role (standard owner) definition
The individual or committee ultimately accountable for the effectiveness of a standard and for its full life-cycle, including development, reviews, revisions, updates, evaluations, and rescindment. Where a committee owns the standard, the committee Chair is accountable for the standard. There must be exactly one accountable role identified.

Accountable role
Alex Fanourgiakis
Title: Senior Manager
Ministry/I&IT Cluster: MPBSD
Division: Cyber Security Division

Responsible role definition
The organization(s) responsible for the development of this standard. There may be more than one responsible organization identified if it is a partnership/joint effort. (Note: the responsible organization(s) provides the resource(s) to develop the standard).

Responsible organization(s)
Ministry/I&IT Cluster: MPBSD
Division: Cyber Security Division

Support role definition
The support role is the resource(s) to whom the responsibility for maintaining this standard has been assigned. Inquiries, feedback, and suggestions should be sent to this resource.

Support role (editor)
Ministry/I&IT Cluster: MPBSD
Division: Cyber Security Division
Branch: Cyber Security Strategy, Risk Management and Architecture
Section: Security Policy and Standards Unit
Job Title: Senior Security Policy Advisor
Name: Tim Dafoe
Phone: (416) 327-1260
Email: Tim.Dafoe@ontario.ca

8. Consultations

Organization consulted

| Organization consulted (Ministry/I&IT Cluster) | Division | Branch | Date |
|---|---|---|---|
| MPBSD | Privacy, Archives, Digital and Data (PADD) | Not applicable | October 2023 |
| MPBSD | ITS Data Centre Operations (DCO); ITS Desktop | Not applicable | October 2023 to February 2024 |

Other consultations

| Committee/Working group/Council/Individual consulted | Date |
|---|---|
| Enterprise Architecture Management Working Group (EAMWG) | October 4, 2023 |

9. Document history

| Date | Summary |
|---|---|
| 2013-10-02 | Architecture Review Board endorsement |
| 2014-02-06 | IT Executive Leadership Council approval. Approved version number 1.0 |
| 2021-05-04 | Created: GO-ITS 25.20 draft v0.1 |
| 2021-05-04 | New draft number changed to version 0.2 |
| 2021-07-11 | Revised draft with minor changes to version 0.2 |
| 2023-01-25 | Revised draft with minor changes, version 0.2 maintained |
| 2023-11-01 | Architecture Review Board endorsement |
| 2024-02-14 | IT Executive Leadership Council approval. Approved version number set to 2.0 |

10. Glossary

In this document, the following words, terms or expressions mean as follows:

“Cloud Services” means a service that meets the description of Cloud Services contained in GO-ITS 25.21 Cloud First Principles and Security Requirements.

“Control” means not in the physical possession of data, yet with a legal and/or contractual right to deal with it.

“Compromise” means to expose, jeopardize or otherwise make vulnerable to danger.

“Custody” means in the physical possession of the data or information (excluding unsolicited or accidental possession).

“Data” means any recorded information stored on government issued computerized devices or digital storage media. In all cases, the word “data” also means “information”.

“Destruction” means to render computerized devices or digital storage media unusable by crushing, pulverizing or shredding for the purposes of making the data contained on the device or media permanently inaccessible.

“Information” means recorded information in any form, in any medium, and at all stages of its life cycle including information created, recorded, transmitted or stored in digital form or in other intangible forms by electronic, magnetic, optical or any other means, but does not include a mechanism or system for creating, sending, receiving, storing or otherwise processing information.

“Integrity” means the condition of, or requirement for, information that has not been modified or deleted without proper authorization.

“Ministry” means a ministry of the Government of Ontario and includes all IT clusters and applicable agencies.

“Personal information” means recorded information about an identifiable individual as per the Freedom of Information and Protection of Privacy Act.

“Program manager” means the program director, their equivalent or delegate, who is ultimately accountable for the successful operation of a program including the confidentiality, integrity, and availability of the recorded information created and/or collected by that program area.

“Safeguard” means a protective and precautionary security measure intended to prevent a threat agent from causing harm and injury.

“Security breach” means any act that penetrates the security put in place in order to safeguard data/information.

“Secure chain of custody” means the unbroken trail of physical security and accountability of a computerized device and/or digital storage media from the time it leaves a secure government site until the moment the data/information on the device or media is either sanitized or the device or media is destroyed.

“Security incident” means any activity that could minimize the security of government data/information or IT systems or be a prelude to a security breach.

“Semi-conductor” means an electronic component of a computerized or multi-functional device that exploits the electronic properties of semi-conductor materials.

“Sensitive information” means information that does not contain any “personal information” as it is defined within the Freedom of Information and Protection of Privacy Act, but must, nonetheless, be secured in accordance with its sensitivity classification level (based on its ability to cause harm and injury if disclosed without authorization).

“User” means anyone authorized to access recorded information in the custody or under the control of the Government of Ontario.

“Vendor of record” means a vendor offering specific goods or services to OPS clients for a defined time period on terms and conditions including pricing, as set out in the governing agreement between the vendor and Her Majesty.

11. Appendices

11.1 Normative references

  • Governance and Management of Information Technology Directive

Note: A normative reference specifies a supporting document or GO-IT Standard (in the case of the Government of Ontario's I&IT infrastructure, often another OPS I&IT authorized publication) that must be read to fully understand or implement the subject matter of the main GO-IT Standard. Such authoritative or de facto references may be external and may, or may not be, owned/controlled by the GO-IT Standard owner.