Computer systems store data on a wide variety of storage media (e.g., hard drives, USB flash drives, floppy disks, CD-ROMs, tapes, memory). Once the data and/or the device is no longer required, it is imperative that this data be securely removed from the media in order to prevent unauthorized disclosure. This is particularly true if the device contains sensitive data.
This document discusses the risks associated with, and the processes used for, securely removing data from storage media, and it explains why simply deleting the data files does NOT suffice.
Before a department may relinquish computing equipment to another entity, if such equipment is or contains a storage device, all data must be removed from the storage device(s). Minimally, data removal shall be achieved by using a product or products with erase or wiping capabilities that meet or exceed the latest National Institute of Standards and Technology (NIST) standard. Any method or process for removing institutional data from storage devices over and above meeting the NIST standard for data removal shall be at the discretion of the individual campus. Some campuses may require more stringent regulations with regard to the removal of institutional data before property may be relinquished.
There are a number of reasons why the data maintained on computer systems and devices would need to be securely removed. Perhaps a computer system is being replaced with a more powerful device and the old system is being transferred to another department or sold at auction. Maybe the backup data stored on a CD-ROM has reached the end of its useful life and needs to be expunged. Perhaps a magnetic tape has been used the maximum number of times that it can be to reliably preserve data. Maybe a hard drive has become damaged and is inoperative.
In each of the aforementioned cases, the University has legal and ethical obligations to ensure that any institutional data is securely removed to minimize the risk of possible disclosure. For additional information on data administration and guidelines, see the following resources provided by the IT Policy Office:
There are a number of methods by which a file can be deleted from a computer's hard drive: issuing an rm or del command from the command line, highlighting a file in Nautilus or Windows Explorer and pressing the Delete key, or emptying the Recycle Bin or the Trash folder. However, these methods only remove the pointers to the actual files -- they do NOT remove the data. The data remains on the hard drive in what is now unallocated space. In fact, even if the unallocated space is subsequently used by new files, there are sophisticated methods that can recover data previously stored in those locations by examining data remanence on the media.
Another common misconception is that using system utilities (e.g., fdisk) and re-formatting the hard drive will securely delete all data on the hard drive. Like rm and del, these utilities modify file system structures but do not remove the data itself.
CD-ROMs, since they are read-only, introduce a different challenge in that there is no way to programmatically and securely delete the contents of the CD. Inoperable hard drives are also troublesome in that they cannot be connected to a system and accessed through software.
We've discussed earlier that one cannot rely on deletion alone and that there are certain devices that present special issues. So, what is available to help us securely delete and/or destroy the data?
Disk wiping is a term used to describe a programmatic process that writes a series of ones and zeros over the entire disk, including unallocated space, in an effort to securely remove the data. DBAN is an example of a software tool that has this capability. CyberCide, DBAN, Declasfy, East-Tec's DisposeSecure, East-Tec's Eraser, Heidi's Eraser, PDA Defense, SuperScrubber and Symantec Ghost's gdisk32 can be used as well. Depending on the speed or the performance characteristics of the computer you use to run this software and the size of the drive, disk wiping might be time-consuming.
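To make the difference between deleting and wiping concrete, the following added illustration (not part of the original document and not any of the tools named above) models a tiny in-memory "disk": deleting a file only drops its directory entry, so a raw scan of the media still finds the contents, whereas a wipe overwrites every block. The disk layout, file names and sample data are constructed for the example.

```python
import os

BLOCK = 16      # bytes per block on the toy disk (constructed size)
NBLOCKS = 8     # number of blocks on the toy disk


class ToyDisk:
    """Minimal file system model: a directory (name -> blocks) over raw block storage."""

    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)   # the "platters": every byte on the media
        self.dir = {}                            # directory entries: name -> block numbers
        self.free = list(range(NBLOCKS))         # free-block list

    def write(self, name, data):
        blocks = []
        for i in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[i:i + BLOCK].ljust(BLOCK, b"\0")   # pad last chunk to a full block
            self.raw[b * BLOCK:(b + 1) * BLOCK] = chunk
            blocks.append(b)
        self.dir[name] = blocks

    def read(self, name):
        return b"".join(bytes(self.raw[b * BLOCK:(b + 1) * BLOCK])
                        for b in self.dir[name]).rstrip(b"\0")

    def delete(self, name):
        # What rm/del/Recycle Bin do: drop the pointer and free the blocks.
        # The bytes in self.raw are NOT touched.
        self.free.extend(self.dir.pop(name))

    def wipe(self, passes=(b"\x00", b"\xff", None)):
        # What a disk-wiping tool does: overwrite every block, allocated or not,
        # with a pattern of zeros, then ones, then random bytes (None).
        for pat in passes:
            for b in range(NBLOCKS):
                fill = os.urandom(BLOCK) if pat is None else pat * BLOCK
                self.raw[b * BLOCK:(b + 1) * BLOCK] = fill
        self.dir.clear()
        self.free = list(range(NBLOCKS))


def remnant_present(disk, needle):
    """Scan the raw media, ignoring the directory, the way a recovery tool would."""
    return needle in bytes(disk.raw)


def demo():
    """Returns (found after delete, found after wipe) for a constructed sensitive record."""
    disk = ToyDisk()
    disk.write("grades.txt", b"student id 000-00-0000 (constructed sample)")
    disk.delete("grades.txt")
    after_delete = remnant_present(disk, b"000-00-0000")
    disk.wipe()
    after_wipe = remnant_present(disk, b"000-00-0000")
    return after_delete, after_wipe
```

Running demo() returns (True, False): the record survives the delete and disappears only after the wipe.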
Note: Registered Local Support Providers (LSPs) can find Ghost in the "Software for LSPs" section of IUware on-line.
Also see: How can I securely wipe disk drives using DBAN?
If you have a Macintosh computer running Mac OS X, you have several built-in options for securely removing data:
Degaussing is a process by which the storage media is subjected to a powerful magnetic field to remove the data on the media. It applies only to magnetic media such as hard drives, floppy disks and tapes.
Warning: Degaussing can make the media inoperable. Therefore, it is advisable that you do not use this method if the media needs to be reused and/or has resale value.
For media that has contained highly sensitive data, or for media that cannot be wiped (e.g., inoperable/damaged hard drives, DVDs) or degaussed (e.g., CD-ROMs), destruction of the media is the most effective means of ensuring that the data cannot be recovered. Destruction of the media can be accomplished via a number of methods: shredding disk platters, grinding the surfaces off of CDs, incinerating tapes, etc. The University has a Data Destruction Service available.
Please reference the campus specific processes listed below.
There are also companies (e.g., Technology Recycling) that will destroy old hardware for a fee.
Note: In order to be effective, the destruction has to be thorough. A single blow with a hammer, for example, would leave the majority of the data on the media readable.
The effort put forth to ensure that data is securely removed from storage media should be in direct proportion to the sensitivity level of the data that is (or has been) stored on that device. If a device contains highly sensitive data, wiping, degaussing, and destruction could all be used. However, if the device contains only public data, disk wiping would be sufficient.
Let's discuss a few example scenarios to clarify.
1. I have an inoperable hard drive that contains sensitive data. What should I do?
Disk wiping is out of the question since the drive is inoperable. In this case, degaussing is the best alternative. If the hard drive contained highly sensitive data, the disk platters should be destroyed as well.
2. I have a computer that is being replaced by a newer model and I would like to transfer this machine to another user in my department. The system has been used to store FERPA protected student records. What should I do?
Disk wiping is the best alternative. Degaussing might make the hard drives inoperable which would render the machine unusable.
3. I have a computer that is being replaced by a newer model and I would like to transfer this machine to another department on campus. The system was bought new and used as a public access terminal. It has never held sensitive data, but it does have applications installed on it that we licensed from a software vendor. What should I do?
Since sensitive data is not an issue, the simplest method would be to fdisk the system and reformat the hard drive. This process will ensure that any individually licensed software is unusable.
4. I have a computer that is being replaced by a newer model and I would like to transfer this machine to another department on campus. The system has been used to store sensitive data. What should I do?
Once again, disk wiping is probably the best alternative. However, if the data is of a highly sensitive nature (e.g., medical data, FERPA-protected student data), it would probably be best to degauss the hard drive and destroy the disk platters.
5. I have a computer that has reached the end of its life and I cannot find another department at the University that wants it. What should I do?
University Purchasing has a Treatment of Property document that describes the Bloomington campus' approach. The actual procedures for resale vary slightly between campuses, so please check with your local campus' purchasing department for specific details. Applicable University-wide policies (i.e., they cover all campuses) are P - 14.0 and P - 14.1.
6. I have a hard drive containing sensitive data that has a mechanical failure, and the computer manufacturer is requesting that the drive be returned in order to do a replacement under warranty. What methods must be undertaken to erase the data when the drive is physically inoperable?
You should first tell the manufacturer that the drive has sensitive data and that you do not want to send it back. If the manufacturer subsequently informs you that they will not send a replacement without the damaged drive, then you should request a formal letter from the manufacturer saying that they will ensure that all data is securely wiped from the hard drive. If the vendor continues to refuse, you should purchase a replacement drive and ensure that the damaged disk is destroyed.
7. I have a very large volume of media to be retired that contains sensitive data. What are my options?
University Purchasing can work with various professional shredder companies that can come on campus and shred the media. When finished, they will also provide you a certificate of destruction. Contact your campus Purchasing department for additional information.
8. I will no longer be using my BlackBerry and I would like to remove all of my personal data from it. How do I do that?
Please consult the How do I clear all personal data from my BlackBerry? KB document.