Indiana University

Securely Removing Data

Overview

Computing systems (including desktops and laptops, networking equipment, cellular phones, PDAs, and other mobile devices) store data on a wide variety of storage media (e.g., hard drives, USB flash drives, floppy disks, CD-ROMs, tapes, memory). This data must be securely removed from the media once the data and/or device is no longer required in order to prevent unauthorized disclosure of the data. This is particularly true if the device contains sensitive data.

This document discusses the risks associated with, and the processes used for, securely removing data from storage media, and explains why simply deleting the data files does NOT suffice.

IU Standard

Before a department may relinquish computing equipment to another entity, if that equipment is or contains a storage device, all data must be removed from the storage device(s). In order to satisfy the IU Purchasing policy, departments must choose and correctly deploy a tool that performs at least a 1-pass wipe of the disk. UISO has verified that the tools that can satisfy that requirement, if used correctly, are DBAN and Mac OS X's Disk Utility.

If the storage device is inoperable or cannot be wiped using one of these tools, Purchasing provides a Data Destruction Service that must be used (see Destruction section below).

Why Remove Data?

There are a number of reasons why the data maintained on computer systems and devices would need to be securely removed. Perhaps a computer system is being replaced with a more powerful device and the old system is being transferred to another department or sold at auction. Maybe the backup data stored on a CD-ROM has reached the end of its useful life and needs to be expunged. Perhaps a magnetic tape has been used the maximum number of times it can be while still reliably preserving data. Maybe a hard drive has become damaged and is inoperative.

In each of the aforementioned cases, the University has legal and ethical obligations to ensure that any institutional data is securely removed to minimize the risk of possible disclosure. For additional information on data administration and guidelines, see the following resources provided by the Information Policy Office:

Why Delete Is Not Enough

A file can be deleted from a computer's hard drive using a number of methods: by issuing an rm or del command from the command line, by highlighting a file in Nautilus or Windows Explorer and pressing the Delete key, or by emptying the Recycle Bin or the Trash folder. However, these methods only remove the pointers to the actual files -- they do NOT remove the data. The data remains on the hard drive as unallocated space.

Another common misconception is that using system utilities (e.g., fdisk) and re-formatting the hard drive will securely delete all data on the hard drive. Like rm and del, these utilities modify file system attributes but do not remove the data.

CD-ROMs, since they are read-only, introduce a different challenge in that there is no way to programmatically and securely delete the contents of the CD. Inoperable hard drives are also troublesome in that they cannot be connected to a system and accessed through software.

Secure Delete Methods

We've discussed earlier that one cannot rely on deletion alone and that there are certain devices that present special issues. So, what is available to help us securely delete and/or destroy the data?

Wiping Utilities

Disk wiping is a term used to describe a programmatic process that writes a series of 1's and/or 0's over the disk in an effort to securely remove the data. DBAN is an example of a software tool that has this capability. CyberCide, DBAN, Declasfy, East-Tec's DisposeSecure, East-Tec's Eraser, Heidi's Eraser, PDA Defense, SuperScrubber and Symantec Ghost's gdisk32 can be used as well. Depending on the speed or the performance characteristics of the computer you use to run this software, disk wiping might be time-consuming.

Also see: How can I securely wipe disk drives?
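
One way to check that a single-pass wipe actually covered the whole disk, as an added example that is not part of the original guidance and is not an IU or vendor tool: it scans a disk image (or a device node read with sufficient privileges) and reports the sectors that still hold anything other than the fill byte. It assumes the wipe wrote a fixed pattern (all 0's or all 1's) and a 512-byte sector size; the function names and the sample images are constructed for illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size


def residual_extents(path, fill=0x00, sector=SECTOR, sectors_per_read=2048):
    """Return [(first_sector, sector_count), ...] for runs of sectors that
    still hold any byte other than `fill`. An empty list means the
    single-fill pass covered everything that was read."""
    clean = bytes([fill]) * sector
    extents = []
    index = 0
    with open(path, "rb") as dev:
        while True:
            block = dev.read(sector * sectors_per_read)  # 1 MiB per read
            if not block:
                break
            for off in range(0, len(block), sector):
                piece = block[off:off + sector]
                if piece != clean[:len(piece)]:
                    if extents and extents[-1][0] + extents[-1][1] == index:
                        extents[-1][1] += 1        # extend the current run
                    else:
                        extents.append([index, 1])  # start a new run
                index += 1
    return [tuple(e) for e in extents]


def build_sample_image(path, sectors=4096, leftovers=()):
    """Constructed test image: zero-filled, with a fake record left behind
    in each sector listed in `leftovers`."""
    with open(path, "wb") as img:
        img.write(bytes(sectors * SECTOR))
        for s in leftovers:
            img.seek(s * SECTOR + 100)
            img.write(b"CONSTRUCTED-RECORD")


def demo():
    """Compare a fully wiped image with one where the wipe missed sectors."""
    with tempfile.TemporaryDirectory() as tmp:
        wiped = os.path.join(tmp, "wiped.img")
        partial = os.path.join(tmp, "partial.img")
        build_sample_image(wiped)
        build_sample_image(partial, leftovers=(10, 11, 4095))
        return residual_extents(wiped), residual_extents(partial)


if __name__ == "__main__":
    ok, bad = demo()
    print("fully wiped image:", ok or "no residual data")
    print("partially wiped image:", bad)
```

A wipe that used a random pattern cannot be verified this way, because every sector would be reported as residual.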

Degaussing

Degaussing is a process that subjects storage media to a powerful magnetic field to remove the data on the media.

Warning: Degaussing can make the media inoperable. Therefore, it is advisable that you do not use this method if the media needs to be reused and/or has resale value.

Destruction

For media that has contained highly sensitive data or for media that cannot be wiped (e.g., inoperable/damaged hard drives, DVDs) or degaussed (e.g., CD-ROMs), destruction of the media is the most effective means of ensuring that the data cannot be recovered. Destruction of the media can be accomplished via a number of methods: shredding disk platters, grinding the surfaces off of CDs, incinerating tapes, etc. In order to be effective, the destruction has to be thorough. A simple whack with a hammer, for example, would leave the majority of the data on the media readable.

The University has data destruction services available:

Related Policies and Documentation

Summary

The effort put forth to ensure that data is securely removed from storage media is in direct relation to the sensitivity level of the data that is (or has been) stored on that device. If a device contains highly sensitive data, wiping, degaussing, and destruction could all be used. However, if the device contains only public data, disk wiping would be sufficient.

Let's discuss a few example scenarios to clarify.

Scenarios

  1. I have an inoperable hard drive that contains sensitive data. What should I do?

    Disk wiping is out of the question since the drive is inoperable. In this case, degaussing is the best alternative. If the hard drive contained highly sensitive data, the disk platters should be destroyed as well.

  2. I have a computer that is being replaced by a newer model and I would like to transfer this machine to another user in my department. The system has been used to store FERPA protected student records. What should I do?

    Disk wiping is the best alternative. Degaussing might make the hard drives inoperable which would render the machine unusable.

  3. I have a computer that is being replaced by a newer model and I would like to transfer this machine to another department on campus. The system was bought new and used as a public access terminal. It has never maintained sensitive data, but it does have an application installed on it that we licensed from a software vendor. What should I do?

    Since data storage is not an issue, the simplest method would be to fdisk the system and reformat the hard drive. This process will ensure that any individually licensed software is unusable.

  4. I have a computer that is being replaced by a newer model and I would like to transfer this machine to another department on campus. The system has been used to store sensitive data. What should I do?

    Once again, disk wiping is probably the best alternative. However, if the data is of a highly sensitive nature (e.g., medical data, FERPA-protected student data), it would probably be best to degauss the hard drive and destroy the disk platters.

  5. I have a computer that has reached the end of its life and I cannot find another department at the University that wants it. What should I do?

    University Purchasing has two policies that discuss this:

  6. I have a hard drive containing sensitive data that has a mechanical failure, and the computer manufacturer is requesting that the drive be returned in order to do a replacement under warranty. What methods must be undertaken to erase the data when the drive is physically inoperable?

    You should first tell the manufacturer that the drive has sensitive data and that you do not want to send it back. If the manufacturer subsequently informs you that they will not send a replacement without the damaged drive, then you should request a formal letter from the manufacturer saying that they will ensure that all data is securely wiped from the hard drive. If the vendor continues to refuse, you should purchase a replacement drive and ensure that the damaged disk is destroyed.

  7. I have a very large volume of media to be retired that contains sensitive data. What are my options?

    University Purchasing can work with various professional shredder companies that can come on campus and shred the media. When finished, they will also provide you a certificate of destruction. Contact your campus Purchasing department for additional information.

  8. I will no longer be using my BlackBerry or iPhone. Must I remove all of my personal data from it? If so, how do I do that?

    Yes, all data must be removed from iPhones, BlackBerrys, and other mobile devices containing university information or email.

    Please consult the following Knowledge Base documents: