Educause Security Discussion mailing list archives
Re: Equipment Disposition - Disk Drive "Sanitization"
From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Wed, 25 Feb 2004 09:29:58 -0800
"Work well" is perhaps to much to ask but we do have guidelines. We are also in the process of tightening up how this is handled. I think it is essential that someone in each department who knows the IT environment be designated as the equipment disposal point of contact. If it isn't in your job description, it's too easy to "forget". We have people termed "PC Coordinators" in each department who are supposed to do this as part of their jobs. PC Coordinators are trained how to overwrite the contents of hard drives - not just "delete" the files. We recommend software packages for this purpose. We have not yet tackled similar requirements for PDAs, cellphones, etc. We are looking into an arrangement with a salvage operation that will then take the equipment and do the same thing. This doubles your chance of it being done right. If the hard drive is inoperable, we'll probably require that it be crushed. It also might be a good idea to require post mortem records indicating how the drive/device was disposed of, including confirmation that it was scrubbed if not destroyed, however it probably also would require spot checks or some form of audit to really know if disposal was being done properly. I do know that some equipment slips thru the cracks but I think staff education is a better approach to correcting this than sanctions. David Wasley ----- At 11:46 AM -0500 on 2/25/04, Sadler, Connie wrote:
Can others share what they are doing with regard to ensuring that information is properly overwritten before a computer is transferred or disposed of? We have an agreement with a third party to destroy all drives that are disposed of - and we also have a form that is filled out when systems are transferred or "gifted". But we need to tighten this up. I'd like each department to take responsibility for this and sign off on the form in such a way that they are accountable for information that gets past the process. But there is pushback on this (surprise!). Do others have processes that work well for them?

Thanks much...

Connie J. Sadler, CM, CISSP, CISM
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
PGP Fingerprint: 452A C178 1450 9CE1 3AC1 CC12 956F 2C55 DB94 A9C7
Office: 401-863-7266

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.