Educause Security Discussion mailing list archives

Re: Equipment Disposition - Disk Drive "Sanitization"


From: "David L. Wasley" <david.wasley () UCOP EDU>
Date: Wed, 25 Feb 2004 09:29:58 -0800

"Work well" is perhaps too much to ask but we do have guidelines.  We
are also in the process of tightening up how this is handled.

I think it is essential that someone in each department who knows the
IT environment be designated as the equipment disposal point of
contact.  If it isn't in your job description, it's too easy to
"forget".  We have people termed "PC Coordinators" in each department
who are supposed to do this as part of their jobs.

PC Coordinators are trained how to overwrite the contents of hard
drives - not just "delete" the files.  We recommend software packages
for this purpose.  We have not yet tackled similar requirements for
PDAs, cellphones, etc.

We are looking into an arrangement with a salvage operation that will
then take the equipment and do the same thing.  This doubles your
chance of it being done right.  If the hard drive is inoperable,
we'll probably require that it be crushed.  It also might be a good
idea to require post mortem records indicating how the drive/device
was disposed of, including confirmation that it was scrubbed if not
destroyed; however, it probably also would require spot checks or some
form of audit to really know if disposal was being done properly.

I do know that some equipment slips thru the cracks but I think staff
education is a better approach to correcting this than sanctions.

       David Wasley

-----
At 11:46 AM -0500 on 2/25/04, Sadler, Connie wrote:

Can others share what they are doing with regard to ensuring that
information is properly overwritten before a computer is transferred or
disposed of?

We have an agreement with a third party to destroy all drives that are
disposed of - and we also have a form that is filled out when systems
are transferred or "gifted". But we need to tighten this up. I'd like
each department to take responsibility for this and sign off on the form
in such a way that they are accountable for information that gets past
the process. But there is pushback on this (surprise!).

Do others have processes that work well for them?

Thanks much...

Connie J. Sadler, CM, CISSP, CISM
Director, IT Security, Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
PGP Fingerprint: 452A C178 1450 9CE1 3AC1  CC12 956F 2C55 DB94 A9C7
Office: 401-863-7266

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
