Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Quick Survey: How do you "dispose" of outbound hard drives??

From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Mon, 27 Sep 2010 12:15:44 -0500
SCHALIP, MICHAEL wrote:


We're looking for efficiencies (who isn't?) - What process do you
follow to securely dispose of old hard drives?  Do you sanitize
them?...what process/software do you use?  Do you allow them to be
sold/donated?  Do you grind/shred them?  Do you degauss them?
The standard requires that data be purged per NIST 800-88 ("Guidelines for Media Sanitation") before storage devices are transferred out of a unit, regardless of whether they're going to another unit within the university or elsewhere. We generally do not require a degree of sanitation that would resist a determined laboratory attack. While DBAN, et al, doesn't quite comply with a full data purge, a successfully completed single pass is generally considered sufficient. (It doesn't get spare blocks, but retrieving data from those would be fairly difficult.)
Degaussing modern hard drives generally renders them permanently unusable. If the sync track in modern drives gets damaged, the drives don't work. 


We are sanitizing them, but we're wondering if it would just be
cheaper to use a secure recycling service?  (I know DOE/DOD does some
of that....depending on the "level"....)

[snip]
That depends on whether the intent is to try to reuse or resell the drives. For drives that aren't expected to be reused in any way, e.g., small capacity drives or dead drives, we hand them off to a local vendor for shredding. After shredding, the vendor ships the materials out for reclamation and disposal. The vendor follows NAID standards, and tracks hard drives for destruction by serial number. We generally just hand them over and wait for confirmation (by serial number) that the drives were destroyed, but have the option of personally observing destruction provided we arrange for it in advance. (The shredder's large. It can take things like aluminum tables and bicycles. Shredding an old, full-height, 5.25" hard drive takes somewhat under a second.) 


--
Alan Amesbury
OIT Security and Assurance
University of Minnesota
Previous By Date Next
Previous By Thread Next

Current thread: