Re: Quick Survey: How do you "dispose" of outbound hard drives??

["SCHALIP, MICHAEL" <mschalip () CNM EDU>]

I like the "fed to llamas" part......I'm adding that to our existing sanitization policy - let them wrap their heads 
around that one.  Can you imagine the look on the auditors face when he tries to "verify".....



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Perry, 
Jeff
Sent: Wednesday, September 29, 2010 2:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound hard drives??

Good points all around (re: dod vs EDU).

> Michael wrote: " higher ed typically doesn't play in the "blinding
white flash" arena, so I'd recommend AGAINST trying to apply those rules in this environment."

This is indeed why we stuck to degaussing as our "nuclear option" and didn't go with a degauss+physical shredder policy 
(and the noise and cost and mess associated with it).  The method that each division/school must use on our campus is 
stipulated in our data classification policy.
We have a matrix that basically says "if the system is rated Category 1 and is moving to another Category 1 use 
internally do XYZ. " If it's moving down (cat 1 -> 2) internally do 123"  "If it's leaving us entirely do ABC". 

However the majority of the machine are actually moving out the door and we have only one method to deal with that (due 
to the fact that it's a 0% probability that the person disposing of the system is going to a.) understand all this 
compliance stuff and b.) know everything about said unit).  So we err on the side of 10k gauss pulse everything not to 
be reused (as it fries the data and the drive) and wipe (using an approved
method/tool) for those few that are going to be reused.

Our ace in the hole is a contract we have that allows for third party pickup, monitored destruction, and sign-off 
paperwork if we ever do run across something that actually legally needs to be pulsed, shredded, burned, dipped in 
acid, and then fed to llamas.

I too think the ATA thing is neat and may prove very useful in the near future, but until it's more common we're opting 
for clarity so people don't have a huge decision tree to work through (and ultimately mess up occasionally which 
defeats all the time you saved).  So thanks to those that are really spending the effort to look in to the questions it 
brings up.

Cheers,

Jeff Perry, CISSP
Director, Enterprise Infrastructure & Operations The University of Kansas

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doty, 
Timothy T.
Sent: Wednesday, September 29, 2010 11:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound hard drives??

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
> Sent: Wednesday, September 29, 2010 10:56 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound 
> hard drives??
>
> On Wed, 29 Sep 2010 09:32:40 MDT, "SCHALIP, MICHAEL" said:
>
> > ng white flash" arena, so I'd recommend AGAINST trying to apply
those
> rules
> >  in this environment.
>
> My point was that the vast majority of what higher ed considers 
> sensitive data isn't (in the greater scheme of things) any more 
> sensitive than the "Sensitive But Unclassified" category on the DoD 
> side, so trying any harder than that isn't worth the effort.

You are comparing DoD classification schemes with education and having different needs they will necessarily classify 
things differently. I originally wrote a lot more, but the short of it is that what is sensitive and how depends on who 
is asking who. The world of DoD is *far* different than education and it isn't necessarily a matter of greater vs 
lesser, it is just very, very different. The relevance of an institution's data to national security is largely 
irrelevant, what matters in the end is the financial risk and from there determining fiscally appropriate mitigations.

It doesn't matter how DoD would rate it: different field, different concerns.

When it comes to preventing data from being recovered from surplussed hardware I'm of the camp "single overwrite is 
good enough". I find ATA secure erase interesting because it has potentially less overhead than DBAN (it appears faster 
allowing higher throughput of drives if that is a
concern) and better reliability (vs procedures in place to ensure that interrupted wipes are actually completed). It 
has caveats, however, that prevent it from being a drop-in replacement for DBAN.

Ultimately, each institution has to determine for themselves what their mitigation strategy will be. Some may have 
external requirements preventing physical destruction, others may find that easier and cheaper due to particulars. Some 
may wipe with one tool, others with another. As long as they understand the capabilities and risks of their method, all 
is well.
(I
may still have a hard drive from a certain department of transportation that had been "wiped" by installing DOS on the 
drive and then sold -- the "wipe"
had no real impact on the NTFS file system.) 

Tim Doty

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.