Re: Quick Survey: How do you "dispose" of outbound hard drives??

[Anthony Maszeroski <maszeroskia3 () SCRANTON EDU>]

I think the specification allows for any ruminant mammalian digestion
process. So, if a llama isn't available, a wildebeest or antelope can do
in a pinch. Use of giraffes is encouraged for long input queues.
Ruminating training is mandatory to ensure that the proper number of
passes is achieved in the second phase of destruction.

On 9/29/2010 4:27 PM, SCHALIP, MICHAEL wrote:
> I like the "fed to llamas" part......I'm adding that to our existing sanitization policy - let them wrap their heads 
> around that one.  Can you imagine the look on the auditors face when he tries to "verify".....
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Perry, 
> Jeff
> Sent: Wednesday, September 29, 2010 2:20 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound hard drives??
>
> Good points all around (re: dod vs EDU).
>
> > Michael wrote: " higher ed typically doesn't play in the "blinding
> white flash" arena, so I'd recommend AGAINST trying to apply those rules in this environment."
>
> This is indeed why we stuck to degaussing as our "nuclear option" and didn't go with a degauss+physical shredder 
> policy (and the noise and cost and mess associated with it).  The method that each division/school must use on our 
> campus is stipulated in our data classification policy.
> We have a matrix that basically says "if the system is rated Category 1 and is moving to another Category 1 use 
> internally do XYZ. " If it's moving down (cat 1 -> 2) internally do 123"  "If it's leaving us entirely do ABC". 
>
> However the majority of the machine are actually moving out the door and we have only one method to deal with that 
> (due to the fact that it's a 0% probability that the person disposing of the system is going to a.) understand all 
> this compliance stuff and b.) know everything about said unit).  So we err on the side of 10k gauss pulse everything 
> not to be reused (as it fries the data and the drive) and wipe (using an approved
> method/tool) for those few that are going to be reused.
>
> Our ace in the hole is a contract we have that allows for third party pickup, monitored destruction, and sign-off 
> paperwork if we ever do run across something that actually legally needs to be pulsed, shredded, burned, dipped in 
> acid, and then fed to llamas.
>
> I too think the ATA thing is neat and may prove very useful in the near future, but until it's more common we're 
> opting for clarity so people don't have a huge decision tree to work through (and ultimately mess up occasionally 
> which defeats all the time you saved).  So thanks to those that are really spending the effort to look in to the 
> questions it brings up.
>
> Cheers,
>
> Jeff Perry, CISSP
> Director, Enterprise Infrastructure & Operations The University of Kansas
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Doty, 
> Timothy T.
> Sent: Wednesday, September 29, 2010 11:45 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound hard drives??
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv 
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
> > Sent: Wednesday, September 29, 2010 10:56 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Quick Survey: How do you "dispose" of outbound 
> > hard drives??
> >
> > On Wed, 29 Sep 2010 09:32:40 MDT, "SCHALIP, MICHAEL" said:
> >
> > > ng white flash" arena, so I'd recommend AGAINST trying to apply
> those
> > rules
> > >  in this environment.
> >
> > My point was that the vast majority of what higher ed considers 
> > sensitive data isn't (in the greater scheme of things) any more 
> > sensitive than the "Sensitive But Unclassified" category on the DoD 
> > side, so trying any harder than that isn't worth the effort.
>
> You are comparing DoD classification schemes with education and having different needs they will necessarily classify 
> things differently. I originally wrote a lot more, but the short of it is that what is sensitive and how depends on 
> who is asking who. The world of DoD is *far* different than education and it isn't necessarily a matter of greater vs 
> lesser, it is just very, very different. The relevance of an institution's data to national security is largely 
> irrelevant, what matters in the end is the financial risk and from there determining fiscally appropriate mitigations.
>
> It doesn't matter how DoD would rate it: different field, different concerns.
>
> When it comes to preventing data from being recovered from surplussed hardware I'm of the camp "single overwrite is 
> good enough". I find ATA secure erase interesting because it has potentially less overhead than DBAN (it appears 
> faster allowing higher throughput of drives if that is a
> concern) and better reliability (vs procedures in place to ensure that interrupted wipes are actually completed). It 
> has caveats, however, that prevent it from being a drop-in replacement for DBAN.
>
> Ultimately, each institution has to determine for themselves what their mitigation strategy will be. Some may have 
> external requirements preventing physical destruction, others may find that easier and cheaper due to particulars. 
> Some may wipe with one tool, others with another. As long as they understand the capabilities and risks of their 
> method, all is well.
> (I
> may still have a hard drive from a certain department of transportation that had been "wiped" by installing DOS on 
> the drive and then sold -- the "wipe"
> had no real impact on the NTFS file system.) 
>
> Tim Doty
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-- 
- Anthony Maszeroski, CCNA, CISSP
-----------------------------------
Information Security Manager
The University of Scranton
email : maszeroskia3 () scranton edu
phone : 570-941-4226
-----------------------------------