Security Compliance, Electronic Data, Disk, SSD, or Other Storage Device Disposal

Data, Disk, SSD, Media, and Storage Device Disposal FAQ

Q: What's the university policy regarding disposal or surplus of electronic storage media and/or storage devices?

A: For storage media disposal requirements, see University IT Security Standard IT15-Storage Media Security, at https://go.illinois.edu/secstd-IT15

Q: What actions must I take before releasing or disposing of storage devices or storage media?

Data Classification	Storage device or media	Action	Notes
High-risk data (Health information/PHI, payment card, SSN, DL#, banking, export control, compartmentalized, etc.)	ANY*	Physical destruction	Includes crushing and degaussing
Sensitive data (FERPA, etc.)	ANY*	Physical destruction	Includes crushing, shredding, and degaussing
Sensitive data (FERPA, etc.)	SSD or flash	Overwrite or scrub	Overwrite must be verified
Sensitive data (FERPA, etc.)	HARD DRIVE (magnetic, spinning platter-type)	Overwrite or scrub	Overwrite must be verified
Sensitive data (FERPA, etc.)	Magnetic tape	Overwrite or scrub
Sensitive data (FERPA, etc.)	Any university-managed device with strong, full-disk encryption for its entire service life	Verify device is completely encrypted, then delete all encryption keys such that they are completely irrecoverable and officially document.	File-level encryption does not meet this requirement, nor does a device that was unencrypted for any length of time. Actions must be complete, and auditable
Internal data	ANY*	Physical destruction	Includes crushing, shredding, and degaussing
Internal data	ANY*	Overwrite or scrub
Public data	ANY*	Overwrite or scrub

* "ANY" includes optical media (e.g., CDs or DVDs), magnetic media (e.g., tapes or diskettes), disk drives (e.g., external, portable, or disk drives removed from information systems), and flash memory storage devices (e.g., SSDs or USB flash drives). Documents include paper documents, paper output, or photographic media

Q. What do you mean by "scrub" or "overwrite"?

A. Scrubbing or overwriting means writing over each bit on spinning-platter-type hard drives with random ones and zeroes.

Q. Can I just RMA or throw away a digital storage device?

A. No. The device must be scrubbed, overwritten, or destroyed before it is released or discarded, per the data classification requirements.

Q. What if the device to be RMA'd or discarded is broken?

A. All broken storage devices with University data are required to be degaussed or destroyed before they are released.

Q. How might I scrub or overwrite a digital storage device?

A. (For non-IT Professionals) Find an IT Professional proficient on the platform (Windows/Mac/Linux/etc) in question and request that they perform the overwrite.

A. (For IT Professionals) Below are a few ideas on how to meet the requirement, both for SSD and for HDD.

Spinning-platter HDD	DBAN, Liveboot CLI++	++ use a Linux live-boot distro and "dd" to overwrite* the target HDD
SSD	"ATA Secure erase"	See https://www.makeuseof.com/tag/securely-erase-ssd-without-destroying/

*Note 1: dd can be very effective (and destructive!) when used in this way. The precise syntax of the dd command may vary - see your local info or man pages to ensure correct syntax before executing

Q. What needs to be done before sending a machine to surplus?

A. See the OBFS page on how to Dispose of Unneeded Equipment .

Keywords:	security, cybersecurity, privacy, data, information, scrub, overwrite, wipe, dban, dispose, disposal, destroy, recycle, surplus, RMA, floppy, disk, storage, hard, drive, hdd, thumb, flash, memory, CDROM, CD-ROM, DVD, optical, SSD, dod, FAQ Suggest keywords	Doc ID:	69861
Owner:	Security S.	Group:	University of Illinois Technology Services
Created:	2017-01-10 12:26 CDT	Updated:	2019-08-22 08:41 CDT
Sites:	University of Illinois Technology Services
Feedback:	1 0 Comment Suggest a new document