Security Compliance, Electronic Data, Disk, SSD, or Other Storage Device Disposal

Data, Disk, SSD, Media, and Storage Device Disposal FAQ

Q: What's the university policy regarding disposal or surplus of electronic storage media and/or storage devices?

A: For storage media disposal requirements, see University IT Security Standard IT15-Storage Media Security at https://go.illinois.edu/secstd-IT15


Q: What actions must I take before releasing or disposing of storage devices or storage media?

| Data Classification | Storage device or media | Action | Notes |
|---|---|---|---|
| High-risk data (Health information/PHI, payment card, SSN, DL#, banking, export control, compartmentalized, etc.) | ANY* | Physical destruction | Includes crushing and degaussing |
| Sensitive data (FERPA, etc.) | ANY* | Physical destruction | Includes crushing, shredding, and degaussing |
| Sensitive data (FERPA, etc.) | SSD or flash | Overwrite or scrub | Overwrite must be verified |
| Sensitive data (FERPA, etc.) | Hard drive (magnetic, spinning platter-type) | Overwrite or scrub | Overwrite must be verified |
| Sensitive data (FERPA, etc.) | Magnetic tape | Overwrite or scrub | |
| Sensitive data (FERPA, etc.) | Any university-managed device with strong, full-disk encryption for its entire service life | Verify device is completely encrypted, then delete all encryption keys such that they are completely irrecoverable and officially document. | File-level encryption does not meet this requirement, nor does a device that was unencrypted for any length of time. Actions must be complete and auditable. |
| Internal data | ANY* | Physical destruction | Includes crushing, shredding, and degaussing |
| Internal data | ANY* | Overwrite or scrub | |
| Public data | ANY* | Overwrite or scrub | |

* "ANY" includes optical media (e.g., CDs or DVDs), magnetic media (e.g., tapes or diskettes), disk drives (e.g., external, portable, or disk drives removed from information systems), and flash memory storage devices (e.g., SSDs or USB flash drives). Documents include paper documents, paper output, or photographic media.


Q. What do you mean by "scrub" or "overwrite"?

A. Scrubbing or overwriting means writing over each bit on spinning-platter-type hard drives with random ones and zeroes.


Q. Can I just RMA or throw away a digital storage device?

A. No. The device must be scrubbed, overwritten, or destroyed before it is released or discarded, per the data classification requirements.


Q. What if the device to be RMA'd or discarded is broken?

A. All broken storage devices with University data are required to be degaussed or destroyed before they are released.


Q. How might I scrub or overwrite a digital storage device?

A. (For non-IT Professionals) Find an IT Professional proficient on the platform in question (Windows/Mac/Linux/etc.) and request that they perform the overwrite.
A. (For IT Professionals) Below are a few ideas on how to meet the requirement, both for SSD and for HDD.

Spinning-platter HDD
  DBAN
  Liveboot CLI: use a Linux live-boot distro and "dd" to overwrite* the target HDD
SSD
  "ATA Secure erase"
  See https://www.makeuseof.com/tag/securely-erase-ssd-without-destroying/
*Note 1: dd can be very effective (and destructive!) when used in this way. The precise syntax of the dd command may vary - see your local info or man pages to ensure correct syntax before executing.
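
One way to meet the table's "Overwrite must be verified" requirement for a random-data overwrite, as an added example that is not part of the original FAQ or any university tooling: hash the random stream while writing it, then read the target back and compare. The function names and the constructed image file are assumptions of this example; the demo only touches a temporary file.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # bytes per write/read
MARKER = b"constructed sample record\n"  # constructed stand-in for old data

def overwrite_random(path, size):
    """Fill the target with random bytes; return SHA-256 of the stream written."""
    digest = hashlib.sha256()
    with open(path, "r+b") as dev:
        for offset in range(0, size, CHUNK):
            block = os.urandom(min(CHUNK, size - offset))
            dev.write(block)
            digest.update(block)
        dev.flush()
        os.fsync(dev.fileno())  # push data to the medium before verifying
    return digest.hexdigest()

def read_back_digest(path, size):
    """SHA-256 of what the target holds now. Caveat: on a real device, drop
    the OS page cache first, or the read may be served from RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as dev:
        for offset in range(0, size, CHUNK):
            digest.update(dev.read(min(CHUNK, size - offset)))
    return digest.hexdigest()

def overwrite_and_verify(path):
    with open(path, "rb") as dev:
        size = dev.seek(0, os.SEEK_END)  # works for files and Linux block devices
    written = overwrite_random(path, size)
    return {"bytes": size, "sha256": written,
            "verified": written == read_back_digest(path, size)}

def demo():
    """Run against a constructed image file, never a real disk."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(MARKER * 4096)
    try:
        result = overwrite_and_verify(img.name)
        with open(img.name, "rb") as f:
            result["marker_left"] = MARKER in f.read()
        return result
    finally:
        os.unlink(img.name)

if __name__ == "__main__":
    print(demo())
```

The returned byte count, digest, and verification result can be saved with the disposal paperwork as evidence of the verified overwrite.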


Q. What needs to be done before sending a machine to surplus?

A. See the OBFS page on how to Dispose of Unneeded Equipment.






Keywords: security, cybersecurity, privacy, data, information, scrub, overwrite, wipe, dban, dispose, disposal, destroy, recycle, surplus, RMA, floppy, disk, storage, hard, drive, hdd, thumb, flash, memory, CDROM, CD-ROM, DVD, optical, SSD, dod, FAQ
Doc ID: 69861
Owner: Security S.
Group: University of Illinois Technology Services
Created: 2017-01-10 12:26 CDT
Updated: 2019-08-22 08:41 CDT
Sites: University of Illinois Technology Services