Security Compliance, Electronic Data, Disk, SSD, or Other Storage Device Disposal

Data, Disk, SSD, Media, and Storage Device Disposal FAQ

Q: What's the university policy regarding disposal or surplus of electronic storage media and/or storage devices?

A: For storage media disposal requirements, see University IT Security Standard IT15-Storage Media Security, at https://go.illinois.edu/secstd-IT15



Q: What actions must I take before releasing or disposing of storage devices or storage media?

| Data Classification | Storage device or media | Action (at least one must be performed) |
| --- | --- | --- |
| High-risk data (Health information/PHI, payment card, SSN, DL#, banking, export control, compartmentalized, etc.) | HDD (magnetic, spinning-platter type), Magnetic Tape, Other* | Crush/shred |
| High-risk data | M.2, SSD, or flash | Crush/shred |
| Sensitive data (FERPA, etc.) | M.2, SSD, or flash | Overwrite/scrub (must be verified); Crush/shred |
| Sensitive data | HDD (magnetic, spinning-platter type), Magnetic Tape, Other* | Overwrite/scrub (must be verified); Degauss; Crush/shred |
| Sensitive data | Encrypted storage** | Verify device is completely encrypted, then delete all encryption keys such that they are completely irrecoverable and officially document.*** |
| Internal data & Public data | M.2, SSD, or flash | Overwrite/scrub; Crush/shred |
| Internal data & Public data | HDD (magnetic, spinning-platter type), Magnetic Tape, Other* | Overwrite/scrub; Degauss; Crush/shred |
| Internal data & Public data | Encrypted storage** | Verify device is completely encrypted, then delete all encryption keys such that they are completely irrecoverable and officially document.*** |


* "Other" includes optical media (e.g., CDs or DVDs), magnetic media (e.g., tapes or diskettes), and disk drives (e.g., external, portable, or disk drives removed from information systems).

** Any university-managed device with strong, full-disk encryption for its entire service life, including both flash and magnetic storage types.

*** File-level encryption does not meet this requirement, nor does a device that was unencrypted for any length of time. Actions must be complete and auditable.



 

Q. What do you mean by "scrub" or "overwrite"?

A. On spinning-platter and magnetic type hard drives, scrubbing or overwriting means writing over each bit with random ones and zeroes.

For flash memory and SSDs, a different approach must be taken because they operate differently from magnetic media. Most SSDs have special data purge commands built into their hardware. These should overwrite the data in multiple passes, using a pattern in the first pass and its complement in the second pass.




Q. How might I scrub or overwrite a digital storage device?

A. (For non-IT Professionals) Find an IT Professional proficient on the platform (Windows/Mac/Linux/etc) in question and request that they perform the overwrite.
A. (For IT Professionals) Below are a few ideas on how to meet the requirement, both for SSD and for HDD.


Spinning-platter HDD: Secure Erase, or live-boot CLI (use a Linux live-boot distro and "dd" to overwrite* the target HDD)
SSD: "ATA Secure erase". See e.g. https://www.makeuseof.com/tag/securely-erase-ssd-without-destroying/
*Note 1: dd can be very effective (and destructive!) when used in this way. The precise syntax of the dd command may vary - see your local info or man pages to ensure correct syntax before executing.
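The table above requires that an overwrite of Sensitive data be verified. The script below is an added example, not part of the original FAQ or the university standard: it overwrites a spinning-platter target with random data, confirms by read-back hash that every byte was replaced, and prints a line for the disposal record. The function names and the demo image file are assumptions made for illustration; SSDs need the drive's own purge command instead.

```shell
#!/bin/sh
# Added example: random overwrite with read-back verification (HDD use case).
# Function names are hypothetical; the demo target is a constructed image file.

# Size in bytes of a regular file or, on Linux, a whole block device.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    elif [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        return 2
    fi
}

# Overwrite $1 end to end with random bytes, hashing the stream as it is
# written, then read the target back and compare the two hashes.
# Prints one audit line; returns 0 only when the read-back matches.
scrub_and_verify() {
    target=$1
    size=$(target_size "$target") || return 2
    written=$(head -c "$size" /dev/urandom | tee "$target" | sha256sum | cut -d' ' -f1)
    # Flush writes. On real hardware the read-back should also bypass the
    # page cache (for example GNU dd with iflag=direct) so it hits the disk.
    sync
    readback=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    if [ "$written" = "$readback" ]; then result=VERIFIED; else result=FAILED; fi
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) target=$target bytes=$size sha256=$readback result=$result"
    [ "$result" = VERIFIED ]
}

# Demo on a constructed 1 MiB image holding a fake record (not a real disk).
demo_img=$(mktemp)
printf 'CONSTRUCTED-RECORD-0001' > "$demo_img"
head -c 1048576 /dev/zero >> "$demo_img"
scrub_and_verify "$demo_img"
if grep -a -q 'CONSTRUCTED-RECORD-0001' "$demo_img"; then
    echo "marker still present"
else
    echo "marker no longer present"
fi
rm -f "$demo_img"
```

On a live-boot system the target would be the whole-disk device node, confirmed against the drive's serial number first, and the printed audit line kept with the disposal documentation.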




Q. Can I trust that the data is irrecoverable after scrubbing?

A. To an extent, but the only completely risk-free way of purging data is physical destruction. If you are concerned enough to ask the question, physical destruction is probably the answer.



 

Q. Can I just RMA or throw away a digital storage device?

A. No. The device must be scrubbed, overwritten, or destroyed before it is released or discarded, per the data classification requirements.



 

Q. What if the device to be RMA'd or discarded is broken?

A. All broken storage devices with University data are required to be degaussed or destroyed before they are released.



 

Q. What needs to be done before sending a machine to surplus?

A. See the OBFS page on how to Dispose of Unneeded Equipment.




Q. What services can I use to procure hard drive destruction and what must I do?

A. The following vendors offer data destruction services and chain of custody and certificate of destruction documentation.

Vendor
Contact Information
Vendor and contract information can be found on the OBFS website located here.
Vendor and contract information can be found on the OBFS website located here.
Procurri services need to be purchased through CDW.  Contact information and information regarding CDW quotes can be found here.

The table above includes links to contact information for each vendor as well as available contract information.  For additional assistance regarding securing vendor services, we recommend contacting your Purchasing Office.



Q. When should I use an on-site service over a shipping option?

A. For devices containing High Risk data or for devices that can't be scrubbed/overwritten, use of an on-site destruction service is recommended.  An off-site (shipping) option may provide additional assurance that data is irrecoverable and could be appropriate for scrubbed/overwritten devices containing Public, Internal, or Sensitive data.
 


Q. Are there any steps I should take to ensure compliance with University data retention schedules?

A. Some regulations do require organizations to track and document actions taken during storage media disposal.  If you have questions regarding retention requirements, we recommend you contact the Records and Information Management group.



Q. What if I have additional questions about the IT 15 Security Standards or cybersecurity in general?

A. Additional questions regarding data destruction and cybersecurity can be directed to securitysupport@illinois.edu.