About secure data removal

IU policy

Before a department may redistribute, sell, or dispose of computing equipment to another entity, all data must be removed from the storage device(s) to comply with Disposal and Redistribution of University Property (FIN-PURCH-11).

Departments must choose and correctly use a tool that performs at least a one-pass wipe of the storage device. If a storage device is inoperable or cannot be wiped using an approved tool, your remaining options include degaussing and drive destruction.

Simple deletion of data is not enough

When a file is deleted using the usual methods inherent in an operating system, these methods typically only remove the pointers to the files, not the actual files themselves. The data remains on the hard drive as unallocated space and can easily be recovered with readily available tools.

A common misconception is that using system utilities like fdisk and reformatting a hard drive will securely delete all data on the hard drive. Like rm and del, these utilities modify file system attributes but do not remove the actual data.

CD-ROMs, since they are read-only, present a different challenge in that there is no way to programmatically and securely delete the contents of the CD. Inoperable hard drives are also a challenge since they cannot be connected to a system and accessed through software.

Methods of secure deletion

Wiping utilities

Disk wiping is a term used to describe a method that writes a series of ones and/or zeros over the disk to securely remove the data. Since tools that do this have to overwrite the entire disk, this process can be time-consuming.

UISO has verified that DBAN and the macOS Disk Utility, if used correctly, can be successfully used to securely remove data from a disk; for details, see Securely wipe disk drives.
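The following added example (not UISO's or IU's code, and not a substitute for the wiping tools named above) shows on a constructed image file why clearing a file's pointer leaves its data in place, and how a one-pass zero overwrite can be checked afterward by scanning for non-zero blocks. The function names, the 4096-byte block size, and the toy file table are assumptions made for the illustration.

```python
import os
import tempfile

BLOCK = 4096  # scan granularity in bytes (assumed for this example)

def nonzero_blocks(path, block=BLOCK):
    """Return byte offsets of blocks that still hold any non-zero byte."""
    hits, off = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(block):
            if chunk.count(0) != len(chunk):
                hits.append(off)
            off += len(chunk)
    return hits

def one_pass_zero(path, block=BLOCK):
    """Overwrite the whole image once with zeros and force it to storage."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # also works where getsize() reports 0
        f.seek(0)
        for off in range(0, size, block):
            f.write(bytes(min(block, size - off)))
        f.flush()
        os.fsync(f.fileno())

def demo():
    """Constructed 8-block image: block 0 is a toy file table, block 3 is data."""
    pointer = b"grades.txt->3"        # constructed directory entry
    secret = b"FERPA-sample-record"   # constructed file contents
    fd, img = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(img, "r+b") as f:   # blocks 0-2 hold the table, 3-7 the data area
            f.write(pointer.ljust(3 * BLOCK, b"\0") + secret.ljust(5 * BLOCK, b"\0"))
        with open(img, "r+b") as f:   # "delete": clear only the pointer
            f.write(bytes(len(pointer)))
        after_delete = nonzero_blocks(img)
        with open(img, "rb") as f:
            recoverable = secret in f.read()
        one_pass_zero(img)
        return after_delete, recoverable, nonzero_blocks(img)
    finally:
        os.remove(img)

if __name__ == "__main__":
    print(demo())
```

After the pointer is cleared, the scan still reports the data block and the record is readable; after the overwrite, the scan reports no non-zero blocks.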

Destruction

For media that has contained highly sensitive data or for media that cannot be wiped (for example, inoperable hard drives or DVDs) or degaussed (for example, CD-ROMs), destruction of the media is the most effective means of ensuring that the data cannot be recovered.

IU Surplus provides data destruction services to the IU community.

In order to be effective, the destruction has to be thorough. For example, a simple whack with a hammer leaves the majority of data on the media readable.

Degaussing

Degaussing is a process by which magnetic storage media is subjected to a powerful magnetic field to remove data on the media.

Since a degausser that meets the performance requirements set forth by the National Security Agency/Central Security Service (NSA/CSS) can be cost-prohibitive, and is ineffective with optical media such as DVDs and CDs, UISO recommends against degaussing, and encourages departments to take advantage of the Data Destruction Service offered by IU Surplus.

Destruction of data on paper

Information classified as Critical data, when stored in paper form, must be properly destroyed by shredding. For low-volume paper document destruction, units may consider purchasing a small cross-cut paper shredder. For high-volume needs, a document destruction vendor may be the best solution. IU Purchasing maintains a list of contracted vendors for document destruction.

Example scenarios and recommendations

Scenario: You have an inoperable hard drive that contains sensitive data.
Recommended action: Since disk wiping can't be used on inoperable drives, physical destruction is the best alternative.

Scenario: You are transferring a computer, which has been used to store FERPA-protected student records, to another user.
Recommended action: Disk wiping is the best alternative.

Scenario: You are transferring a computer to another department on campus. The computer was bought new and used as a public access terminal; it has never maintained sensitive data, but has applications installed on it that were licensed from a software vendor.
Recommended action: Since data storage is not an issue, you can fdisk the system and reformat the hard drive, ensuring that any individually licensed software is unusable.

Scenario: You are transferring a computer, which has been used to store sensitive data, to another department on campus.
Recommended action: Secure disk wiping is the best alternative.

Scenario: Your computer has reached the end of its life and no other IU department wants it.

Scenario: Your hard drive containing sensitive data has a mechanical failure, and the manufacturer requests that the drive be returned for replacement under warranty.
Recommended action: Inform the manufacturer that the drive contains sensitive data and you'd prefer not to return it. If the manufacturer insists on return of the damaged drive before sending a replacement, request a formal letter from the manufacturer stating that they will ensure all data is securely removed from the hard drive. If the vendor refuses to comply, purchase a replacement drive and destroy the damaged disk using one of IU's destruction services (see IU Surplus).

Scenario: You have a very large volume of media to be retired that contains sensitive data.
Recommended action: IU Purchasing can contract with a professional shredder company to come to campus and shred the media. When finished, they will provide a certificate of destruction.

Scenario: You are replacing an old smartphone.
Recommended action: Remove all data from smartphones, tablets, and other mobile devices that have been used to access, store, or manipulate institutional data. See:

Scenario: You may have sensitive data cached in your office copier or multifunction device.
Recommended action: See Protect data in copiers and multifunction devices.

Learn more

To learn more, see the following policies and documents:

This is document bgug in the Knowledge Base.
Last modified on 2021-04-12 16:17:24.