Best practices for: securely removing data from computers and electronic storage devices

The University Information Security and Policy Office is available to work with the appropriate departmental IT staff to ensure that procedures consistent with security best practices are followed for the reliable removal of licensed software and confidential data before equipment transfers take place. Individuals who want to learn more about the policy and procedures for properly disposing of data-storing media are directed to take the online Media Disposal training, assigned to staff by the unit HR representative or via the Compliance and Qualifications training.

Computer endpoints and other electronic devices store information on a variety of media. It is important to ensure that all licensed university software and all institutional and regulated data (e.g., classified as University Internal, Restricted, or Critical) are securely removed from devices before ownership is transferred.

Examples of electronic storage equipment:

Computer internal disk drives (HDD, SSD)
External media (e.g., USB drives)
Legacy media: CD-ROM, DVD, Zip disk, diskette, tape, etc.
Fax Machines
Copy Machines
Biz-Hubs

What is the problem?

Commands such as ‘delete’ and ‘remove’ do not erase data; they simply remove the directory pointers to the data’s location on the physical storage media. Emptying the Recycle Bin or Trash folder on the computer's desktop also does not erase files. Similarly, the ‘fdisk’ and ‘format’ commands modify the file system but do not actually remove data from the disk.

How should data be removed?

Employ disk wiping applications to securely remove data from a device. These programs work either by repeatedly writing a random series of 1s and 0s over the storage, so that the information it contained is not recoverable, or by cryptographically erasing it.

Many disk wipe programs let you decide how many times to overwrite the storage. Best practice is to use three to seven passes. For transfers within UI departments, a single-pass wipe is sufficient.

We recommend destroying media that cannot be wiped, such as CD-ROMs, DVDs, tapes, inoperable or broken disk drives, and other damaged media devices. University Surplus provides equipment recycling and destruction services in addition to its resale operation. Contact University Surplus (5-5001) to discuss specifics if you have media that you believe cannot be securely wiped.

Visit https://surplus.fo.uiowa.edu/surplus-pick to access University Surplus' Equipment Removal form.

NOTE: Keep all equipment for University Surplus in a secure location until it is picked up. Mark all equipment with the department name, a description of the equipment, the date, what wiping was done, and by whom.

Verifying the selected information sanitization and disposal process is an essential step in maintaining the confidentiality of Institutional Data. Designated IT staff should verify every time sanitization is applied (where applicable, as most Destroy techniques do not support practical verification for each sanitized piece of media). If programs or applications cannot be used to purge the data, destruction of the media is the recommended next-best assurance. UI Surplus is equipped to sanitize and destroy equipment.
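The overwrite-then-verify sequence described above, sketched as an added example (not University or vendor code). It runs against an ordinary file standing in for a disk image; the function names and the sample marker are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # work in 1 MiB blocks


def overwrite_pass(path):
    """One pass of random data over every byte; returns SHA-256 of what was written."""
    digest = hashlib.sha256()
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            block = os.urandom(min(CHUNK, remaining))
            f.write(block)
            digest.update(block)
            remaining -= len(block)
        f.flush()
        os.fsync(f.fileno())  # push the pass out of OS caches to the storage
    return digest.hexdigest()


def verify_pass(path, expected_digest, marker):
    """Full read-back: must equal the last pass and must not contain `marker`."""
    digest, found, tail = hashlib.sha256(), False, b""
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            digest.update(block)
            found = found or marker in tail + block
            tail = block[-len(marker):]  # catch a marker split across blocks
    return digest.hexdigest() == expected_digest and not found


def wipe_and_verify(path, marker, passes=1):
    """Run `passes` (at least 1) overwrite passes, then verify the final one."""
    for _ in range(passes):
        expected = overwrite_pass(path)
    return verify_pass(path, expected, marker)


def demo():
    marker = b"CONSTRUCTED-SAMPLE-RECORD"  # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(marker * 1000)
        path = f.name
    try:
        return wipe_and_verify(path, marker, passes=1)
    finally:
        os.remove(path)
```

The result of `wipe_and_verify` is the value to record alongside the wiping details marked on the equipment: `True` only when the read-back matches the final pass and the known original content is gone.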

Updated 12/28/2022