Best Practices for: Securely Removing Data from Computers and Electronic Storage Devices
The University Information Security and Policy Office will work with the appropriate departmental IT staff to ensure that procedures consistent with security best practices are followed for the reliable removal of licensed software and confidential data before equipment transfers take place. Training seminars for individuals to learn policy and procedures to properly dispose of data-storing media are offered quarterly. Notices and registration of these seminars are sent out to the IT Admins and CITL email lists ahead of time.
Computer systems and other electronic devices store information on a variety of media. It is important to ensure that all licensed software and all University confidential (e.g., classified as internal use, restricted, or restricted-health) information is securely removed from devices before ownership is transferred.
Examples of electronic storage equipment:
Computer internal disk drive
External disk drive
Zip disks, diskettes
USB Flash drives
What is the problem?
Commands such as ‘delete’ and ‘remove’ do not erase data, they simply remove the directory pointers to the data’s location on the physical storage media. Emptying the Recycle Bin or Trash Folder also do not erase files. Similarly, ‘fdisk’ and ‘format’ commands modify the file system but do not actually remove data from the disk.
How should I remove data?
In order to securely remove data from a device, disk wiping programs have been developed. These programs repeatedly write a (usually random) series of 1’s and 0’s over the storage, in an effort to securely erase information contained on it so that it is not recoverable. Many disk wipe programs let you decide how many times to overwrite the storage. The best practice is to use from three to seven passes. For transfers within UI departments, a single pass wipe is sufficient.
You are recommended to destroy media that cannot be wiped, such as CD-ROMs, inoperable/broken disk drives, DVD’s, tapes, or other damaged media devices. University Surplus provides equipment recycling and destruction services, as well as their resale operation. Contact University Surplus (5-5001) to discuss specifics if you have media you believe is unable to be securely wiped.
Visit http://www.uiowa.edu/surplus/surplus-pick to access University Surplus' Equipment Removal form.
NOTE: You must keep all equipment for University Surplus in a secure location until it's picked up. Mark all equipment with your department name, a description of the equipment, the date, what wiping was done, and by whom.
DISK WIPE PROGRAMS
A short selection of disk wipe programs is listed below. (Note: The University of Iowa has no business relationship and makes no endorsement of any vended product listed.)
|Name of program:||Support for:||Cost:|
|Eraser Secure Data Removal Tool http://www.heidi.ie/eraser/||
|Darik's Boot and Nuke http://dban.sourceforge.net/||
|Active@Killdisk http://www.killdisk.com||DOS, Windows, Linux||Linux $59.99|
|WipeDrive & MediaWiper http://www.whitecanyon.com||
External Media Devices, Windows
|$39.95 for both programs|
|Wipe http://wipe.sourceforge.net||Linux, Macintosh versions||Free|
|Symantec Ghost's gdisk utility (use with the /diskwipe /dodwipe flags), contact ITS Software Office||Windows||UI Licensed, $12.00|
|“Secure Empty Trash” function (from the Finder menu), or rm –p from a command line||Mac OS X||Free|
|Knoppix "Shred" http://www.knopper.net/knoppix/index-en.html||