Best Practices for: Securely Removing Data from Computers and Electronic Storage Devices

The University Information Security and Policy Office are available to work with the appropriate departmental IT staff to ensure that procedures consistent with security best practices are followed for the reliable removal of licensed software and confidential data before equipment transfers take place. Individuals looking to learn more about policy and procedures to properly dispose of data-storing media are directed to take the online Media Disposal training assigned to staff by the unit HR representative or via the Compliance and Qualifications training.

Computer endpoints and other electronic devices store information on a variety of media.  It is important to ensure that all licensed university software and all institutional and regulated data (e.g., classified as University Internal, Restricted, or Critical) is securely removed from devices before ownership is transferred.

Examples of electronic storage equipment:

Computer internal disk drive (HDD, SSD)
External disk drive
CD-ROM, DVD
Zip disks, diskettes
Tapes
USB Flash drives
Fax Machines
Copy Machines
Biz-Hubs

What is the problem?

Commands such as ‘delete’ and ‘remove’ do not erase data, they simply remove the directory pointers to the data’s location on the physical storage media. Emptying the Recycle Bin or Trash Folder also do not erase files.   Similarly, ‘fdisk’ and ‘format’ commands modify the file system but do not actually remove data from the disk.

How should I remove data?

Use disk wiping applications to securely remove data from a device. These programs could work by either repeatedly write a a random series of 1’s and 0’s over the storage, in an effort to securely erase information contained on it so that it is not recoverable or cryptographically erasing Many disk wipe programs let you decide how many times to overwrite the storage. The best practice is to use from three to seven passes.  For transfers within UI departments, a single pass wipe is sufficient.

You are recommended to destroy media that cannot be wiped, such as CD-ROMs, inoperable/broken disk drives, DVD’s, tapes, or other damaged media devices.  University Surplus provides equipment recycling and destruction services, as well as their resale operation.  Contact University Surplus (5-5001) to discuss specifics if you have media you believe is unable to be securely wiped.

Visit https://surplus.fo.uiowa.edu/surplus-pick to access University Surplus' Equipment Removal form.

NOTE:  Keep all equipment for University Surplus in a secure location until it's picked up.  Mark all equipment with the department name, a description of the equipment, the date, what wiping was done, and by whom.

Verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality of the Institutional Data. IT Staff should verify every time sanitization is applied (where applicable, as most Destroy techniques do not support practical verification for each sanitized piece of media). If the use of programs or applications cannot be used to purge the data, destruction of the media is the recommended next best assurance. UI Surplus is equipped to sanitize and destroy equipment.

Disk Wipe Programs

A short selection of disk wipe programs are listed below. (Note: The University of Iowa has no business relationship and makes no endorsement of any vended product listed.)

Name of program: Support for: Cost: 
Eraser Secure Data Removal Tool  http://www.heidi.ie/eraser/ Windows Free
Darik's Boot and Nuke/ Blancco Drive Eraser  http://dban.org Windows, Unix Free
Active@Killdisk https://www.killdisk.com/eraser.html DOS, Windows, Linux Paid
WipeDrive & MediaWiper  http://www.whitecanyon.com External Media Devices, Windows Paid
“Secure Empty Trash” function (from the Finder menu), or  rm –p from a command line Mac OS X Free
Knoppix "Shred" http://www.knopper.net/knoppix/index-en.html Linux Free