Securely Removing Data
- IU Standard
- Why Remove Data?
- Why Delete is Not Enough
- Secure Delete Methods
- Data on Paper
- Related Policies and Documentation
- Summary and Frequently Asked Questions
Computing systems (including desktops and laptops, networking equipment, cellular phones, PDAs, and other mobile devices) store data on a wide variety of storage media (e.g., hard drives, USB flash drives, floppy disks, CD-ROMs, tapes, memory). This data must be securely removed from the media once the data and/or device is no longer required, in order to prevent unauthorized disclosure of the data. This is particularly true if the device contains sensitive data.
This document will discuss the risks associated with and the processes used to securely remove data from storage media and it will also explain why a simple delete of the data files does NOT suffice.
Before a department may relinquish computing equipment to another entity, if that equipment is, or contains, a storage device, all data must be removed from the storage device(s). In order to satisfy the IU Purchasing policy, departments must choose and correctly deploy a tool that performs at least a 1-pass wipe of the disk. UISO has verified that the tools that can satisfy that requirement, if used correctly, are DBAN and Mac OS X's Disk Utility.
If the storage device is inoperable or cannot be wiped using one of these tools, then the remaining options include degaussing and drive destruction. The UISO recommends against degaussing and instead encourages departments to use the IUB/IUPUI Surplus Data Destruction Service (see Destruction section below).
There are a number of reasons why the data maintained on computer systems and devices would need to be securely removed. Perhaps a computer system is being replaced with a more powerful device and the old system is being transferred to another department or sold at auction. Maybe the backup data stored on a CD-ROM has reached the end of its useful life and needs to be expunged. Perhaps a magnetic tape has been used the maximum number of times that it can be to reliably preserve data. Maybe a hard drive has become damaged and is inoperative.
In each of the aforementioned cases, the University has legal and ethical obligations to ensure that any institutional data is securely removed to minimize the risk of possible disclosure.
A file can be deleted from a computer's hard drive using a number of methods: by issuing an rm or del command from the command line, by highlighting a file in Nautilus, Finder, or Windows Explorer and pressing the Delete key, or by emptying the Recycle Bin or the Trash folder. However, these methods only remove the pointers to the actual files -- they do NOT remove the data. The data remains on the hard drive as unallocated space.
Another common misconception is that using system utilities (e.g., fdisk) and re-formatting the hard drive will securely delete all data on the hard drive. Like rm and del, these utilities modify file system attributes but do not remove the data.
CD-ROMs, since they are read-only, introduce a different challenge in that there is no way to programmatically and securely delete the contents of the CD. Inoperable hard drives are also troublesome in that they cannot be connected to a system and accessed through software.
We've discussed earlier that one cannot rely on deletion alone and that there are certain devices that present special issues. So, what is available to help us securely delete and/or destroy the data?
Disk wiping is a term used to describe a programmatic process that writes a series of 1's and/or 0's over the disk in an effort to securely remove the data. DBAN is an example of a software tool that has this capability. CyberCide, DBAN, Declasfy, East-Tec's DisposeSecure, East-Tec's Eraser, Heidi's Eraser, PDA Defense, and Symantec Ghost's gdisk32 can be used as well. Depending on the speed or the performance characteristics of the computer you use to run this software, disk wiping might be time-consuming.
Mac OS X also comes bundled with Disk Utility, an application that allows for the secure wiping of hard disks.
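To make the two points above concrete (a delete only clears the pointer, while a wipe overwrites every sector and is then verified by reading the media back), here is an added example that is not part of the UISO page and is not DBAN or Disk Utility code. It builds a small constructed disk image with a toy one-entry "directory", so nothing here touches a real device.

```python
import os
import tempfile
SECTOR = 512
MARKER = b"CONSTRUCTED-SENSITIVE-RECORD-0001"  # constructed sample, not real data

def make_image(path, sectors=64):
    """Toy file system: sector 0 holds the one 'directory entry' (the sector
    where the file's data starts); the data itself is written to sector 10."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (SECTOR * sectors))
        f.seek(0)
        f.write(b"\x0a")                 # pointer: data lives at sector 10
        f.seek(10 * SECTOR)
        f.write(MARKER)

def plain_delete(path):
    """What rm/del, emptying the Trash or a format does: clear the pointer,
    leave the data sectors untouched (they are now just 'unallocated')."""
    with open(path, "r+b") as f:
        f.write(b"\x00")

def data_recoverable(path):
    """Carve the raw image for the marker, ignoring the directory entirely."""
    with open(path, "rb") as f:
        return MARKER in f.read()

def wipe_image(path, pattern=0x00, chunk=1 << 20):
    """1-pass overwrite of every byte, then a read-back verification pass;
    returns True only if the whole image reads back as the pattern."""
    size, fill = os.path.getsize(path), bytes([pattern]) * chunk
    with open(path, "r+b") as f:
        for off in range(0, size, chunk):
            f.write(fill[:size - off])   # slicing caps the final partial chunk
        f.flush()
        os.fsync(f.fileno())             # make sure it reached the media
    with open(path, "rb") as f:
        return all(buf == bytes([pattern]) * len(buf)
                   for buf in iter(lambda: f.read(chunk), b""))

def demo():
    """Returns (recoverable after plain delete, wipe verified, recoverable after wipe)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        make_image(path)
        plain_delete(path)
        after_delete = data_recoverable(path)
        verified, after_wipe = wipe_image(path), data_recoverable(path)
    finally:
        os.remove(path)
    return after_delete, verified, after_wipe
```

Running `demo()` returns `(True, True, False)`: the record is still carvable after the "delete", and only the verified overwrite removes it. Real tools apply the same overwrite-then-verify loop to the raw block device rather than to an image file.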
For media that has contained highly sensitive data or for media that cannot be wiped (e.g., inoperable/damaged hard drives, DVDs) or degaussed (e.g., CD-ROMs), destruction of the media is the most effective means of ensuring that the data cannot be recovered. Destruction of the media can be accomplished via a number of methods: shredding disk platters, grinding the surfaces off of CDs, incinerating tapes, etc. In order to be effective, the destruction has to be thorough. A simple whack with a hammer, for example, would leave the majority of the data on the media readable.
The University has data destruction services available:
Degaussing is a process by which magnetic storage media is subjected to a powerful magnetic field to remove the data on the media.
Since a degausser that meets the applicable performance requirements set forth by the National Security Agency/Central Security Service, NSA/CSS, can be cost prohibitive, the UISO recommends that departments take advantage of the Data Destruction Service offered by IUB/IUPUI Surplus.
In addition to cost, degaussing is ineffective in erasing optical media (DVDs, CDs) and solid state drives, but the Data Destruction Service is capable of destroying those forms of media as well.
Information classified as Critical, when stored in paper form, must be properly disposed of/destroyed. If your department does not handle a large amount of Critical data on paper, you may consider purchasing a small paper shredder (ensure it's a cross-cut shredder).
If your department handles a higher volume of sensitive or Critical data on paper, you may wish to utilize a secure document destruction vendor. The IU Office of Procurement Services maintains a list of contracted vendors — there is at least one located by each IU campus.
- Document Destruction Contracts | IU Office of Procurement Services
- Disposal & Redistribution of University Property Policy (P - 14.0)
- Sale of Computer Equipment Policy (P - 14.1)
- NIST Special Publication 800-88 Guidelines for Media Sanitization
- Effectively Erasing Files | US-CERT National Cyber Alert System
- I have an inoperable hard drive that contains sensitive data. What should I do?
- Disk wiping is out of the question since the drive is inoperable. In this case, destruction is the best alternative.
- I have a computer that is being replaced by a newer model and I would like to transfer this machine to another user in my department. The system has been used to store FERPA protected student records. What should I do?
- Disk wiping is the best alternative.
- I have a computer that is being replaced by a newer model and I would like to transfer this machine to another department on campus. The system was bought new and used as a public access terminal. It has never maintained sensitive data, but it does have applications installed on it that we licensed from a software vendor. What should I do?
- Since data storage is not an issue, the simplest method would be to fdisk the system and reformat the hard drive. This process will ensure that any individually licensed software is unusable.
- I have a computer that is being replaced by a newer model and I would like to transfer this machine to another department on campus. The system has been used to store sensitive data. What should I do?
- Once again, secure disk wiping is probably the best alternative.
- I have a computer that has reached the end of its life and I cannot find another department at the University that wants it. What should I do?
University Purchasing has two policies that discuss this:
- I have a hard drive containing sensitive data that has a mechanical failure, and the computer manufacturer is requesting that the drive be returned in order to do a replacement under warranty. What methods must be undertaken to erase the data when the drive is physically inoperable?
- You should first tell the manufacturer that the drive has sensitive data and that you do not want to send it back. If the manufacturer subsequently informs you that they will not send a replacement without the damaged drive, then you should request a formal letter from the manufacturer saying that they will ensure that all data is securely wiped from the hard drive. If the vendor continues to refuse, you should purchase a replacement drive and ensure that the damaged disk is destroyed.
- I have a very large volume of media to be retired that contains sensitive data. What are my options?
- University Purchasing can work with various professional shredder companies that can come on campus and shred the media. When finished, they will also provide you a certificate of destruction. Contact your campus Purchasing department for additional information.
- I will no longer be using my BlackBerry or iPhone/iPad/iPod Touch. Must I remove all of my personal data from it? If so, how do I do that?