Sidebar: Best Practices for Data Destruction

Computerworld - Here's a summary of best practices used by Vince Tuesday when using an IT equipment disposal vendor to ensure complete destruction of all data. Tuesday (not his real name) is a security manager at a large financial services company and a former contributor to Computerworld's Security Manager's Journal.

Physical Disposal Practices

• Items to be removed from site are placed in a storage area within the organization's IT premises.


• Removable drives are checked, asset tags are scanned, and a report of the assets to be removed is generated for final checking and audit-trail purposes.


• Once the report is signed off on, items are removed from the site. Specific security guidelines for transportation are enforced, such as providing access to known, registered personnel only; conducting security checks on courier staff; using unmarked vans and specifying that vans may not be left unattended or unlocked; and so on.


• When arriving at the supplier's facility, the assets are booked into the supplier's system. A report is sent immediately for comparison with the removal report to ensure that all assets were received.


• Prior to processing, equipment is held separately from that of other customers.


• Company tags are removed during processing, before disposal or resale.


• Unannounced inspections of the supplier's premises are permitted in the contract.

• Data is wiped using a DOD three-pass algorithm with software certified by authorities such as the British Communications Electronic Security Group (baseline and enhanced), U.S. Department of Defense (DOD 5220.22-M) plus other international standards. This service is used on servers (Unix and Intel-based), disc arrays, laptops, desktops and PDAs.


• When the disk can't be accessed, it is removed and and then drilled in order to destroy it. The system unit is then recycled as component spares.


• If removable media is found, it is offered to the customer for secure return or destruction.


• On completion of data erasure, a certificate (per batch) is provided to the customer.


• Printers and faxes have their memories purged using setup menus (or via a disk erasure utility, if it has a hard disk).


• Mobile phones are wiped by checking for SIM cards (and returning if found) and erasing via menus.

Read more about Hardware in Computerworld's Hardware Topic Center.