Sidebar: Best Practices for Data Destruction

By Robert L. Mitchell

January 31, 2005 12:00 PM ET

Recommended

(3)

Digg

Twitter

Share/Email

Computerworld - Here's a summary of best practices used by Vince Tuesday when using an IT equipment disposal vendor to ensure complete destruction of all data. Tuesday (not his real name) is a security manager at a large financial services company and a former contributor to Computerworld's Security Manager's Journal.

Physical Disposal Practices

Items to be removed from site are placed in a storage area within the organization's IT premises.

Removable drives are checked, asset tags are scanned, and a report of the assets to be removed is generated for final checking and audit-trail purposes.

Once the report is signed off on, items are removed from the site. Specific security guidelines for transportation are enforced, such as providing access to known, registered personnel only; conducting security checks on courier staff; using unmarked vans and specifying that vans may not be left unattended or unlocked; and so on.

When arriving at the supplier's facility, the assets are booked into the supplier's system. A report is sent immediately for comparison with the removal report to ensure that all assets were received.

Prior to processing, equipment is held separately from that of other customers.

Company tags are removed during processing, before disposal or resale.

Unannounced inspections of the supplier's premises are permitted in the contract.

Data Sanitization Practices

Data is wiped using a DOD three-pass algorithm with software certified by authorities such as the British Communications Electronic Security Group (baseline and enhanced), U.S. Department of Defense (DOD 5220.22-M) plus other international standards. This service is used on servers (Unix and Intel-based), disc arrays, laptops, desktops and PDAs.

When the disk can't be accessed, it is removed and and then drilled in order to destroy it. The system unit is then recycled as component spares.

If removable media is found, it is offered to the customer for secure return or destruction.

On completion of data erasure, a certificate (per batch) is provided to the customer.

Printers and faxes have their memories purged using setup menus (or via a disk erasure utility, if it has a hard disk).

Mobile phones are wiped by checking for SIM cards (and returning if found) and erasing via menus.

Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

Hardware

Additional Resources

Xerox

Win a color printer!

By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!

Microsoft

Upgrade to Internet Explorer 8 today.

Save time and mitigate security risk. Deploy it now.

Sybase

NEXT-GENERATION MOBILITY PLATFORMS

In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.