Sidebar: Best Practices for Data Destruction

By Robert L. Mitchell

January 31, 2005 12:00 PM ET

Recommended

(3)

Digg

Twitter

Share/Email

Computerworld - Here's a summary of best practices used by Vince Tuesday when using an IT equipment disposal vendor to ensure complete destruction of all data. Tuesday (not his real name) is a security manager at a large financial services company and a former contributor to Computerworld's Security Manager's Journal.

Physical Disposal Practices

Items to be removed from site are placed in a storage area within the organization's IT premises.

Removable drives are checked, asset tags are scanned, and a report of the assets to be removed is generated for final checking and audit-trail purposes.

Once the report is signed off on, items are removed from the site. Specific security guidelines for transportation are enforced, such as providing access to known, registered personnel only; conducting security checks on courier staff; using unmarked vans and specifying that vans may not be left unattended or unlocked; and so on.

When arriving at the supplier's facility, the assets are booked into the supplier's system. A report is sent immediately for comparison with the removal report to ensure that all assets were received.

Prior to processing, equipment is held separately from that of other customers.

Company tags are removed during processing, before disposal or resale.

Unannounced inspections of the supplier's premises are permitted in the contract.

Data Sanitization Practices

Data is wiped using a DOD three-pass algorithm with software certified by authorities such as the British Communications Electronic Security Group (baseline and enhanced), U.S. Department of Defense (DOD 5220.22-M) plus other international standards. This service is used on servers (Unix and Intel-based), disc arrays, laptops, desktops and PDAs.

When the disk can't be accessed, it is removed and and then drilled in order to destroy it. The system unit is then recycled as component spares.

If removable media is found, it is offered to the customer for secure return or destruction.

On completion of data erasure, a certificate (per batch) is provided to the customer.

Printers and faxes have their memories purged using setup menus (or via a disk erasure utility, if it has a hard disk).

Mobile phones are wiped by checking for SIM cards (and returning if found) and erasing via menus.

Read more about hardware in Computerworld's Hardware Knowledge Center.

Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

Hardware

Additional Resources

WHITE PAPER

EFD vs. HDD - What You Need to Know

Enterprise flash drives provide a new Tier 0 storage layer capable of delivering high I/O performance at a very low latency. Proper use of EFDs in an Oracle environment can deliver increased performance compared to fibre channel drives. Read the recommendations for identification of the best DB components for EFDs.

WHITE PAPER

Gartner Research Report: Magic Quadrant for Application Delivery Controllers, 2009

The market for products to improve the delivery of application software over networks remains dynamic and innovative. Vendors focused on solving enterprises' most-pressing application problems have become the top players.

WHITE PAPER

Eight Criteria for Server Load Balancing

Server load balancers are a simple yet highly effective means to scale an application environment while ensuring its availability. Today's solutions should also address application performance and security. Read about the top eight criteria you should consider when choosing a server load balancer and how Citrix NetScaler meets those requirements.