Overview
University of Oregon's Information Asset Classification and Management Policy require compliance with security related standards that supports the policy. Recommendations below are provided as guidance to assist with achieving the control Data is destroyed according to policy, in the Standards.
Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory / SSDs, mobile devices, CDs, and DVDs, etc.) or in hard copy form. Before this procedure is used, ensure that you have reviewed the University of Oregon Records Retention Schedule (UO RRS) for the records in the memory device.
Requirement
Resource Administrators must ensure that any systems (laptops, workstations, and servers) and devices (smartphones, USB drives) storing covered data must be securely overwritten or wiped using an approved secure file deletion utility upon decommission of the device to ensure that the information cannot be recovered. For those devices that cannot be overwritten (defective hard drives, CDs/DVDs), Resource Administrators must ensure the device is destroyed prior to disposal.
Description of Risk
Storage media are prone to physical theft and loss. Unauthorized parties can acquire unencrypted data stored on the device.
Recommendations
During a covered device’s life cycle, it may need to be retired for various reasons such as upgrades, migration or project closing. To avoid covered data remnants from being accessed by unauthorized parties in legacy covered devices, follow the recommendations below to delete covered data before retiring the covered device.
Device Transfer Within an Organization or Unit
If the device accessed, stored or processed High or Moderate Risk data, the device must be sanitized according to the Sanitization Guidelines below. The device may be transferred with a regular format or without removing any Low Risk Data.
Device Disposal to e-Waste, via Property Disposition Request (PDR)
If a device is to be disposed through UO's e-Waste using PDR, the e-Waste team does sanitize storage disks. Therefore, there is no need for the local property administrator to sanitize or remove storage disks (Hard Disks, SSDs etc). The e-Waste staff does sanitization following the process equivalent to the guidelines below.
Sanitization prior to device reuse
- Delete data using secure software to overwrite data multiple times. Compliant delete options include DoD 3 pass overwrite standard (DoD 5220.22-M).
- Where possible, sanitize entire hard disk instead of just deleting data files and folders. If the storage is defective, shred it.
Below are list of recommended software tools for disk. Use disk deletion tools when you need to erase the content of an entire disk drive, such as when you are retiring a disk drive, or the computer itself. Or you want to re-purpose your computer by re-installing/upgrading your operating system.
Magnetic Hard Disks
= available
Solid State Disks (SSD)
Secure deletion tools do not work on flash based hard drives such as SSD and SD cards. The recommended method to sanitize an SSD is to use "cryptographic erasure", as follows:
- Encrypt the SSD, if it is not already encrypted with one of the following methods.
- For Windows, use BitLocker.
- For Macintosh, use FileVault 2.
- Remove the ability for someone else to recover the encrypted contents.
- For BitLocker:
- Open Command (may require admin rights) from the Start menu, then type
manage-bde -forcerecovery c:
- Shut it down.
- For FileVault 2, reformat by:
- Restart.
- Hold down the Command and R keys when the grey start-up screen appears.
- Select Disk Utility.
- Highlight internal drive, then go to the Erase tab.
- Press Erase, accepting the defaults.
USB Drives on Windows
- Cryptographic Erasure
- Encrypt the USB drive with BitLocker.
- Right-click the Drive icon in the Explorer.
- Select Turn On BitLocker and follow prompts.
- Right-click the Drive icon in the Explorer again.
- Select Format, uncheck the Quick Format option, then press Start.
Smartphones and Tablets
If the device supports it, use built-in settings to encrypt the device. Then use the built-in settings to do a factory reset.
Note: Some SSD manufacturers provide recommendation on how to best sanitize their SSD drives, and we encourage you to look at their methods.
Additional Resources
- NIST SP 800-88 Rev. 1 ("Guidelines for Media Sanitization") - NIST's Special Publication for other media sanitization for appropriate data sanitation techniques, commands, and tools.