Storage Sanitization Before Reuse, Recycle or Disposal Procedure

Overview

University of Oregon's Information Asset Classification and Management Policy require compliance with security related standards that supports the policy. Recommendations below are provided as guidance to assist with achieving the control Data is destroyed according to policy, in the Standards.

Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory / SSDs, mobile devices, CDs, and DVDs, etc.) or in hard copy form. Before this procedure is used, ensure that you have reviewed the University of Oregon Records Retention Schedule (UO RRS) for the records in the memory device.

Requirement

Resource Administrators must ensure that any systems (laptops, workstations, and servers) and devices (smartphones, USB drives) storing covered data must be securely overwritten or wiped using an approved secure file deletion utility upon decommission of the device to ensure that the information cannot be recovered. For those devices that cannot be overwritten (defective hard drives, CDs/DVDs), Resource Administrators must ensure the device is destroyed prior to disposal.

Description of Risk

Storage media are prone to physical theft and loss. Unauthorized parties can acquire unencrypted data stored on the device.

Recommendations

During a covered device’s life cycle, it may need to be retired for various reasons such as upgrades, migration or project closing. To avoid covered data remnants from being accessed by unauthorized parties in legacy covered devices, follow the recommendations below to delete covered data before retiring the covered device.

Device Transfer Within an Organization or Unit

If the device accessed, stored or processed High or Moderate Risk data, the device must be sanitized according to the Sanitization Guidelines below. The device may be transferred with a regular format or without removing any Low Risk Data.

Device Disposal or Transfer to e-Waste

If a device is to be disposed to surplus or e-Waste, the device owner or local property administrator must sanitize or remove and physically destroy all storage disks (Hard Disks, SSDs etc) regardless if the device is known to contain any High, Moderate, or Low Risk Data. Local property administrators should be prepared to either sanitize or destroy the disk themselves according to the Data Sanitization Guidelines below 

Sanitization prior to device reuse

  1. Delete data using secure software to overwrite data multiple times. Compliant delete options include DoD 3 pass overwrite standard (DoD 5220.22-M).  
  2. Where possible, sanitize entire hard disk instead of just deleting data files and folders. If the storage is defective, shred it.

Below are list of recommended software tools for disk.  Use disk deletion tools when you need to erase the content of an entire disk drive, such as when you are retiring a disk drive, or the computer itself.  Or you want to re-purpose your computer by re-installing/upgrading your operating system. 

Magnetic Hard Disks

= available

Disk Deletion Tool Windows Mac OS Linux Description
Darik's Boot and Nuke (DBAN)
 
 
UC SanDiego's Secure Erase
 
 
Mac OS X Disk Utility  
   

Solid State Disks (SSD)

Secure deletion tools do not work on flash based hard drives such as SSD and SD cards.  The recommended method to sanitize an SSD is to use "cryptographic erasure", as follows:
  1. Encrypt the SSD, if it is not already encrypted with one of the following methods.
    • For Windows, use BitLocker.
    • For Macintosh, use FileVault 2.
  2. Remove the ability for someone else to recover the encrypted contents.
    • For BitLocker:
      1. Open Command (may require admin rights) from the Start menu, then type manage-bde -forcerecovery c:
      2. Shut it down.
    • For FileVault 2, reformat by:
      1. Restart.
      2. Hold down the Command and R keys when the grey start-up screen appears.
      3. Select Disk Utility.
      4. Highlight internal drive, then go to the Erase tab.
      5. Press Erase, accepting the defaults.

USB Drives on Windows

  • Cryptographic Erasure
    1. Encrypt the USB drive with BitLocker.
    2. Right-click the Drive icon in the Explorer.
    3. Select Turn On BitLocker and follow prompts.
    4. Right-click the Drive icon in the Explorer again.
    5. Select Format, uncheck the Quick Format option, then press Start.

Smartphones and Tablets

If the device supports it, use built-in settings to encrypt the device. Then use the built-in settings to do a factory reset.
Note: Some SSD manufacturers provide recommendation on how to best sanitize their SSD drives, and we encourage you to look at their methods.

Additional Resources

  • NIST SP 800-88 Rev. 1 ("Guidelines for Media Sanitization") - NIST's Special Publication for other media sanitization for appropriate data sanitation techniques, commands, and tools.

 

Details

Article ID: 140456
Created
Thu 6/9/22 4:46 PM
Modified
Tue 8/16/22 5:14 PM

Related Articles (2)

This article is a quick reference for how to handle, transmit and dispose of sensitive data.