This document supplements the requirements of BU Data Protection Guideline 1.2.D - Data Protection Requirements.  It provides information related to the proper disposal of sensitive information in such a way as to prevent its continued use.

Overview

When data is no longer required it must be disposed of in a way that prevents its continued use.   Electronic data can be difficult to dispose of effectively.  Reusable storage devices are intended to have a long service life and may be erased and rewritten continuously during their life.  Hard disk drives, USB storage devices, solid-state memory cards, portable disk drives, floppy diskettes, and data storage tapes are all examples of media intended for reuse.

There are legal, regulatory, contractual, and policy requirements that may extend the duration for which information must be retained beyond its useful life.  Before disposing of data please review the University Record Retention Policy (FA-002).  DO NOT destroy paper or electronic records that the University Record Retention Policy (FA-002) requires be maintained.  In addition, DO NOT destroy records if you have received a “litigation hold” notice from the Office of the General Counsel concerning actual or threatened litigation or if you have reason to believe that documents relate to a dispute that may result in litigation.  If you have any questions, please contact BU Information Security or the Office of the General Counsel before you destroy either paper or electronic records.

Securely Erasing Entire Reusable Storage Devices (Disk Drives, USB devices, Tapes)

We follow the NIST standard for media sanitization, NIST SP 800-88, which defines processes for securely disposing of data at various levels. Sanitization is defined as the erasure, overwriting, or destruction of storage media to the extent that data cannot be recovered using normal system functions or software data recovery utilities, and is carried out by one of the following actions:

  • Clear: Clear is typically applied through the standard Read/Write commands to the storage device and provides a moderate level of data protection. This can include rewriting with a new value or using a menu option to reset the device to the factory state (when rewriting is not supported). The data is then overwritten and verified. Most devices support some level of Clear sanitization. It does not, however, address hidden or unaddressable areas.
  • Purge: Purge provides a more thorough level of sanitization than Clear and is used for more confidential data. Purge requires the removal of hidden drives, Host Protected Areas (HPA) or Device Configuration Overlays (DCO), if they’re present. Purge applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques.
  • Destroy: Destroy renders media incapable of storing data afterward. Destroy can include shredding, incinerating, pulverizing, melting, and other physical techniques. These can be necessary for drives that are already beyond all possible use or standard overwriting methods because of physical damage. Destroy renders media unusable and should be used when the storage device is at its end of life, or when clear or purge are not an option.

The delete function in most operating systems makes the data unavailable via the standard user interface but does not actually remove it from the storage device (clear).

To ensure that the data cannot be recovered and to protect data beyond clear, special tools must be used. These tools overwrite the storage device with random data (purge). This form of securely erasing a storage device prior to disposal is a recommended practice for any storage device, even if it contained only Public information. A reusable storage device must be securely erased when it contains Internal, Confidential, or Restricted Use Information and any of the following statements are true:

  • It is being permanently taken out of service.
  • It is being temporarily taken out of service and will be out of the custody of the Data Custodian or Data Trustee for any length of time.
  • The disk will be classified and protected at a lower level than its current classification as defined by the Data Classification Guideline and Data Protection Requirements.
  • The disk is being returned to a vendor for replacement under a hardware warranty or contract-support agreement, provided that physical destruction is not required by the following section.
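The difference between deleting a file and overwriting a device, which the paragraphs above rely on, can be shown on an ordinary file. The script below is an added example, not BU's or NIST's tooling: it treats a plain image file as the storage device, shows that a simulated delete leaves the data findable by a raw search, then performs an overwrite-and-verify Clear. The image path and marker string are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not BU tooling: simulate an OS "delete" versus an
# overwrite-and-verify Clear on a plain file standing in for a device.
# The image path and the marker string below are constructed values.

IMG="${TMPDIR:-/tmp}/sanitize-demo.img"
MARKER="CONFIDENTIAL-RECORD-EXAMPLE"

# Count raw occurrences of a string in the image, bypassing any filesystem
# view, which is effectively what a data recovery utility does.
marker_hits() {
    grep -a -c "$1" "$2" 2>/dev/null || true
}

# Build a 1 MiB zero-filled "device" and plant the marker in the middle.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Simulate deletion: only a fake 64-byte directory entry is zeroed; the
# data blocks are untouched, so the marker is still present afterwards.
fake_delete() {
    dd if=/dev/zero of="$IMG" bs=1 count=64 conv=notrunc 2>/dev/null
}

# Clear: overwrite every block with random data, then verify the result.
# Returns 0 only if the marker can no longer be found anywhere.
clear_image() {
    size=$(wc -c < "$IMG")
    dd if=/dev/urandom of="$IMG" bs=1024 count=$((size / 1024)) conv=notrunc 2>/dev/null
    [ "$(marker_hits "$MARKER" "$IMG")" -eq 0 ]
}

demo() {
    make_image
    fake_delete
    echo "after delete, marker hits: $(marker_hits "$MARKER" "$IMG")"   # 1
    if clear_image; then
        echo "after clear, marker hits: $(marker_hits "$MARKER" "$IMG")"  # 0
    else
        echo "verification FAILED: marker still present"
    fi
    rm -f "$IMG"
}

demo
```

On real hardware the target would be the block device itself, and a Purge would additionally require the HPA/DCO removal described above; this file-based demo covers only the Clear step.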

Storage device manufacturers will often provide their own tools for purging data from their devices. Third-party tools are also available; for Intel and AMD hardware platforms we recommend a program called DBAN, which boots on any x86-based hardware and securely erases the disk:

http://www.dban.org/

In cases where you need to ensure the data can never be recovered, where the media must be rendered unusable, or where it must otherwise be properly disposed of, the media must be physically demolished (destroy).

The Guidelines offer Clear, Purge and Destroy as valid options for sanitization based on the confidentiality requirements of the data rather than the storage technology on which the data resides.