Sensitive data is confidential, private, personal data on any digital media. Experience has shown that many if not most PC’s to be transferred out of production, still contain data which is considered sensitive related to University business. This includes passwords, employee/student private and/or personal data, financial, health, banking information, personnel documents, proposals, contractual records, etc. Thus when a University Microcomputer sent to University Salvage and Surplus, or transferred between departments, sent for repair, or otherwise disposed of, such sensitive data on any related media should be permanently and securely overwritten or destroyed.

Recommendations for Microcomputers

Since manual removal of individual occurrences of sensitive data has been shown to be unreliably incomplete, this author recommends using a professional disk sanitation algorithm ( http://www.versiontracker.com/php/feedback/article.php?story=20035301448520630144) or wiping tool software that supports DoD 5220.22-M disk overwriting Standard (http://www.usaid.gov/policy/ads/500/d522022m.doc) to completely overwrite fixed disk(s) of PC’s that are being transferred out of production: sold/traded between departments, or sent to University Salvage and Surplus or sent out for repair.

Methods (detailed algorithms) to completely securely overwrite fixed disks are well documented. For example, see: http://wipe.sourceforge.net/secure_del.html.

An excellent overview and list of software is given at IEEE Secure Disk Wiping: http://www.computer.org/security/v1n1/garfinkel3.htm

Hard Disk Data Erasure Product Functionality Test results: http://www.veritest.com/clients/reports/redemtech/redemtech.pdf

If a fixed drive or other media device cannot be sanitized or wiped, or economically repaired, it should be physically destroyed. This must not be done by individuals as there can be serious physical danger involved. DO NOT ATTEMPT TO DESTROY MEDIA YOURSELF; rather at this point contact Penn State Maintenance and Operations for this task.
PC's that contain sensitive/personal/private University data when sent for repair should either have their fixed disk(s) removed, or a spare generic-OS fixed disk temporarily installed. On-site supervised repair may be another option.
Also, before overwriting a fixed disk, remember to move or back up (e.g., to CD-R/RW) any valuable data. Also record PC's serial numbers, date, and sanitation method before they are sold or transferred. You may wish to encrypt such backed up data with PGP; see "Where to Get PGP" section of http://ftp.aset.psu.edu/pub/ger/documents/pgpmail.html or use other strong encryption: http://www.pcguardiantechnologies.com/ or physically secure the backed up data.
After sanitizing (wiping) a PC's fixed disk(s), you should remove any BIOS passwords (e.g., power up, BIOS administrative passwords). This makes the system accessible and usable when the unit is again sold or put into use. Likewise installing a generic licensed operating system (that came on the PC in question) will enhance its salability.

Other Media and Devices

Finally, in addition to overwriting PC fixed disks, floppy and zip disks, CD's, there are other media that pose privacy/security risks. For example, network devices, like routers, PDA's (hand held Personal Digital Assistants) can have departmental information stored as personal data or configuration information. Prior to transfer or disposal this data or configuration information should be cleared manually and by someone who understands the device(s) in question.

Some Available Software

Evidence/Local Activity Eliminator (Windows) and for the Macintosh, MacWasher.

The following software completely destroys (overwrites; wipes) ALL data on fixed disk(s), including the operating system. Actual MS Windows and Linux software that support secure (DoD 5220.22-M disk overwriting Standard) complete wiping of fixed disks may be found at:

Commercial disk wiping software for PC's may be found at:

SuperScrubber: rewrites a Macintosh hard drive.
East-Tech DiskSanitizer (Windows or Linux fixed disks)
KillDisk
Paragon Disk Wiper
Micro 2000 Eraserdisk
Wipedisk by Allegro, Inc

Solutions for Macintoshes:

For MAC OS 10, boot from the MAC OS 10 Install CD that came with the system; Choose the ipeInfo Utility to wipe the fixed drive. This may or may not conform to the DoD Standard.

OSX FAQ ShredITX
Norton Antivirus Pro includes the WIPEINFO utility, which can be activated by booting from the NAV PRO CD.
WIPEINFO includes the DoD Standard for disk wiping. This will work for PC's and MAC OS9.

Free PC disk wiping software may be found at:

(Any fixed BIOS/firmware hard disk - DoD=yes, Open Source=yes) Darik's Boot and Nuke: http://dban.sourceforge.net/
(Any IDE hard disk- DoD=yes, Open Source=GNU) University of Washington Autoclave: http://staff.washington.edu/jdlarios/autoclave/

Making/copying a PC hard disk image: Power Quest/Symantec's Drive Image or Drive Copy: http://www.powerquest.com/v2i/builder/

Summary

Departmental computer professionals, (ultimately Administrative Department heads), have the responsibility to secure departmental, college, and University sensitive data. This responsibility includes following University Policies on Disk Sanitation and data archival, as well as touching base with related department people, and then clearing or overwriting all sensitive data on PC fixed disks and other devices before the they are traded/sold/salvaged/repaired.

Acknowledgment

Thanks to Pete Weiss and Todd Litzinger (who heads up the on-going Penn State Committee on this topic), Penn State Administrative Information Services for helping to review and improve this document. Thanks to Bill Verity and Jonathan Siegle, Penn State Information Technology Servicees, for Solutions for Macintoshes.

Source: Academic Services and Emerging Technologies (ASET)

Home

Tech Support Policy

EnEspañol