News
Dispose of IT Equipment Without Sharing Secrets
The threat of data loss, coupled with increasingly stringent environmental regulations, has IT pros rethinking their disposal methods for computer gear.
By Shawna McAlearney
"We sanitize the drives and when we have 10 or more units, we send them to Dell for disposal," Kritcher explained. "We receive reports of the items recycled, which can then be reconciled to our records for an airtight audit."
Kritcher’s staff uses DataEraser from Ontrack Data Recovery for overwriting disks. It’s one of a handful of products—including Stellar Wipe Data Eraser Utility, KillDisk, Shred-it and the freeware application Eraser—that wipe information from hard drives by degaussing (neutralizing the magnetic field) and using patterns to eliminate data files in different directories.
At White Electronic Design, IT staff boot DataEraser from a CD or floppy. Once executed, the program performs a degaussing process by flipping each magnetic domain on the disk back and forth "as much as possible without writing the same pattern twice in a row," Kritcher said. A minimum of three passes is required to "overwrite all addressable locations with a character, its complement and then a random character." He said the process can take from one to three hours, depending on the speed of the computing device.
For some devices, physical destruction is warranted. It’s generally done "with a large hammer, rendering the device unusable and bending the platters," Kritcher said. If a hard drive that once contained sensitive data has failed and is inaccessible, he will bring it to a local vendor who will "pulverize or shred the hard drive."
Do-it-yourself destruction
While some companies work with vendors to secure and dispose of old gear, others wipe data internally and resell the equipment to staff or donate it to charitable organizations.
Bruce Bonsall, CISO of MassMutual Financial Group in Springfield, Mass., said when his organization turns over PCs—a few thousand at a time—each is thoroughly scraped and tested to ensure it is clean. The IT team uses various devices to remove the data, and a computer forensics expert on staff tests PCs following the cleaning process to ensure the data is gone.
"The data must be removed before the PCs can be scrapped, donated to schools and other nonprofit organizations. Allowing the confidential information of our employees, distributors and customers to fall into the hands of people who don’t have a need or right to see it would be irresponsible," Bonsall said.
For Ross McKenzie, IS director for the Bloomberg School of Public Health at Johns Hopkins University in Baltimore, the process of removing data and recycling equipment for use among employees provides both network security and job satisfaction.
$firstKeyword
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
