Hard Drive and Removable Media Destruction

Overview
Hard drives, devices and removable media should be disposed of in accordance with the organization's data classification and handling policy and its asset management policy and standards. Hard drives and removable media can contain sensitive information that must be destroyed when the asset is no longer needed.

Guidelines
Many organizations have many different types of "media" that may contain sensitive information, including magnetic disks, optical disks, magnetic tapes, memory, firmware, removable media, and network appliances. When such devices come to the end of their life, the data must be destroyed so that it cannot be reused as originally intended.

Hard drive and media destruction guidance includes, but is not limited to:
  • Assets should be disposed of only by approved organizations or third parties
  • A full hard disk eradication should be performed on hard drives prior to asset disposal, donation, sale, warranty or lease return.
  • Disk eradication should include a secure erase process that includes, at minimum, a single-pass overwrite with any arbitrary value (note: the DOD 5220.22-M standard 3- or 7-pass wipe methodology may also be employed if additional assurance is required)
  • Disks or media that cannot be securely erased, or that will not be reused, should be physically destroyed (e.g. shredded, degaussed, incinerated, etc.)
  • All internal/reusable memory and network devices should be cleared to effectively deny access to previously stored information
  • A certificate of destruction and/or eradication should be obtained from approved third parties that perform full hard drive destruction

See NIST Standard 800-88 for more details.

 
News Articles
NHS fights record £325k ICO fine after clap records appear on eBay (www.theregister.co.uk, 6/6/2012)
Air traffic control data found on eBayed network gear (www.theregister.co.uk, 9/30/2011)
White Papers
NJ assembly passes bill requiring information stored on copy machines, scanner be deleted (www.courierpostonline.com, 6/1/2001)