I put together some guidelines for our IT groups at work. Here is the central part of what I wrote. Keep in mind we just do manufacturing and distribution and currently have minimal processes in place. So I wanted something to start with to get everyone heading the same direction. Of course if we ever need major efforts rather than just a process to cover occasional wiping we can just send our stuff over to Data Killers.
Recommended Sanitization Tools
1. Software Wiping Tools
Choose a wiping solution and develop a local process document.
- DBAN – Darik’s Boot and Nuke – Free Open Source
- PGP Free Space Wipe – Good for quick wipes of working storage devices
- MediaWiper – Handles many media types
2. Drive Carriers
Obtain USB drive carriers to house hard drives for wiping.
- Laptop 2.5” – IOGEAR 2.5″ Hi-Speed USB 2.0 ION Drive Enclosure II (CDW# 525931) Cost: $48.39
- IDE – StarTech.com 1 Drive 5.25 Inch External USB 2.0 IDE Case (CDW# 372432) Cost: $77.34
- SATA – Addonics SATA to IDE/ATAPI Converter (CDW# 659561) Cost: $30.75
Process of Sanitization
All storage media to be disposed of, given to a non-Company entity or returned to a vendor after use within the Company must be securely wiped. The number of overwrites is dependent on the user/function of the storage device.
- One Pass Overwrite Required: Any storage used for regular production department use, floor workstations etc.
- Three Pass Overwrite Required: Any storage that has handled employee personal, financial or medical information. HR, Payroll and Finance would be examples.
- Three Pass Overwrite Required: Any storage belonging to security, information technology or senior management.
- Three Pass Overwrite Required: Any storage contained within a digital copier/fax machine.
At minimum one PC station in each IT department should be designated as a wiping station.
If media is unreadable in full or in part, one attempt to format and wipe the media with the tools must be made. If the storage met the requirements for a three pass overwrite, the media must be physically destroyed, because an overwrite on media with a physical error may not be 100% complete.
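The pass-count rules and the unreadable-media rule above can be encoded in a small wiping-station helper. This is an added sketch, not part of the original guidelines and not how DBAN, PGP or MediaWiper work; the category keys, function names and random fill pattern are assumptions.

```python
import os

# Pass counts from the policy above; the category keys are assumed labels.
PASSES = {"production": 1, "personal_data": 3, "it_security_mgmt": 3, "copier_fax": 3}
CHUNK = 1024 * 1024  # write in 1 MiB blocks


def overwrite(path, passes):
    """Overwrite every byte of a file or block device `passes` times."""
    with open(path, "r+b", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)
        for _ in range(passes):
            dev.seek(0)
            remaining = size
            while remaining:
                # Random fill is an assumption; the policy names no pattern.
                written = dev.write(os.urandom(min(CHUNK, remaining)))
                if not written:
                    raise OSError("short write, overwrite incomplete")
                remaining -= written
            os.fsync(dev.fileno())  # force each pass out to the medium
    return size


def sanitize(path, category):
    """Make the single wipe attempt and return the resulting disposition."""
    passes = PASSES[category]
    try:
        size = overwrite(path, passes)
    except OSError as exc:
        # An I/O error means the overwrite may be incomplete. Three-pass
        # media must then be physically destroyed; the policy states no
        # further step for one-pass media.
        action = "physical_destruction" if passes == 3 else "wipe_incomplete"
        return {"disposition": action, "passes": passes, "error": str(exc)}
    return {"disposition": "sanitized", "passes": passes, "bytes": size}


if __name__ == "__main__":
    import sys
    print(sanitize(sys.argv[1], sys.argv[2]))  # e.g. <device path> personal_data
```

The returned record can be kept as the wiping station's log entry for the drive.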
Example: PGP Free Space Overwrite
A laptop used by HR is to be reassigned to another user.
1. Perform a factory reset of the laptop storage.
2. Load any desired software. These first two steps overwrite a large portion of the storage drive.
3. Remove the storage drive from the laptop.
4. Place the drive in a USB carrier.
5. Attach to a PC with PGP installed.
6. Perform a free space wipe of the drive.
7. Reinstall the sanitized drive in the laptop and re-issue.