Applicable To: 

Duke University

Version 2.0

Authority


Duke University Chief Information Officer

Duke University Chief Information Security Officer

Purpose

Media such as hard drives, solid state drives, USB flash drives, external drives, and other storage devices may contain Duke data categorized as sensitive, restricted, or public. The normal process of erasing a file does not remove the data from the storage device; it only marks the sectors as free so that new data may eventually overwrite them. Until that happens, the old data remains on the device as remnants, which poses a risk if an unauthorized individual or party acquires the device. Therefore, proper media sanitization of a device is necessary before disposal.

As stewards of Duke’s resources, we are expected to exercise sound judgment, using data prudently and ethically. Additionally, various federal and state laws impose data destruction obligations, including HIPAA, FERPA, FISMA, the NC Identity Theft Protection Act and PCI DSS. Grants and contracts may also impose requirements for the protection, preservation, and secure destruction of associated data. As a result, it is important that all data are reasonably and appropriately managed to maintain data confidentiality, integrity, and availability throughout the data lifecycle, including destruction and disposal.

Policy

DATA MAINTENANCE & DISPOSAL

Duke system administrators, data stewards, and data managers are responsible for data security operations on all devices they manage.

Any contractual or regulatory obligation that specifies a process for the destruction of data should be followed as the contract or regulation requires.

Duke Procurement requires that all decommissioned surplus property, including computers, that was purchased with Duke funds or is considered Duke property be processed through the surplus program.

For devices and data not bound by contract, regulation, or compliance obligations, prior to the device being sent to surplus, the data should be protected by the methods below. The following rules can also be applied to wiping non-Duke devices:

  1. If a drive is fully encrypted (BitLocker, FileVault, etc.) and has been removed from the original computer, properly implemented encryption is sufficiently secure, and no additional wiping is necessary.
  2. If the device will not power up, powers up but will not run a disk erasing tool, or is deemed to have zero resale value, the hard drive is removed and hand-carried for destruction to an approved electronics waste provider, where the destruction is witnessed by Duke staff.
  3. For other devices, one of the following methods should be used:
    • Follow the hard drive manufacturer’s recommendations for wiping their drives.
    • Encrypt the entire drive, then reset the TPM chip to destroy the encryption key.
    • Use a third-party disk-wiping tool such as the open-source ShredOS to wipe the drive if the methods above are not possible or effective. A single-pass wipe of 0s or 1s is sufficient.
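The following simulation is an added illustration, not part of this policy and not a Duke tool. It models a small block device with a file table and shows the three behaviours the sections above rely on: an ordinary delete leaves the record recoverable by a raw scan of the device; a single-pass constant overwrite removes it; and on an encrypted device, destroying the key (the TPM reset) leaves nothing readable even though the ciphertext is still on the media. The sector layout, the sample record and the SHA-256 counter-mode keystream are all constructed for the demonstration; real full-disk encryption such as BitLocker or FileVault uses AES-XTS, not this toy construction.

```python
"""Why 'deleting' leaves remnants, and what a single-pass overwrite and a
crypto-erase (destroying the key) each do to a raw device image.

Added illustrative example; not part of the Duke policy and not Duke tooling.
The block store, its file table and the sample record are all constructed."""
import hashlib
import os

SECTOR = 512
SECTORS = 64
# Constructed sample content standing in for a sensitive record.
SAMPLE_RECORD = b"CONSTRUCTED-SAMPLE: employee_id=000000 grade=REDACTED-EXAMPLE"


def keystream(key, sector, length):
    """Counter-mode keystream derived with SHA-256. Toy construction for
    illustration only; real full-disk encryption uses AES-XTS."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + sector.to_bytes(8, "big")
                              + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


class ToyDisk:
    """Raw sector array plus a minimal file table (name -> sector list).
    If a key is supplied, every sector is stored encrypted under it, modelling
    full-disk encryption whose key lives in a TPM."""

    def __init__(self, key=None):
        self.raw = bytearray(SECTOR * SECTORS)
        self.table = {}
        self.free = list(range(SECTORS))
        self.key = key
        self.encrypted = key is not None

    def _transform(self, sector, chunk):
        # XOR with the per-sector keystream; encrypt and decrypt are the same op.
        if self.key is None:
            return bytes(chunk)
        ks = keystream(self.key, sector, SECTOR)
        return bytes(a ^ b for a, b in zip(chunk, ks))

    def write_file(self, name, data):
        needed = (len(data) + SECTOR - 1) // SECTOR
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0")
            self.raw[s * SECTOR:(s + 1) * SECTOR] = self._transform(s, chunk)
        self.table[name] = sectors

    def read_file(self, name):
        """Read through the file table; impossible once an encrypted disk's key is gone."""
        if self.encrypted and self.key is None:
            raise PermissionError("encryption key destroyed; data unrecoverable")
        return b"".join(self._transform(s, self.raw[s * SECTOR:(s + 1) * SECTOR])
                        for s in self.table[name]).rstrip(b"\0")

    def delete_file(self, name):
        """What an ordinary 'erase' does: forget the table entry and mark the
        sectors free. Not one byte of the sector contents changes."""
        self.free.extend(self.table.pop(name))

    def has_remnant(self, needle):
        """Forensic-style scan of the raw device image, ignoring the file table."""
        return self.raw.find(needle) != -1

    def single_pass_wipe(self, fill=b"\0"):
        """One pass of a constant pattern over every sector of the device."""
        self.raw[:] = fill * (SECTOR * SECTORS)
        self.table.clear()
        self.free = list(range(SECTORS))

    def crypto_erase(self):
        """Model of resetting the TPM: the key is gone, the ciphertext stays."""
        self.key = None


def demonstrate():
    """Run the scenarios and report what a raw scan or a read finds after each step."""
    results = {}
    plain = ToyDisk()
    plain.write_file("record.txt", SAMPLE_RECORD)
    plain.delete_file("record.txt")
    results["remnant_after_delete"] = plain.has_remnant(b"employee_id")
    plain.single_pass_wipe()
    results["remnant_after_single_pass_wipe"] = plain.has_remnant(b"employee_id")

    enc = ToyDisk(key=os.urandom(32))
    enc.write_file("record.txt", SAMPLE_RECORD)
    results["readable_with_key"] = enc.read_file("record.txt") == SAMPLE_RECORD
    results["remnant_on_encrypted_device"] = enc.has_remnant(b"employee_id")
    enc.crypto_erase()
    try:
        enc.read_file("record.txt")
        results["readable_after_crypto_erase"] = True
    except PermissionError:
        results["readable_after_crypto_erase"] = False
    return results


if __name__ == "__main__":
    for step, outcome in demonstrate().items():
        print(f"{step}: {outcome}")
```

The simulation models a device whose every sector is reachable by the host, which is what makes a single constant-pattern pass conclusive. Flash media with wear levelling can hold earlier copies of a sector in blocks the operating system cannot address, which is why the list above puts the manufacturer's own sanitization procedure first and why encrypting the drive and then destroying the key is attractive: the key, not the sector contents, is what has to be unrecoverable.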

If a secure certificate of destruction is needed, the user should choose a tool or method that can generate such a certificate or report (such as ShredOS).


Related Links

NIST Guidelines for Media Sanitization

Guidelines for Information Media Sanitization (EDUCAUSE)

Duke Classification Standard

Duke Surplus and Storage Programs

Duke GAP 200.125, University, Medical Center and Government Surplus Property

Updated: 5/2025

Document Type: Policy