The procedures detailed on this page are intended to prevent the inadvertent release of confidential, protected, or personally-identifiable information contained on electronic storage devices when physical possession or stewardship is changed.
These procedures establish campus standards for the transfer, re-tasking, surveying, or re-assignment of electronic storage devices (such as CDs, DVDs, Flash Drives, and Hard Disk Drives) or devices that have the ability to store data (such as computers and Multi-Function devices). The procedures cover all equipment owned or managed by University, University Auxiliary, and University Foundation organizations that contains information and specifically the transfer of computers or devices that have the ability to store data in the following situations:
- between users in the same department
- between users in other departments
- to the campus e-waste recycling (property)
- returns for maintenance
These procedures do not cover media or devices that are unable to store campus data, such as read-only software, video, or movie media.
Why Do We Need to Do This?
California Civil Code 1798.81 requires that “A business shall take all reasonable steps to destroy, or arrange for the destruction of, a customer's records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.”
Simply deleting a file does not erase the information contained in that file; it just makes the space occupied by that information available to the device to store other data. So, until it is overwritten by information from another file, that deleted data can be recovered using easily-available tools. The military standard for secure data destruction (DoD 5330.22-M NISPOM) recommends three separate overwrite passes to render data inaccessible, which can take up to 24 hours for an 80 GB drive. A list of overwriting programs that meet HSU standards for wiping of media can be found at the foot of this page.
In order to avoid inadvertent release of confidential or protected data during the use or transfer of any device that can be used to store or contain data, the following practices must be followed:
- If a computer is being reassigned from one University employee to another within the same administrative unit, a reformat of the hard drive is acceptable.
- If a computer is being reassigned from one University employee to another within the same administrative unit and with the same role, a reformat may not be necessary under the following circumstances:
- Computers that meet campus security standards for Level 1 data.
- Computers that do not meet campus security standards, but meet the following criteria:
- A personal identity information scan of all storage must be performed using Administrative Access.
- The original user’s profile must be securely erased.
- Any documents stored outside of the user profile area must be moved to a user profile.
- If a computer is being reassigned from one University employee to another University employee in a
different administrative unit, or to a computer laboratory, all storage must be wiped in accordance with
- If a working computer (or multi-function printer with internal storage) is being conveyed to the University Property Office for disposal off-campus, the storage device (hard drive) must be removed or wiped.
- Computers that are wiped prior to e-waste disposal should be clearly marked to indicate when they were wiped and by whom.
- The HSU property form must indicate whether the storage device was removed or wiped.
- Hard drives are not to be repurposed in different University computers unless the contents of the hard drive is formatted or wiped in accordance with campus standards (depending on the circumstances of the transfer).
- If a computer is being returned for maintenance service or warranty exchange, or trade in to a vendor, the drive must be removed or wiped in accordance with campus standards (e.g., even an operating system cannot be left on the drive). Note that most computer manufacturers' warranty agreements make the buyer responsible for removing all sensitive data from a computer before returning it for service. They do not take any responsibility for protecting that data.
- Failed hard drives containing data may not be returned to a vendor for maintenance service or warranty
exchange (wiping suffices for a hard drive to be deemed as not containing data). Most vendors at the time of sale, and for a price, allow the buyer the option to keep and destroy a failed hard drive instead of having to return it in order to get a replacement drive.
- Computers or other devices that contain storage media may be returned for service or warranty if a valid statement of confidentiality is on file with HSU contracts and procurement for the vendor.
- Maintenance and warranty with encryption: In cases where HSU-supported encryption is enabled, such drives may be returned for maintenance/warranty service.
- Hard drives, SSDs or other storage media, including floppy disks, DVDs, CDs, USB drives, and tapes that contain personally identifiable or confidential information, must be disposed of through the campus secure media destruction service, provided through the on-campus recycling program.
- Items or containers must be labeled “Confidential” and stored in a secure location prior to delivery to the campus e-waste secure media destruction service.
- The HSU Property Survey form for transfer of computers and equipment with electronic media must be used.
- Campus e-waste recycling may be contacted to arrange for pickup and storage of media that is not
tagged as state property. The proper form for e-waste recycling should be used to request this service.
- Shredding: Under State Civil Code 1798.80-82, paper documents containing personally identifiable or
confidential information can be shredded. Using standard office shredders is acceptable for documents
other than those that contain credit card numbers.
- Payment Card Industry Standards require that any document which contains credit card numbers utilize
cross cut shredding method.
- Apple Computer's built-in disk utilities provide options to zero out data (one-pass overwrite) as well as seven-pass and 35-pass overwrite options. Secure Hard Disk Eraser provides three-pass and 35-pass overwrite options for Intel-based and compatible computers.
- DBAN (Derik's Boot and Nuke), available free from http://dban.sourceforge.net, supports an unlimited number of passes, and has a specific military-grade option. Download instructions for using DBAN.
- A firmware-based purge option is included in most ATA disks manufactured after 2001 – see http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf for more information.
- HDDErase is a program developed by UCSD’s Center for Magnetic Recording Research that allows users to run the Secure Erase firmware from a CD or USB drive – see http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml for more information. Note that not all motherboards support HDDErase.
- Solid State Drive (SSDs): Current accepted methods of sanitizing HDD’s, such as multiple pass wipe and degaussing, are not effective for securely removing data from SSD’s. This is because of the data writing techniques employed by SSDs known as wear-leveling.
An effective way to make sure that data is unrecoverable from an SSD is to utilize encryption. Using full disk encryption has a two-fold effect: secure the contents of the drive and when it comes time to retire the drive the encryption key can be deleted leaving the data inaccessible.
AES-128 bit encryption software such as BitLocker or FileVault 2 can be used. (TrueCrypt is not an acceptable encryption tool for SSDs.)