Data Security Tips for CIOs: Wiping the Hard Drive

Security issues are on the minds of all CIOs these days. Whether the CIO of a 1,300-student liberal-arts college or that of a 13,000-employee Fortune 100 company, never before has the issue of data security been more important. Besides a record-breaking year of data breaches, legislation such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA mandates new security protocols that must be followed or violators face severe penalties.

At Catawba College, network, computer and information security concerns have been a major focus of our information technology work for the past several years, as evidenced by our campus-wide 802.1x network authentication and our CatNet Connect process to clean and secure student computers before allowing them to connect to the residence hall network.

As we faced the prospect of a hardware refresh for about 500 personal computers on campus, it was only natural for us to be concerned about how to dispose of the outgoing equipment in a secure and environmentally friendly way. For the environment’s sake—and to benefit the community—we decided to donate our used equipment to a local organization that trains middle school and high school students to refurbish computers, which are then donated to needy families. From an information security perspective, it was essential that we ensure all confidential data was completely eliminated from the hard drives in a manner that would preserve the drives. (also read Is Your Hard Drive Data Really Gone?)

As we investigated ways to completely remove the data from hard drives in a nondestructive manner, we immediately eliminated two options—degaussing and mechanical destruction—because both failed to meet our reusability criteria. The magnetism of degaussers destroys the read/write head, rendering the hard drive inoperable. And mechanical destruction is very harmful to the environment because it requires drives to be ground into tiny pieces, releasing a variety of toxic chemicals.

Although they passed the reusability test, the software overwrite methods we had traditionally been using to clear hard drives fell short in some key areas. First, these methods are labor-intensive and very time-consuming. A typical 120GB hard-drive triple-overwrite process can take four hours or longer to complete and the process must be physically monitored for security purposes. Second, these methods lacked the level of automated logging that we required. For information security and auditing purposes, it was imperative that the hard-drive sanitization procedure be completely documented, without exception, and without the possibility for error.

Ultimately, we chose the Digital Shredder, from Ensconce Data Technology. The Digital Shredder is about the size of an average suitcase, has a familiar touch-screen interface and accommodates up to three hard drives. It sanitizes drives by activating the Secure Erase technology built into the hard drives by the manufacturer.

Secure Erase is a very fast method of nondestructive drive sanitization. It is defined by NIST SP 800-88 as “purge” technology and is recommended as the best nondestructive method available for sanitizing hard-drive data. Security measures include three independently locking hard-drive bays, as well as detailed audit logs. And printed certification labels are produced automatically upon a successful sanitization, which provides an easy way to inventory and track our drives. And the Digital Shredder’s reformatting and image capability allows our IT staff to quickly and easily apply the standard software install to machines when receiving new hard drives or redeploying hard drives throughout the network.

Although our major technology refresh is now behind us, the many lessons we learned during the process have paid numerous dividends, including piece of mind for data security and the satisfaction of doing our part in helping others, as well as protecting the environment.

Joanna Jasper, CIO, directs the information technology programs at Catawba College in North Carolina. Previously, Jasper was an assistant director of business computing at Wake Forest University and a senior software engineer for a higher-education enterprise resource planning software vendor.