Educause Security Discussion mailing list archives

Re: hard drive destruction


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Thu, 10 Aug 2006 12:25:31 -0600

Sensitive info by definition has more value than any hard drive.  At
worst a killdisk wipe or heavy degaussing will occur to all drives
managed through our property services.  The unfortunate truth is that
there is little control over this throughout the populace, and I'm sure
sensitive data goes out.  We're working that end.
 
The actual costs in fines alone of another sensitive data breach here
could reach $1M and climb to >$10M depending, and I don't think that
justifies returning the drive.  We are finding and encouraging the
purchasing of computers from DELL or Gateway with the option to not
return the drive.  An extra $15 up front, but it keeps the warranty
safe.
 
Best regards,
 
Jim
 
*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 
 

________________________________

From: Michael Fox [mailto:Mfox () GEORGIASOUTHERN EDU] 
Sent: Thursday, August 10, 2006 8:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] hard drive destruction


I am working on policy and procedures for hard drive wipe/destruction. I
have most of what I need for my procedures but I have hit one sticking
point. I would like to get some input as to how others have handled this
issue. 
 
The issue: if a hard drive that is under warranty fails, most technicians
will contact the vendor, get a replacement drive and send the "bad"
drive back to the vendor. If there is sensitive information on that
drive (worst case scenario always) the vendor now has access to that
data and/or worse yet they repair the drive and sell it to someone else.
 
What do you folks do with this kind of scenario?
 
Any information will be a great help.
 
Thanks in advance,
Mike
 
 
Mike Fox
Georgia Southern University
Information Technology Services
Office of Information Security
mfox () georgiasouthern edu
(912)871-1592

Jeremiah 29:11-16
 
NOTE: This email message is intended only for the named recipient(s) above
and may contain information that is privileged, confidential, and or exempt
from disclosure under applicable law. If you have received this message in
error, or are not the named recipient(s), please immediately contact the
sender and delete this email message.
