than choosing the right destruction equipment. What you do with old drives prior to destruction is just as important. Keep them in a secure location prior to destruction, or they could be long gone before you even know they are missing. And keep records. I strongly recommend instituting a comprehensive information-security program – written, mandatory procedures carried out by trusted, properly trained employees or a security service and supervised by management. Such procedures should include detailed recordkeeping and labeling that states, for example, the serial number of each drive, the computer from which it was removed, the date it was removed, destruction date and method(s) and a plan for in-house monitoring/verification.
Tools of the trade
This automatic hard-drive crusher has a conical punch to pierce drive casings and platters.
When is a hard drive sufficiently destroyed to prevent recovery of the confidential/proprietary/sensitive data it once held? Let’s take a look at some choices for the safe removal of data:
1. Overwriting the drive: Disk-wiping software is used to replace stored data with a pattern of meaningless characters. I felt obligated to mention this method, but I do so with reservations. There are many versions of such software on the market, so it is important that the chosen version be compatible with the drive to be overwritten. One overwriting pass is not enough, so this method must be carried out by a trusted individual who is patient and careful and understands the process.
2. Degaussing: There are two major methods of degaussing. The first method permanently erases data from a hard drive when it is passed through the magnetic fields of powerful rare-earth magnets. The second method uses a powerful electromechanical pulse that instantaneously generates a powerful magnetic field to permanently erase data from a drive in an enclosed chamber. The degaussing device must have a high enough coercivity rating (magnetic power) to overcome the drive’s magnetic field and completely erase its stored information. If it doesn’t, the whole process is a waste of time. Degaussing is more effective than overwriting, but here, too, training is essential.
3. Crushing: This method subjects drives to extreme pressure from a conical steel punch or similar device. Good for a low volume of drives, these relatively inexpensive units are available in manual and powered models. Although a deformed drive is inoperable, some information residing on its platter could still be intact, albeit much harder to retrieve.
4. Shredding: Hard-drive shredders rip drives to randomly sized strips. The process is much the same as in a paper shredder, but these machines are more robust and capable of destroying multiple types and sizes of drives. Some data could be retrieved from the shreds by a determined thief, but with great difficulty.
5. Disintegration: Mechanical incineration by a heavy-duty disintegrator (rotary knife mill) cuts items into smaller and smaller pieces until they are unrecognizable. For hard drives, this is typically done after shredding.
While all of these methods can be effective, I favor a two-stage approach that combines degaussing with crushing or shredding. For the ultimate, choose degaussing, followed by shredding, followed by disintegration.
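An added example, not part of the original article: a short Python check over a drive-destruction log holding the fields the article lists, flagging drives that sit undestroyed too long or that were not put through the two-stage degauss-plus-crush/shred process. The field names, the 30-day storage limit and the sample records are assumptions made for illustration.

```python
from datetime import date

SECOND_STAGE = {"crush", "shred"}   # physical step paired with degaussing
MAX_DAYS_STORED = 30                # assumed in-house limit, not from the article


def audit(records, today):
    """Return {serial: [findings]} for each record that fails a check."""
    findings, seen = {}, set()
    for rec in records:
        serial = rec.get("serial") or "<missing serial>"
        issues = [f"missing {k}" for k in ("serial", "computer", "removed")
                  if not rec.get(k)]
        if serial in seen:
            issues.append("duplicate serial")
        seen.add(serial)

        removed, destroyed = rec.get("removed"), rec.get("destroyed")
        methods = rec.get("methods") or []
        if destroyed is None:
            # Drive is still in storage: the window in which it can go missing.
            if removed and (today - removed).days > MAX_DAYS_STORED:
                issues.append(f"awaiting destruction {(today - removed).days} days")
        else:
            if removed and destroyed < removed:
                issues.append("destroyed before removal")
            physical = [m for m in methods if m in SECOND_STAGE]
            if "degauss" not in methods or not physical:
                issues.append("not two-stage: " + ("+".join(methods) or "no method"))
            elif methods.index("degauss") > methods.index(physical[0]):
                issues.append("degauss logged after physical destruction")
        if issues:
            findings.setdefault(serial, []).extend(issues)
    return findings


# Constructed sample log (serial numbers and computer names are made up).
LOG = [
    {"serial": "SN-0001", "computer": "ws-014", "removed": date(2011, 8, 1),
     "destroyed": date(2011, 8, 9), "methods": ["degauss", "shred"]},
    {"serial": "SN-0002", "computer": "ws-022", "removed": date(2011, 8, 3),
     "destroyed": date(2011, 8, 9), "methods": ["crush"]},
    {"serial": "SN-0003", "computer": "", "removed": date(2011, 7, 1),
     "destroyed": None, "methods": []},
]

if __name__ == "__main__":
    for serial, issues in audit(LOG, date(2011, 9, 1)).items():
        print(serial, "->", "; ".join(issues))
```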
A certificate of destruction does not free you from your legal responsibility. If a destruction contractor certifies that your confidential data was destroyed, yet the data resurfaces somehow, you are still liable for damages suffered by the injured parties.
The outsourcing option
Degaussers, shredders and disintegrators all come in different sizes and capacities. While some of these units are relatively inexpensive ($1,000 to $5,000), others could run as high as $50,000. For some businesses, the investment is worth the peace of mind that comes from knowing sensi-
HEALTH MANAGEMENT TECHNOLOGY October 2011 17