My IT Director is asking me if their is any regulatory standard or industry standard for erasing data from old computer hard drives. It has been suggested we use a nail or drill a hole in the drive. But my co-worker would rather use software to erase/overwrite even if it takes multiple times. Does anyone have suggestions or simply what are you doing at your bank to ensure the customer information on old machines are properly disposed of?

Page 63 of the FFIEC InfoSec Handbook "Disposal".

www.killdisk.com as an example of overwrite software that i have used.

Thank you Anon #2!!!

We started to remove them and had a "hammer" party in the parking lot about once every six months. It was great fun and we use to pay a couple of bucks for a swing with the sledge and donated it to charity. A lot more fun than running a computer program.

Debians "boot-n-nuke" is a free linux utility that does a fab job in destroying data. 7 passes, exceeding military protocol for data destruction. Good stuff.

Sounds like nails, drills, and hammers ought to do it! Also, check out the new FACT Act disposal of consumer information rule on the FTC's website at <www.ftc.gov> (eff. 6/1/05) and the one issued by banking agencies (eff. 7/1/05).

go to harddrivedisposal.com you can have it destroyed for less than $20.00 Plus your shipping cost

Considering that you'd need to do vendor due diligence and perhaps look for some type of bond or guaranty, in most cases I think it would be more cost effective to drill or hammer it. While that pile of bits is impressive, it is overkill to make a disk not readable.

besides if someone REALLY wants to read the HD, there's a way. CIA uses electron microscopes, even a hammer and nail cannot hide the info. Makes it tough, but not impossible.

Quote:

---

CIA uses electron microscopes

---

Are you implying they can see the "0"s and "1"s with a microscope, or do you think that the writing on the disk is really small?

I used to be paranoid, but then I found out they really are after me. I even take the hard drives out of personal PCs I throw into the trash at home.

A poor way to recycle, throwing them in the trash. There are many hazardous materials in these which do not belong in landfills. I'd encourage you to wipe the data and or drill and smash the hard drive, then send it off to a qualifying recycle program.

Our facilities dept bought a $200 drill press for this. We forward our drives to them. They put a few 3/4 inch holes through the platters then toss them in a box. Once the box is filled they are picked up by a local electronics recycling shop.

We have bought a piece of hardware that degausses them and then smash it with a hammer.

To advertise, contact tobi@bankersonline.com

The standard most frequently used by information security experts in the US is DoD 5220.22-M National Industrial Security Program Operating Manual (NISPOM) January 1995 (http://www.usaid.gov/policy/ads/500/d522022m.pdf).

Page 58 lists acceptable methods of disposing of all types of electronic and magnetic media that may contain confidential information.

For hard drives, acceptable methods include:

a. Degauss with a Type I degausser
b. Degauss with a Type II degausser.
c. Overwrite all addressable locations with a single character.
d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.
e. Overwrite all addressable locations with a character, its complement, then a random character.
m. Destroy - Disintegrate, incinerate, pulverize, shred, or melt.

Simply drilling or punching holes in the hard drive or pounding on the hard drive with a hammer leaves a great deal of data still on the platters that can be read with the proper equipment. Shredding or melting the drive is the method thought to be the safest. If planning on sending the drive to be shredded, it should first be wiped using at least method d. above or degaussed.

An excellent tool for wiping the hard drive is ‘Darik’s Boot and Nuke’, an open source program that may be downloaded and used for free from the SourceForge project page (http://dban.sourceforge.net/).

While not bank hard drives, I recently disposed of some old PCs from the house. I removed the drives and too a sledgehammer to them. Reading much off them would have been VERY difficult as we didn't stop when the cases were open or the platters had the concrete driveway impression on them. While a good stress release, it would not be advisable for a lot of devices. It certainly narrows who would ever be able to get any info off them though.

While this is probably outdated to help: I dismantle the Hd and salvage the magnets, then destroy the platters either by drill press and physically warping, bench grinder, or all the above.
Great stress relief, time consuming, but the kids cant rip the magnets off the 'fridge at least.
Worked with a Degauser once, tested it on floppies. If you tried more then two at a time, the top of the stack was still readable.

I've never looked for magnets in there. They're strong?

Very. But I have found it varies per Mfg if you can believe that. I use them in the shop. Great stud finders also.