Data Sanitization

Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory / SSDs, mobile devices, CDs, and DVDs, etc.) or in hard copy form. It is important to use the proper technique to ensure that all data is purged. Our guidance below is derived from NIST SP 800-88 Rev. 1 (PDF): Guidelines for Media Sanitization.

Policy

The policies below define baseline controls for the sanitization and disposal of university data:

Device Transfer Within Stanford

Device Transfer Between Organizations

All Low, Moderate, High Risk Data stored on the device must be sanitized when a device is transferred between organizations. Please follow the Data Sanitization Guidelines below.

Device Disposal or Device Transfer Off-Campus

Device Disposal or Device Transfer Off-Campus

If a device is to be disposed of or transferred to a party outside of the University, the device owner or local property administrator must sanitize or remove and physically destroy all device storage regardless if the device is known to contain any High, Moderate, or Low Risk Data. Local property administrators should be prepared to either sanitize or destroy the disk themselves according to the Data Sanitization Guidelines below (and keep a record of the activity) or contact the Information Security Office for assistance.

Personally Owned Devices Leaving the University

Personally Owned Devices Leaving the University

All High, Moderate, or Low Risk Data stored on the device must be sanitized according to the Data Sanitization Guidelines below.

Data Sanitization Guidelines

Mobile Devices

iOS: Apple iPhone and iPad	Select 'Settings > General > Reset > Erase All Content and Settings' menu. “Erase all content and settings” option in Settings destroys all of the encryption keys in Effaceable Storage, thereby rendering all user data on the device cryptographically inaccessible. Important: Do not use the “Erase all content and settings” option until the device has been backed up, as there is no way to recover the erased data. Refer to Apple's iOS Security Guide for more detailed information.
Android OS	Perform a factory reset through the device's settings menu. For example, on Samsung Galaxy S5 running Android 4.4.2, select settings, then under User and Backup, select Backup and reset, then select Factory data reset. Refer to Google's Android documentation for more detailed information.
Windows Phone OSA7.1/8/8.x	In the App list, tap Settings () Tap About, and then tap Reset your phone. You'll receive two warnings. If you're absolutely sure you want to restore your phone to its factory settings, tap Yes, and then tap Yes again. It might take a little while for the process to complete. Please note that after the process is completed, all of your personal content will disappear.
Other devices	Manually delete all information, then perform a full manufacturer's reset to reset the mobile device to factory state. Refer to device manual for more detailed instructions.

Individual File*

* See Flash Memory section below for special requirements pertaining to solid state memory / SSD.

Mac OS X	On Mac OS X prior to version 10.11: Use Secure Empty Trash. On 10.11+: Secure Empty Trash has been deprecated due to the increased prevalence of SSDs on Macs (see below). There is no replacement equivalent functionality. Make sure your Mac is whole disk encrypted.
Windows	Use SDelete: https://technet.microsoft.com/en-us/sysinternals/bb897443.aspx
Linux	Use Shred: https://linux.die.net/man/1/shred

Flash Memory

Flash memory-based storage devices, or Solid State Drives (SSDs), have become prevalent due to falling costs, higher performance, and shock resistance. Because flash memory operates fundamentally differently from magnetic media, overwriting does not necessarily clear all of the data. For the proper sanitization of flash memory, invoking special data purge commands built into the SSD hardware is the best approach.

ATA Solid State Drives (SSDs) (including PATA, SATA, eSATA, and SCSI)	Ensure that TRIM is enabled on the drive and in the operating system, then delete all files and folders: Mac OS X: http://www.mactrast.com/2013/11/enable-trim-ssds-os-x-mavericks Windows: Open a command prompt and run the following command: “fsutil behavior query disabledeletenotify” “DisableDeleteNotify = 0” means that Windows TRIM commands are enabled. “DisableDeleteNotify = 1” means that Windows TRIM commands are disabled. To enable, run: "fsutil behavior set disabledeletenotify 0" For more information on TRIM, see http://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/ AND Overwrite the full drive with at least two write passes to include a pattern in the first pass and its complement in the second pass. Verify that the data was overwritten. Recommended product: BCWipe and/or Physically shred the drive such that the resulting particles have a maximum edge length of 2 mm and a maximum surface area of 4 mm².
USB Removable Media and Memory Cards	Overwrite the full drive/card with at least two write passes to include a pattern in the first pass and its complement in the second pass. Verify that the data was overwritten. Recommended product: BCWipe and/or Physically shred the drive such that the resulting particles have a maximum edge length of 2 mm and a maximum surface area of 4 mm².

Magnetic Media

Magnetic disks (including floppy disks, ATA and SCSI hard disk drives)	Overwrite the full drive with at least a single write pass using a fixed data value (such as all zeros). Multiple write passes and more complex values may optionally be used. Verify that the data was overwritten. Recommended product: BCWipe and/or Degauss with a National Security Agency (NSA) approved degausser. Note that degaussing magnetic disks renders them permanently unusable. and/or Physically shred the disk platters such that the resulting particles have a maximum edge length of 20 mm and a maximum surface area of 400 mm². and/or Incinerate the disk platters by burning in a licensed incinerator.

Optical Media

CD, DVD, Blu-ray Disc	Physically shred the optical media such that the resulting particles have a maximum edge length of 0.5 mm and a maximum surface area of 0.25 mm². and/or Incinerate the optical media (i.e., reduce to ash) using a licensed facility.

Hard Copy Storage

Paper	Shred paper documents using a cross cut shredder that produces particles no larger than 1 mm x 5 mm. or Pulverize/disintegrate paper documents using a disintegrator device equipped with a 2.4 mm (or smaller) security screen.

For guidance on other media not listed above, please refer to NIST SP 800-88 Rev. 1 ("Guidelines for Media Sanitization") and the manufacturer manuals for appropriate data sanitation techniques, commands, and tools.

Validate

The validation step in the data sanitization process involves testing the device/media to ensure the information cannot be read.

Document

During the data sanitization process, be sure to document the following information for your own records.

Manufacturer
Model
Serial Number
Property Number
Media Type
Media Source
Pre-sanitization confidentiality categorization
Sanitization description
Method used
Tool used
Verification
Method
Post-sanitization destination
Name of Person, Date, Location, Contact Information, Signature

On this page: