Stanford policy and guidelines outline the computer security precautions that must be taken to protect High Risk Data against unauthorized access. Care must also be taken when it comes time to dispose of computing equipment which has been used to store this non-public data.
Computing equipment disposal
When you need to dispose of excess computing equipment which has been used to store non-public data:
- Delete all files that contain non-public data
- Department Property Administrator (DPA) requests disposal through the usual processes
- Non-bar coded computers may be "bundled" up to 20 per request (separate desktops and laptops, please)
- Place the computer(s) in a secure location for collection [unattended docks or hallways are not appropriate collection locations]
- If the location is locked, please indicate that on the request, and include contact phone number
Surplus Property Sales, an auxiliary within the Property Management Office, will collect all computers via the existing excess equipment process and sanitize or remove the drive for you, free of charge. They will then process them appropriately for either resale or recycling following EPA and California DTSC approved methods.
This does not absolve departments from the responsibility of ensuring that "non-public" Stanford data is removed from the system. Non-public files should be deleted before requesting the computer be collected for disposal. This should also be done prior to transferring a computer from one user to another within Stanford. Please see the Information Security Office website for details: http://dataclass.stanford.edu
The safeguarding of non-public data is a high priority for Stanford, and the responsibility for ensuring this remains with the user of an individual system, including the deletion of files deemed to be non-public in nature. While Surplus Property Sales will take the necessary precautions to protect the collected computers and process hard drives according to requirements, it does not take responsibility for the failure of users to remove such data prior to collection.
Wipe disks clean
One of the easiest ways to make sure you've removed all critical data from a disk is to remove 100% of the files from a disk. Consider the use of DBAN: Darik's Boot and Nuke Disk Destruction Tool for this. It's just one click away.
Transfer or repurposing of computing equipment
If computing equipment has been used to store High Risk Data and needs to be transferred or repurposed, its disks can be sanitized and the computing equipment can be re-purposed. Data sanitization is the process of deliberately, permanently, irreversibly removing or destroying the data stored on a memory device. ISO recommends DBAN, a free program for disk sanitization. You can download and run DBAN yourself, contact ORA for a copy of it, or contact CRC to run it for you. If you would like to use another sanitization method, contact the ISO for further guidance.