An important and often overlooked part of the information life
cycle involves proper destruction. When information is no longer
needed, or has reached the end of its retention period, you must
properly dispose of it. For many types of information, simply
deleting it is sufficient. However, you must securely dispose of
regulated private data.
When deleting regulated private data from your computer,
it’s important that you use a secure deletion
utility. These utilities complete delete the information from
your computer (simply hitting “empty trash” is not
enough) If you have any questions about how to obtain and use an
appropriate secure deletion utility for your computer, contact your
IT support or the Information Security Office.
When disposing of CDs, DVDs, paper and other media that contains
regulated private data, you must shred it before recycling it. For
small amounts of media, a standard cross cut office shredder is
recommended. For large amounts of media, we recommend contacting Shred-It.
When disposing of old equipment that was used to work with
regulated private data, you must either completely wipe the
equipment’s drives using DBAN (if the equipment is being
classified as surplus) or you must ask the recycler to destroy the
drives (if the equipment is being classified as scrap). Your IT
support should be consulted when disposing of old equipment.
Either securely erase the drive or, if not possible, ask your
local IT support to remove the drive. You can then surplus the
equipment and scrap the drive.
If you do not need certification of drive destruction,
University Facilities can have the drive destroyed as part of the
normal recycling (scrap) process. Be sure to specifically ask for
drive destruction. If you need certification of destruction, the UB
IT community recommends using Shred-It.
Many multi-function office printers now come with hard drives
that can store documents. This makes the printer more convenient to
use, but can also expose the university to considerable risk if the
drive is not securely disposed of– your scanned, printed and
faxed documents may still be recoverable. If possible, your printer
should be configured to securely delete documents from its internal
hard drive; consult your local IT support on how to turn this on.
When disposing of your multi-function printer, if you’re
unable to determine if all documents were securely deleted from it,
you must ask the vendor performing the disposal to certify in
writing (a receipt) that the drive has been destroyed.
Each of the following links contains documentation on how to
wipe the hard drive of a printing device by manufacturer. Some
manufacturers provide a feature whereby the printer will
continuously or periodically wipe its hard drive; you should enable
this feature when available.
Also, the EDUCAUSE & Internet2 Higher Education Information
Security Council (HEISC) has gathered resources on this topic and
developed a list of steps to take when trying to secure
a copier, printer, or other multi-function device.