Secure Deletion Guideline

UC Berkeley security policy mandates compliance with the Minimum Security Standard for Electronic Information for devices handling covered data. The recommendations below are provided as optional guidance to assist with achieving the Secure File Deletion requirement.

Requirement

Resource Custodians must ensure that any systems (laptops, workstations, and servers) and devices (smartphones, USB drives) storing covered data are securely overwritten or wiped using an approved secure file deletion utility upon decommission of the device, so that the information cannot be recovered. For those devices that cannot be overwritten (defective hard drives, CDs/DVDs), Resource Custodians must ensure the device is destroyed prior to disposal.

Description of Risk

Storage media are prone to physical theft and loss. Unauthorized parties can acquire unencrypted data stored on the device.

Recommendations

During its lifecycle, a covered device may need to be retired for various reasons such as upgrades, migration or project closing. To prevent covered data remnants on legacy covered devices from being accessed by unauthorized parties, follow the recommendations below to delete covered data before retiring the covered device.

Sanitization prior to device reuse:

  1. Delete data using secure software to overwrite data multiple times. Compliant delete options include the DoD 3-pass overwrite standard (DoD 5220.22-M) and Secure Erase.
  2. Where possible, sanitize the entire hard disk instead of just deleting data files and folders.
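
What "overwrite data multiple times" in step 1 means for a single file, as an added Python example (not one of the approved tools listed on this page, and not UC Berkeley code). It assumes the commonly cited three-pass pattern of zeros, ones, then random data, and a traditional magnetic disk where writes land on the same sectors; the function names are hypothetical.

```python
import hashlib
import os

# Assumed pass schedule: zeros, ones, then random bytes (None = random).
PASSES = (b"\x00", b"\xff", None)
CHUNK = 1 << 20  # write and read in 1 MiB blocks


def _digest(f, size):
    """SHA-256 of the first `size` bytes of an open file."""
    f.seek(0)
    h = hashlib.sha256()
    remaining = size
    while remaining:
        block = f.read(min(CHUNK, remaining))
        if not block:
            break
        h.update(block)
        remaining -= len(block)
    return h.hexdigest()


def overwrite_file(path, passes=PASSES):
    """Overwrite a file in place once per pass; return the bytes covered."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for number, pattern in enumerate(passes, 1):
            f.seek(0)
            written = hashlib.sha256()
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = os.urandom(n) if pattern is None else pattern * n
                f.write(block)
                written.update(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # ask the OS to commit this pass to the device
            # Read the pass back and compare it with what was written.
            if _digest(f, size) != written.hexdigest():
                raise OSError(f"pass {number} failed verification on {path}")
    return size


def secure_delete(path):
    """Overwrite the file with every pass, then unlink it."""
    size = overwrite_file(path)
    os.remove(path)
    return size
```

The overwrite only covers the file's current blocks: earlier copies, temporary files and backups are untouched, which is why step 2 prefers sanitizing the entire disk.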

Below is a list of recommended software tools for disk and file deletion. Use disk deletion tools when you need to erase the contents of an entire disk drive, such as when you are retiring a disk drive or the computer itself, or when you want to repurpose your computer by re-installing or upgrading its operating system. Use file deletion tools if you want to continue to use the computer as-is but want to delete specific files or folders containing covered data.

Disk Deletion Tool

Windows

Mac OS X

Linux

Description

Darik's Boot and Nuke (DBAN)

x

x

Free boot time software run from bootable CDs and USB drives

Secure Erase

x

x

Free boot time software run from bootable CDs and USB drives

Mac OS X Disk Utility

x

Built-in OS X tool that can be run from Apple recovery DVD disk to erase entire disks

File Deletion Tool

Windows

Mac OS X

Linux

Description

BCWipe

x

x

x

Commercial software

Eraser

x

Free Windows based file deletion tool

Identity Finder

x

x

Commercial software that's licensed by UC Berkeley

Mac OS X Secure Empty Trash*

x

Built-in OS X tool for securely deleting files and folders from Finder

SRM

x

x

Built-in command line tool for securely deleting files and folders

*Mac OS X 10.11 (El Capitan) removed the option for Secure Empty Trash. For 10.11 users, please follow these instructions as an alternative to secure deletion.

Solid State Hard Drives (SSD), Flash Drives and SD Cards

Secure deletion tools do not work on flash-based drives such as SSDs and SD cards. For users needing to erase files on flash-based drives, Full Disk Encryption can adequately mitigate the risk of data exposure. Please see the Electronic Frontier Foundation (EFF) page for further discussion on this topic.

Sanitization prior to device disposal:

  1. Physically remove the storage media (e.g. hard disks, CDs, USB keys, etc.) and shred them following the NIST Guideline for Media Sanitization (Appendix A).

Additional Resources