Computer Equipment Transfer and Disposal Guidelines
Information Security Office - December, 2009
On this page:
Stanford policy and guidelines outline the computer security precautions which must be taken to protect Prohibited and Restricted information against unauthorized access. Care must also be taken when it comes time to dispose of computing equipment which has been used to store this non-public data.
Computing Equipment Disposal
When you need to dispose of excess computing equipment which has been used to store
- Delete all files that contain non-public data
- Department Property Administrator (DPA) requests disposal through the usual processes
- Non-bar coded computers may be "bundled" up to 20 per request (separate desktops and laptops, please)
- Place the computer(s) in a secure location for collection [unattended docks or hallways are not appropriate collection locations]
- If the location is locked, please indicate that on the request, and include contact phone number
This does not absolve departments from the responsibility of ensuring that "non-public" Stanford data is removed from the system. Non-public files should be deleted before requesting the computer be collected for disposal. This should also be done prior to transferring a computer from one user to another within Stanford. Please see the Information Security Office web
site for details:
The safeguarding of non-public data is a high priority for Stanford, and the responsibility for ensuring this remains with the user of an individual system, including the deletion of files deemed to be non-public in nature. While Surplus Property Sales will take the necessary precautions to protect the collected computers and process hard drives according to requirements, it does not take responsibility for the failure of users to remove such data prior to collection.
Wiping Disks Clean
One of the easiest ways to make sure you've removed all critical data from a disk is to remove 100% of the files from a disk. Consider the use of DBAN: Darik's Boot and Nuke Disk Destruction Tool for this. It's just one click away.
Transfer or Repurposing of Computing Equipment
If computing equipment has been used to store Prohibited or Restricted information and needs to be transferred or repurposed, its disks can be sanitized and the computing equipment can be re-purposed. Data sanitization is the process of deliberately, permanently, irreversibly removing or destroying the data stored on a memory device. ISO recommends DBAN, a free program for disk sanitization. You can download and run DBAN yourself, contact ORA for a copy of it, or contact CRC to run it for you. If you would like to use another sanitization method, contact the ISO for further guidance.