Florida State University
 

Data Cleansing for Surplus or Resale:
Protecting Confidential Information and Preventing Identity Theft

Procedures for Cleaning of Electronic Media with Confidential/Sensitive Information Prior to Transfer/Disposal

OVERVIEW
Florida State University generates, receives, and stores documents and records of a confidential/sensitive nature on electronic devices. Additionally, network devices such as firewalls, routers, and switches are configured with settings which should be protected to preserve the security and availability of network communications. Memory devices include, but are not limited to, internal and external hard/flash drives, USB data keys, flash memory in network communications devices, recordable CDs and DVDs, floppy disks, and data tapes.
It is incumbent upon all University personnel responsible for surplus, warranty work, or disposal of this media to ensure confidential/sensitive information is wiped/destroyed prior to transfer or disposal. Failure to follow the suggested methods of sanitizing these devices increases the potential danger that individuals' confidential information can be obtained and misused for illicit purposes such as identity theft, fraud, and wrongful access to network and firewall configurations. Therefore, for the protection of all members of the University community (faculty, staff, students, donors, etc.) and for the protection of the University as an institution of higher education, offices, divisions, colleges, schools, departments, centers, and institutes should enact procedures to ensure confidential/sensitive information is rendered unreadable prior to transfer or disposal.

DEFINITIONS of CONFIDENTIAL/SENSITIVE INFORMATION
Documents and records containing any or all of the following information:

  • Anything containing a social security number.
  • Anything containing a name and date of birth.
  • Anything containing a credit card number or FSUCard number.
  • Academic information regarding students identified by name and/or social security number. This includes, but is not limited to: graded exams, term papers, transcripts, class rosters, and student/team projects.
  • Other information regarding students, including, but not limited to: records of disciplinary proceedings, housing records, membership in student organizations if social security numbers are used.
  • Faculty, A&P, USPS, and OPS personnel records.
  • Medical records.
  • Any other information considered confidential in accordance with the provisions of the Federal Educational Right to Privacy Act (Buckley Amendment), 20 USC, Section 1232, and above-referenced Florida Statutes and Florida Administrative Code.
  • Network firewall rulesets.
  • Network device security and configuration tables.

SUGGESTED DATA CLEANSING PROCEDURES
The IT Security Team recommends four methods of wiping data storage devices prior to releasing University data processing equipment for surplus or warranty work:

  • Flash the memory in firewalls, routers, wireless access points, switches, etc. to the default configurations.
  • Use a magnetic degausser meeting Department of Defense degaussing requirements.
  • Physical destruction is the best method to process disk drives, tapes, CDs, and DVDs containing confidential/sensitive information. For example, hard drives can be made unusable by disintegrating, drilling, pulverizing, or melting. Media destruction may be the only option for damaged disk drives still under warranty that cannot be wiped using a software application. You may be able to negotiate a method to destroy the media and provide your vendor with a similar drive that has been wiped for warranty exchanges. However, damaged drives that cannot be wiped of confidential/sensitive information should not be returned to the vendor, regardless of any exchange plans.
  • Overwriting the hard drive's data so that it cannot be recovered will be the most common method you use to clean media. This process cleanses the hard drive by overwriting its data with other data so the original data cannot be recovered. Department of Defense standards recommend this process of overwriting data be done multiple times. *Software applications to accomplish this task include:
    • Active@Killdisk Hard Drive Eraser
      Platforms: DOS, Windows 95/98, Windows NT/2000/XP, Linux, Unix for PC (free and licensed versions available at http://www.killdisk.com/eraser.htm)
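
The multi-pass overwrite described above, shown as an added example (not FSU's procedure and not code from any listed product): each pass rewrites every byte of the target and is flushed before the next begins, then a scan confirms that a known record is no longer readable. The zero/one/random pass patterns, the function names, and the temporary image file standing in for a drive are assumptions of this example.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB I/O block


def overwrite_passes(path, patterns=(0x00, 0xFF, None)):
    """Overwrite every byte of `path` once per pattern (None = random data)."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # total bytes to cover on each pass
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern is None else bytes([pattern]) * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # commit this pass before the next one starts
    return size


def contains(path, needle):
    """Scan the target for `needle`, keeping overlap across block boundaries."""
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if needle in tail + chunk:
                return True
            tail = chunk[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False


def demo():
    """Wipe a constructed image holding a fake record; report before/after."""
    marker = b"SSN=000-00-0000"  # constructed sample value, not real data
    with tempfile.NamedTemporaryFile(delete=False) as img:
        # Place the record across a block boundary to exercise the scan overlap.
        img.write(b"\x11" * (CHUNK - 5) + marker + b"\x22" * (2 * CHUNK))
        path = img.name
    try:
        before = contains(path, marker)
        size = overwrite_passes(path)
        return before, contains(path, marker), size
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```
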

POLICY REFERENCES

OP-F-6   DESTRUCTION/SHREDDING OF CONFIDENTIAL DOCUMENTS AND RECORDS

OP-F-7   POLICY ON SAFEGUARDING OF CONFIDENTIAL FINANCIAL AND PERSONAL INFORMATION

OP-H-9   INFORMATION TECHNOLOGY SECURITY

OTHER REFERENCES

DoD 5220.22-M, "National Industrial Security Program Operating Manual"

NIST Guidelines for Media Sanitization

 

*FSU/OTI/UCS does not endorse or support any product listed on this website. They are not responsible for data lost by using one of these programs. Install at your own risk.