This is an amalgamated reply to multiple posts.

  I'm speaking mainly to DoD/DSS/NISP standards here, since that's
what I'm familiar with.  Such won't necessarily translate to PCI
requirements, although private industry often follows DoD's lead here.

On Mon, Dec 29, 2008 at 9:58 AM, Erik Goldoff <[email protected]> wrote:
>  Not sure if you intend to reuse, donate, or sell the old hard drives ...

  I've been told that degaussing a modern hard drive effectively
renders it inoperable anyway.  Something about the track information
recorded at the factory, or some such thing.

  If they're following DoD DSS standards (I'm not saying they are or
should, but if they are), degaussing also has to be done on each
platter individually, removing them from the disk housing.  It's a
fair bet that causes irrecoverable damage.  :)

>  Secure erase *used* to be good enough for PCI compliance if DOD standards
> were used ...

  DoD standards were actually changed in late 2007, such that software
methods were no longer acceptable.  Degauss or physical destruction
are the only acceptable methods.  <pure speculation>That may be what's
driving this change.</pure speculation>

On Mon, Dec 29, 2008 at 10:08 AM, Phillip Partipilo <[email protected]> wrote:
> Dunno about the DoD but DSS and ODAA have some pretty explicit guides, one
> excellent one which is here;
>
> https://www.dss.mil/GW/ShowBinary/DSS/isp/odaa/documents/odaa_process_guide_revised050908.pdf

  FWIW, ISL 2007-01 (last article) contradicts the ODAA Process Guide.
 I've yet to receive clarification on which document controls.

https://www.dss.mil/GW/ShowBinary/DSS/about_dss/press_room/2007/isl_2007_01_oct_11_2007_final_agreement.pdf

> It's a shame DIAF is not included though :(

  For DoD, I believe heating is acceptable, provided the disk platter
goes through a phase change (liquidation or vaporization).  Not sure
about the Curie point.

On Mon, Dec 29, 2008 at 11:36 AM,  <[email protected]> wrote:
> How does one do this (physical destruction)?  I keep reading "shredder",
> but that sounds like a pretty special machine as well.

  There are industrial shredders which can chew up computers pretty
easily.  Relatively common stuff; many scrapyards will have one.
However, many data destruction standards require the shreds be smaller
than some size, use approved equipment, etc., so just chucking it into
some random shredder may not be sufficient.

  FWIW, I don't think DoD/DSS accepts conventional shredding for
magnetic media anymore; the information density is so high with modern
stuff that even a tiny fragment is a concern to them.  But that's a
case where I believe DoD spec is way overkill for business needs.

  For regular business stuff (outside of DoD care), I DBAN if
possible, then cut them into two pieces (through the spindle) with the
nifty metal saw the maintenance department has.

-- Ben
