Secure Data Removal at NC State

Before attempting to surplus or dispose of any device or equipment containing sensitive data or software licensed to the university, security-compliance regulations require that you follow all relevant procedures on this page to fully erase or destroy all storage devices.

In addition to computer hard drives, such storage devices may include but are not limited to:

• Removable media
• Portable electronic devices
• Scanners
• Copiers

How Does this Help the Pack?

Meeting this requirement protects the university in many ways:

• Maintains data security:  University data remaining on surplus devices and other equipment risks exposure of sensitive data, which can lead to subsequent data breaches.
• Complies with multiple federal and state regulations.
• Fulfills software licensing agreements.

If you need assistance meeting this requirement, contact your local IT support personnel or asset management coordinator.

Secure Data Removal Procedures

Before deciding to surplus any equipment or device that might store sensitive data or software licensed to the university, you must complete the following procedure:

1. Fully erase storage devices (hard drive, flash, and so forth) or remove and destroy them.
   • Best Practice:  Erase all storage devices cryptographically.
   • When cryptographic erasure is not an option, see Other Acceptable Data-removal Procedures.
2. Remove any device or firmware password (for example, BIOS or UEFI) or device security measures such as a screen lock, PIN code, activation code, Touch ID, Face ID, and so forth.
3. Attach a label to the equipment signed by an NC State employee certifying the storage devices are erased or removed (per Step 1 above) and that all security passwords or device security measures are removed (per Step 2 above).

See Disposition of Property for details about how to prepare surplus labels.

Erasing Devices Cryptographically

Erasing storage devices cryptographically is the best practice for NC State; it does not require vendor-specific procedures and is available for all operating systems.

NOTE:  Some Network-attached Storage (NAS) devices, printers, and other embedded devices do not support cryptographic erasure. These typically require removing the storage device and erasing it using another system.

If the storage device that you need to erase does not support cryptographic erasure, see Other Acceptable Data-removal Procedures.

To erase a storage device cryptographically, do one of the following:

• Delete any encryption key that was stored automatically by a self-encrypting drive.  Some solid-state drives include this feature.
• Run full-disk encryption on the drive and then delete the encryption key manually.

See detailed instructions for your type of drive:

• Windows BitLocker
• Mac FileVault

Other Acceptable Data-removal Procedures

In the event that erasing data cryptographically is not an option, you can perform one of the following procedures instead:

• Erasing Hard Disk Drives
• Erasing Solid-State Drives
• Erasing Mobile Devices
• Erasing Other Devices
• Destroying Devices

Erasing Hard Disk Drives

Follow the instructions for your type of hard disk drive:

1. Hard disk erasing with Active@ KillDisk for PCs
2. Hard disk erasing for Macs
3. For Unix endpoints, see hardware vendor.

Erasing Solid-State Drives (SSDs)

Choose the appropriate option to erase a solid-state drive:

• If the Solid-State drive (SSD) manufacturer does not provide Secure Erase functionality, erase the drive cryptographically or destroy it.
• For SSDs with Secure Erase functionality, you must use the Secure Erase function from the drive-management software provided by the SSD manufacturer.

The following companies offer SSD management software:

• Corsair (Windows 8 only)
• Western Digital
• Crucial

For details on how to initiate Secure Erase, see the ATA Secure Erase commands as specified in the ATA storage specifications.

Erasing Mobile Devices

To erase all data from mobile devices, reset them.  

See the instructions for your device:

• Resetting Android devices
• Resetting iOS devices
• Resetting a Surface 2 or Surface RT tablet
• Resetting a Chromebook
• Resetting an Apple TV

NOTE:  See the SANS Disposing of Your Mobile Device website for additional information including how to erase SIM or external storage cards.

Erasing Other Devices

Follow this procedure for any other device that stores data, for example, copiers, printers, scanners, fax machines, set-top devices, TVs, and projectors.

1. Verify the device has an internal storage device.
2. If it contains a removable hard drive, remove the drive and process it per the Erasing Hard Disk Drives section.
3. For non-removable drives, follow the vendor’s data removal instructions.
4. If it has another type of storage, use the vendor’s recommended method for data removal.

Destroying Devices

Physical destruction is the last resort and includes the following options:  

• Mechanical shredders
• Degaussing (not viable for solid-state drives)

See KB0022419 for additional information for additional information.

CAUTION:  Due to the extensive use of sensitive data on server storage solutions and associated risks, which includes loss of confidentiality or information disclosure, server storage solutions must be physically destroyed to safeguard university data. For additional information on these university compliance obligations, see NIST 800-171 security control 3.8.3 (Sanitize or Destroy System Media) and NIST 800-88 for guidance on media sanitation.

Create the Verification Label

After erasing the hard disk, you must attach ou must attach a verification label to the computer equipment.

CAUTION:  Improperly labeled computer equipment will not be picked up for surplus.

Checklist for creating proper verification labels:

• Download Word or PDF labels:
  • Word format (Avery 5163 or 5963 labels)
  • PDF format (Avery 5163 or 5963 labels)
• Label must contain:
  • Checked boxes verifying all of the security measures have been removed
  • Printed name
  • Signature
  • Date
  • Serial number
• Make sure you include the serial number on both of the following:
  • Online AM Surplus Request form
  • Verification label attached to the equipment
• Print on any of the following:
  • Avery labels
  • Any 2″ x 4″ label
  • A plain sheet of paper taped to the equipment

Verification Responsibilities

It is the responsibility of NC State employees to verify that your computer equipment’s hard drive has been erased or removed. This responsibility cannot be given to external entities.

If You Need Additional Assistance

• For surplus procedures:
  Contact the Materials Management Surplus Property unit at 919.515.5525 or 919.515.9464.
• For proper erasing of hard disks:
  Send an email message to the NCSU Help Desk or call 919.515.HELP.