
IT Security Procedure Document

Data Disposal Procedure

Document Classification: Internal

Title: Data Disposal Procedure
Document Code: IS_PROC_012
Author: Sanil Nadkarni
Release Date: 17/03/2015
Reviewed by: Milind Wairkar
Version: 6.0
Approved by: Anand Krishnamoorthy
Next Review Date: February 2016



Table of Contents

1. INTRODUCTION
    1.1. Overview
    1.2. Scope
2. DETAILED PROCEDURES
    2.1. HDD to be reused within the organisation
    2.2. HDD to be Discarded
    2.3. Data needs to be recovered from external Party
    2.4. Wiping Data from USB Drives
    2.5. Disposing CD/DVD

ver 6.0 Page 2 of 10 Internal



Document Control

Change Record

Delivery Date   Author            Version   Change Details
11/01/08        Kiran Nair        1.0       New Document
29/05/09        Kiran Nair        2.0       Ref: COS changed to Capita India
2-Sep-10        Kiran Nair        3.0       Added section # Disposing Printer HDD
09-Jan-12       Sanil Nadkarni    4.0       Annual review
09-Nov-12       Sanil Nadkarni    4.0       Annual review
                                            “Publish Date” is changed to “Release Date”
14/06/2013      Akshata Thakur    5.0       Added new field “Next Review Date”
                                            Added reference to Ventura India.
11/08/2014      Akshata Thakur    6.0       Annual review, No change
20/2/2015       Sanil Nadkarni    6.0       Annual review no changes

Approval Sign-off

Name                   Role                             Date
Prasad Kamath          Senior Manager: InfoSec & BCP    11/01/08
Prasad Kamath          Sr. Manager – Risk management    29/05/09
Nilanjan Ghosh         Head – Risk & Compliance         02/09/2011
Anand Krishnamoorthy   Director - Risk & Compliance     09/01/2012
Anand Krishnamoorthy   Director - Risk & Compliance     23/11/2012
Anand Krishnamoorthy   Director - Risk & Compliance     06/08/2013
Anand Krishnamoorthy   Director - Risk & Compliance     30/09/2014
Anand Krishnamoorthy   Director - Risk & Compliance     12/03/2015


1. Introduction

1.1. Overview

Utilities such as FORMAT only create new FAT and ROOT tables, leaving all previous data on the disk intact and
recoverable. Moreover, an image of the replaced FAT and ROOT tables is stored, so that the UNFORMAT command can
be used to restore them. Other utilities such as FDISK merely clean the Partition Table (located in the drive's first
sector) and do not clean or erase anything else.

The Disposal and Destruction policies of Capita mandate that all information be destroyed or disposed of from
external or common storage media when it is no longer needed. By external or common storage media we mean
CD/DVD/USB media and the hard drives of pool laptops. This policy also applies when desktops are assigned to
different users.

This document describes procedures for sanitizing various types of data storage media.

1.2. Scope

This procedure applies to all equipment that is owned or leased by Capita India, or that is in the charge, possession,
custody or control of Capita India.
All references to Capita India Pvt. Ltd. should be read as including Ventura India Pvt. Ltd. as well.

2. Detailed Procedures

The following distinct scenarios for handling media disposal are covered:

1. HDD to be reused by another person within the organization
2. HDD to be sold or discarded
3. Data needs to be recovered from external Party
4. Wiping Data from USB Drives
5. CD-ROMs that need to be destroyed
6. Laptops sent out of office for repairs

2.1. HDD to be reused within the organisation

To achieve this objective, a hard disk data wiping application shall be used.

Darik's Boot and Nuke ("DBAN") is a self-contained boot floppy that securely wipes the hard disks of most computers.
DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an
appropriate utility for bulk or emergency data destruction.

DBAN is a means of ensuring due diligence in computer recycling, a way of preventing identity theft if you want to sell a
computer, and a good way to totally clean a Microsoft Windows installation of viruses and spyware. DBAN prevents or
thoroughly hinders all known techniques of hard disk forensic analysis.

The DBAN application will overwrite all addressable storage and indexing locations on the drive with zeros and/or
random data for each single pass. For this reason, the overwriting software should be used with caution as data is
erased completely without possibility of recovery.
The data can be sanitised by following the instructions below:


a. Obtain a bootable floppy disk/USB key containing the DBAN application from the IT-Operations Team.

b. With the PC powered off, insert the bootable DBAN USB key.

c. Start the PC by turning on the power. Select the USB as the 1st boot option in the BIOS; you should see the
following screen.

d. Press [Enter] to start.

e. Using the keyboard J (up) and K (down) keys, select the drive you wish to erase and press the [Enter] or
[Spacebar] key to mark the drive for wiping. Finally, press F10 to start wiping the data.

f. The time taken to complete the format depends on the capacity of the hard disk and the type of format
selected.

g. The application will continue to operate on its own without human intervention. The following screen will
confirm the wipe process.


h. In order to use any erased HDDs again, you will need to:

- Repartition the HDD using a standard utility like FDISK
- Reformat partitions using a standard utility like FORMAT
- Reinstall the operating system.

OR

- Re-image the HDD.
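Before a wiped disk is repartitioned for reuse, the result of the overwrite can be spot-checked on an image of the drive. The following is an added example, not part of the original procedure or of DBAN: it scans an image sector by sector and lists the sectors that still hold recognisable data, using a constructed 64-sector sample to contrast a FORMAT-style table rewrite with a full overwrite pass. The 512-byte sector size, the entropy threshold of 7.0 and all function names are assumptions of this example.

```python
import io
import math
from collections import Counter

SECTOR = 512  # bytes per sector (assumption; many newer drives use 4096)

def entropy(block: bytes) -> float:
    """Shannon entropy of a block, in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes) -> str:
    """Label one sector 'zero', 'random' or 'residual'."""
    if not any(block):
        return "zero"
    # 512 random bytes measure about 7.5 bits/byte; text and most file formats
    # fall well below 7. Encrypted or compressed leftovers also look random.
    return "random" if entropy(block) >= 7.0 else "residual"

def scan(stream) -> dict:
    """Read an image sector by sector; count sectors and list residual ones."""
    report = {"zero": 0, "random": 0, "residual": []}
    sectors = iter(lambda: stream.read(SECTOR), b"")
    for index, block in enumerate(sectors):
        kind = classify(block)
        if kind == "residual":
            report["residual"].append(index)
        else:
            report[kind] += 1
    return report

# Constructed sample: 64-sector disk, tables in sectors 0-3, a file in 10-19.
def sample_disk() -> bytearray:
    disk = bytearray(64 * SECTOR)
    disk[0:4 * SECTOR] = b"FAT/ROOT ENTRY  " * 128            # 2048 bytes
    disk[10 * SECTOR:20 * SECTOR] = b"CUSTOMER RECORD " * 320  # 5120 bytes
    return disk

def quick_format(disk: bytearray) -> bytearray:  # simplified FORMAT: tables only
    disk[0:4 * SECTOR] = bytes(4 * SECTOR)
    return disk

def full_overwrite(disk: bytearray) -> bytearray:  # one zero-fill pass, all sectors
    disk[:] = bytes(len(disk))
    return disk

if __name__ == "__main__":
    print("quick format:", scan(io.BytesIO(quick_format(sample_disk()))))
    print("overwritten :", scan(io.BytesIO(full_overwrite(sample_disk()))))
```

scan() accepts any binary stream opened read-only, so the same function can be run over an image file taken from the wiped drive.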

2.2. HDD to be Discarded.

Hard disks that are to be discarded shall be degaussed, or their platters shall be removed and
physically destroyed by cutting or shredding them in shredders.

2.3. Data needs to be recovered from external Party

When data gets corrupted, or when the HDD circuit board fails, the hard disk may need to be taken
to a third-party vendor for data retrieval. In such cases the HDD would be sealed
and accompanied by a document from the server team, which would suffice as a gate pass. An NDA between the
vendor and Capita Offshore Services should be signed, and only then should the HDD be handed over to the
vendor for data to be retrieved. The retrieved data from the vendor could be collected on DVDs or on a new
hard disk.

The platters of the old HDD given to the vendor for data retrieval would be taken back from the vendor and
shredded or physically destroyed after the server team gives assurance that the data recovery was successful. This would
ensure no loss of data due to negligence.


2.4. Wiping Data from USB Drives.

“Eraser” is a free tool, which allows you to completely remove sensitive data from your hard drive by overwriting it
several times with carefully selected patterns.

The data can be securely wiped by following the instructions below:

a. Download and install the latest version of ERASER from http://www.heidi.ie/eraser/download.php

b. Launch the application; you will see the following interface. Right click and select “New Task”.

c. Now select the drive (USB) that you need to ERASE.

NOTE: You can also use this software to ERASE files and folders.


d. After making the selection, right-click the selected option and click Run.

e. You will be prompted for a confirmation. Click YES to proceed.


f. After the erasing is over, you will see the following confirmation screen.


2.5. Disposing CD/DVD

A CD/DVD shredder should be used to physically destroy a CD/DVD that is no longer needed. If a
shredder is not available, the disk can be manually broken into small pieces.

2.6. Disposing Printer HDD

Modern copy machines and printers have hard drives similar to those found in PCs and laptops. These
machines automatically store any document that has been printed or copied on the hard drive. This means
that copy machines and printers may contain sensitive data on the hard drive, which must be destroyed. This is
an often overlooked security issue which could result in a data breach.

Printer hard disks must be wiped in the same way as computer hard disks, using specialized
software (e.g. DBAN, Blancco etc.). Where a hard disk cannot be wiped, it must be physically
destroyed or degaussed.
