Secure Data Removal at NC State

Before attempting to surplus or dispose of any device or equipment containing sensitive data or software licensed to the university, security-compliance regulations require that you follow all relevant procedures on this page to fully erase or destroy all storage devices.  

In addition to computer hard drives, such storage devices may include but are not limited to the following:

  • Removable media
  • Portable electronic devices
  • Scanners
  • Copiers

How Does This Help the Pack?

Meeting this requirement protects the university in many ways:

  • Maintains data security:  University data remaining on surplus devices and other equipment risks exposure of sensitive data, which can lead to subsequent data breaches.
  • Complies with multiple federal and state regulations.
  • Fulfills software licensing agreements.

If you need assistance meeting this requirement, contact your local IT support personnel or asset management coordinator.

Secure Data Removal Procedures

Before deciding to surplus any equipment or device that might store sensitive data or software licensed to the university, you must complete the following procedure:

  1. Fully erase storage devices (hard drive, flash, and so forth) or remove and destroy them.
  2. Remove any device or firmware password (for example, BIOS, UEFI) or device security measure such as a screen lock, PIN code, activation code, Touch ID, Face ID, and so forth.
  3. Attach a label to the equipment signed by an NC State employee certifying the storage devices are erased or removed (per Step 1 above) and all security passwords or device security measures are removed (per Step 2 above).

See Disposition of Property for details about how to prepare surplus labels.

Erasing Devices Cryptographically

Erasing storage devices cryptographically is the Best Practice for NC State; it does not require vendor-specific procedures and is available in all operating systems.

NOTE:  Some Network-attached Storage (NAS) devices, printers, and other embedded devices do not support cryptographic erasure. These typically require removing the storage device and erasing it using another system.

If the storage device you need to erase does not support cryptographic erasure, see Other Acceptable Data-removal Procedures.

To erase a storage device cryptographically, do one of the following:

  • Delete any encryption key that was stored automatically by a self-encrypting drive.  Some solid-state drives include this feature.
  • Run full-disk encryption on the drive and then delete the encryption key manually.

See detailed instructions for your type of drive:

Other Acceptable Data-removal Procedures

In the event that erasing data cryptographically is not an option, you can perform one of the following procedures instead:

Erasing Hard Disk Drives

Follow the instructions for your type of hard disk drive:

  1. Hard disk erasing with Active@ KillDisk for PCs
  2. Hard disk erasing for Macs
  3. For Unix endpoints, see hardware vendor.

Erasing Solid-State Drives

Choose the appropriate option to erase a solid-state drive:

  • If the solid-state drive manufacturer does not provide Secure Erase functionality, erase the drive cryptographically or destroy it.
  • For solid-state drives with Secure Erase functionality, you must use the Secure Erase function from the drive-management software provided by the solid-state drive manufacturer.

The following companies offer solid-state drive management software:

For details on how to initiate Secure Erase, see the ATA Secure Erase commands as specified in the ATA storage specifications.

Erasing Mobile Devices

To erase all data from mobile devices, reset them.  

See the instructions for your device:

NOTE:  See Disposing of Your Mobile Device for additional information including how to erase SIM or external storage cards.

Erasing Other Devices

Follow this procedure for any other device that stores data, for example, copiers, printers, scanners, fax machines, set-top devices, TVs, and projectors.

  1. Verify the device has an internal storage device.
  2. If it contains a removable hard drive, remove the drive and process it per the Erasing Hard Disk Drives section.
  3. For non-removable drives, follow the vendor’s data removal instructions.
  4. If it has another type of storage, use the vendor’s recommended method for data removal.

Destroying Devices

Physical destruction is the last resort and includes the following options:  

  • Mechanical shredders
  • Degaussing (not viable for solid-state drives)

See the Electronic Media Disposal Process for additional information.

Note: Due to the extensive use of sensitive data on server storage solutions and associated risks, which includes loss of confidentiality or information disclosure, server storage solutions should be physically destroyed to safeguard university data. Reference: NIST 800-171 3.8.3 sanitize or destroy system media, NIST 800-88 Guidance on media sanitation.

Labeling Instructions

  • After the hard disk is erased, a verification label must be attached to the computer equipment.
  • Verification labels in Word format (for Avery 5163 or 5963 labels) or PDF format (Avery 5163 or 5963 labels) may be printed on any of the following:
    • Avery labels
    • Any 2″ x 4″ label
    • Plain sheet of paper taped to the equipment.
  • The label must contain:
    • Checked boxes verifying all of the security measures have been removed
    • Printed name
    • Signature
    • Date
    • Serial number
  • The serial number must be shown on BOTH of the following:
    • Online AM Surplus Request form
    • Verification label attached to the equipment
  • Improperly labeled computer equipment will not be picked up for surplus.

Verification

Only NC State employees may verify that computer equipment’s hard drive has been erased or removed.

Additional Assistance

  • Surplus procedures
    Materials Management Surplus Property unit: 919.515.5525 or 919.515.9464.
  • Proper erasing of hard disks
    NCSU Help Desk or 919.515.HELP.