Security issues are on the minds of all CIOs these days. Whether the CIO of a 1,300-student liberal-arts college or that of a 13,000-employee Fortune 100 company, never before has the issue of data security been more important. Besides a record-breaking year of data breaches, legislation such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA mandates new security protocols that must be followed or violators face severe penalties.

At Catawba College, network, computer and information security concerns have been a major focus of our information technology work for the past several years, as evidenced by our campus-wide 802.1x network authentication and our CatNet Connect process to clean and secure student computers before allowing them to connect to the residence hall network.

As we faced the prospect of a hardware refresh for about 500 personal computers on campus, it was only natural for us to be concerned about how to dispose of the outgoing equipment in a secure and environmentally friendly way. For the environment's sake-and to benefit the community-we decided to donate our used equipment to a local organization that trains middle school and high school students to refurbish computers, which are then donated to needy families. From an information security perspective, it was essential that we ensure all confidential data was completely eliminated from the hard drives in a manner that would preserve the drives. (also read Is Your Hard Drive Data Really Gone?)

As we investigated ways to completely remove the data from hard drives in a nondestructive manner, we immediately eliminated two options-degaussing and mechanical destruction-because both failed to meet our reusability criteria. The magnetism of degaussers destroys the read/write head, rendering the hard drive inoperable. And mechanical destruction is very harmful to the environment because it requires drives to be ground into tiny pieces, releasing a variety of toxic chemicals.

Although they passed the reusability test, the software overwrite methods we had traditionally been using to clear hard drives fell short in some key areas. First, these methods are labor-intensive and very time-consuming. A typical 120GB hard-drive triple-overwrite process can take four hours or longer to complete and the process must be physically monitored for security purposes. Second, these methods lacked the level of automated logging that we required. For information security and auditing purposes, it was imperative that the hard-drive sanitization procedure be completely documented, without exception, and without the possibility for error.