Securely Deleting Data
By: Beau Woods
Securely deleting data is mandated by most regulatory frameworks, but many organizations struggle with how to do it in a way that is both secure and compliant.
Some ways to do this include using software to overwrite the data, using a degaussing tool to electronically damage the drives, and physically destroying them.
Make sure you keep in mind that whatever method you use, the goal is risk mitigation rather than risk elimination. You're trying to mitigate the most risk for the least money. So while DBAN and smash therapy aren't perfect, they do the job pretty well for what you need them to do. If you're the DOD or NSA then of course you need to do something else. But if you're the DOD or NSA you already knew that.
Another part of HIPAA and SOX compliance is auditable documentation. NIST has a guide (linked below) that gives you a generic form for the types of data you need to track, including the method of sanitization, the serial number, who performed the wipe, etc. It is also beneficial to document your methodology, since the auditors will want to see that along with your wiping logs.
DBAN is one of the most useful tools out there; it offers several forms of wiping to remove data from all types of drives, including SCSI and older hardware. If the drives are all ATA and manufactured within the last five years (erring on the side of caution), the ATA Secure Erase command is both more thorough and faster. This command is implemented in a number of utilities, probably the best known being the one put out by UCSD and called Secure Erase (linked below). Obviously physical destruction is an option too; it can be fun and cathartic to take a sledgehammer to the drives, and old platters can make a great mobile for the geek's crib ceiling.
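As an added example (not from the original post, DBAN, or the UCSD tool), this is the software-overwrite approach in miniature: DBAN-style passes over a single file, a read-back verification of each pass, and an audit entry carrying the fields the NIST form asks for. The record field names, the operator string and the serial value are placeholders of my own.

```python
import hashlib, os, secrets, tempfile
from datetime import datetime, timezone

# DBAN-style passes over one file; None marks the random pass. File-level only:
# whole-drive wipes and ATA Secure Erase remain the job of the tools named above.
PASSES = (b"\x00", b"\xff", None)

def _fill(f, size, pattern, chunk=1 << 16):
    """Write one pass over `size` bytes and return SHA-256 of what was written."""
    f.seek(0)
    written, left = hashlib.sha256(), size
    while left:
        n = min(chunk, left)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        f.write(buf)
        written.update(buf)
        left -= n
    f.flush()
    os.fsync(f.fileno())  # push the pass to the device before reading it back
    return written.hexdigest()

def overwrite_file(path):
    """Run every pass, verifying each; return (bytes_wiped, passes_verified)."""
    size, verified = os.path.getsize(path), 0
    with open(path, "r+b") as f:
        for pattern in PASSES:
            written = _fill(f, size, pattern)
            f.seek(0)  # verify step: read the pass back and compare digests
            verified += written == hashlib.sha256(f.read()).hexdigest()
    return size, verified

def sanitize_with_record(path, operator, media_serial):
    """Wipe `path`, unlink it, and return the entry for the wiping log."""
    size, passes = overwrite_file(path)
    os.remove(path)
    return {"media_serial": media_serial, "operator": operator, "bytes": size,
            "method": "overwrite: 0x00, 0xFF, random; each pass read-back verified",
            "passes_verified": passes, "verified": passes == len(PASSES),
            "timestamp": datetime.now(timezone.utc).isoformat()}

def demo():
    """Constructed sample: a temp file of fake records, wiped and logged."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"PATIENT RECORD 0001 (constructed sample data)\n" * 3000)
    return sanitize_with_record(path, "operator (placeholder)", "SERIAL-PLACEHOLDER")
```

The per-pass verification is the part auditors care about: the log entry states not just that a wipe was attempted but that every pass read back exactly as written.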
Wiping portable media is a different issue entirely. Backup tapes, thumb drives and portable hard drive storage are three such examples of portable media. Each has its own challenges. I've addressed the hard drive issue above, but probably the best way to wipe the other two is physical destruction. It's an easy process for small USB drives but can be difficult to do safely with backup tapes. I'd suggest contacting your paper records disposal company and asking them if they can provide this service for you. You may find that their rates are low for this sort of thing.
National Industrial Security Program Operating Manual DoD 5220.22-M 2006 (Deprecated)
Marcus Ranum's method of physical destruction