Washington State Auditor’s Office
Troy Kelley
Independence • Respect • Integrity

Performance Audit
Safe Data Disposal – Protecting Confidential Information
April 10, 2014

Before state government organizations release computers they no longer need for sale or surplus, state laws require they erase all data, including confidential information such as Social Security numbers, medical information, and IT system and security information. We checked a sample of computers sent for surplus and estimate that 9 percent of the computers scheduled for sale during our review period contained confidential data that should have been removed. We recommend state organizations follow a national best practice to conduct a final check to verify all data has been removed before releasing computers. We also recommend the Office of the Chief Information Officer improve its policies and oversight for agency data disposal practices. The OCIO and the organizations involved responded swiftly to our findings, stopping the release of surplus computers and improving data removal policies.

Audit Number: 1011501

Table of Contents
Executive Summary
Introduction
Audit results
Recommendations
State Organizations Responses
Appendix A: Initiative 900
Appendix B: OCIO Best Practice Guidance
Appendix C: Free Data Erasure Software
Appendix D: Statistical Sampling Results

The mission of the Washington State Auditor’s Office

The State Auditor’s Office holds state and local governments accountable for the use of public resources.

The results of our work are widely distributed through a variety of reports, which are available on our Web site and through our free, electronic subscription service.

We take our role as partners in accountability seriously. We provide training and technical assistance to governments and have an extensive quality assurance program.

For more information about the State Auditor’s Office, visit www.sao.wa.gov.

Americans with Disabilities

In accordance with the Americans with Disabilities Act, this document will be made available in alternative formats. Please email Communications@sao.wa.gov for more information.

State Auditor’s Office contacts

State Auditor Troy Kelley
360-902-0360, Troy.Kelley@sao.wa.gov

Chuck Pfeil, CPA :: Director of State & Performance Audit
360-902-0366, Chuck.Pfeil@sao.wa.gov

Lou Adams, CPA :: Deputy Director of Performance Audit
360-725-9741, Lou.Adams@sao.wa.gov

Todd Larson :: Senior Performance Auditor
360-725-9734, Todd.Larson@sao.wa.gov

Thomas Shapley :: Deputy Director of Communications
360-902-0367, Thomas.Shapley@sao.wa.gov

To request public records
Mary Leider :: Public Records Officer
360-725-5617, PublicRecords@sao.wa.gov

Executive Summary

Why we did this audit

In the last two years, Washington’s state agencies, boards and commissions sent almost 20,000 computers to surplus when they were no longer needed. The Department of Enterprise Services (DES) surplus program distributes some of these computers to other state organizations, school districts, or non-profit groups. The remaining computers are sold to the public through the surplus program website or at the DES Surplus Store in Tumwater, WA. The revenue collected from the sale of these computers is used to fund the surplus program and purchase new equipment for state organizations.

Before state organizations release computer equipment for disposal, state laws require them to erase all data, including confidential information such as social security numbers and personal medical information, as well as Information Technology (IT) system and security data from their hard drives.
State standards also require state organizations to document their computer disposal procedures. Leaving confidential data on computers can expose both individuals and organizations to identity theft and fraud, and violates state and federal law.

We wanted to assess how well state organizations comply with statutes and employ best practices as identified in the Office of the Chief Information Officer (OCIO) Security Standard 141.10. The OCIO is responsible for the state’s IT security standards. We also wanted to identify opportunities to improve computer disposal operations and minimize the risk of confidential data being released.

We designed our audit to determine if state organizations remove confidential data stored in their data processing equipment before releasing them for surplus or destruction, and if their data processing disposal policies, procedures and actual processes comply with state requirements and employ best practices.

Not all state organizations removed confidential data stored in their computers before releasing them for surplus or destruction.

Four of the 13 organizations whose surplus computers we tested had released equipment containing confidential data. They were the:
• Department of Ecology
• Department of Health
• Department of Labor & Industries
• Department of Social and Health Services

The State Auditor’s Office created a stratified statistical sample of all surplus computers and inspected computers from 13 state organizations sent to the surplus program over a six-week period. We estimate that 9 percent, or 109, of the 1,215 computers scheduled for surplus during our review period contained confidential information.

We recovered files from the computers’ hard drives. With the right knowledge of data retrieval, the confidential information we found could be obtained in a few minutes.
Had these computers been sold, the presence of confidential information on their hard drives posed a risk of harm to private individuals and the state.

Confidential data found on state surplus computers included:
▶ Applications for public assistance
▶ Medical records
▶ Personal financial statements
▶ Employee performance evaluations
▶ IRS tax forms
▶ Social Security numbers
▶ IT security and system information
▶ Claims records
▶ Employment applications

Not all state organizations’ data processing disposal policies, procedures, and processes were in compliance with state requirements and followed best practices.

We reviewed the procedures of all 13 organizations and found significant inconsistencies between and within them.

Of the 13 state organizations whose surplused computers and data disposal processes and policies we examined…
• Four had confidential data on computer hard drives
• Four did not have documented procedures in place
• Ten did not follow the recommended leading practice of verifying data on hard drives is erased or destroyed

We also compared the OCIO Security Standards to guidance published by the National Institute of Standards and Technology (NIST). The OCIO’s standards refer to the NIST guidance as “best practices,” but we found that the standards did not clearly require state organizations to employ those best practices. The NIST best practices specifically include steps to verify and document data is properly deleted.

Two state organizations did employ best practices by including a step in their procedures to verify that data was removed from their computer hard drives, as recommended by NIST.
Those organizations were the Employment Security Department and the Department of Enterprise Services.

The state responded swiftly to our audit test findings

After we shared our audit test results with the state organizations and the OCIO, the state organizations reacted swiftly to address the problem.

The OCIO immediately quarantined computers at the surplus store, halted sales, and provided additional guidance to state organizations and is in the process of evaluating its computer disposal policies. The organizations that we found had confidential data on their computers took immediate steps to resolve the problems and are reviewing their procedures. One organization immediately assigned an employee to examine every computer hard drive after it had been sanitized to verify that no data remained.

Recommendations

In order to ensure state organizations comply with state requirements and follow best practices in properly removing confidential data stored in computers before they are released for surplus or destruction, we make the following recommendations:

In addition to the actions the OCIO has already taken, we recommend the OCIO:
• Engage state IT and security leaders to modernize the methods available to organizations to meet the OCIO Standards (hard drive destruction and recycling services)
• Revise the current version of the OCIO Security Standards Section 8.3 to:
    • Require state organizations to employ the NIST best practices, which would address OCIO Step 8.3.3 by replacing the word “ensure” with “verify”
    • Require proper documentation stating that data has been properly deleted from computer hard drives, or that hard drives have been properly destroyed

We also recommend the OCIO:
• Review the state organizations’ documented media handling and disposal procedures to ensure they meet the OCIO Standards Section 8.3
• Continue to halt the release of computers for organizations whenever the OCIO has reason to doubt their compliance with the OCIO Standards Section 8.3

Our recommendations for state organizations:

1. The following organizations establish documented procedures to ensure safe and secure disposal of sensitive and confidential information. The procedures should align with the OCIO Security Standards for computer handling and hard drive disposal:
• Department of Social and Health Services
• Department of Transportation
• State Parks and Recreation Commission
• State Senate

2. As a best practice, the following organizations include in their procedures a step to verify and record that confidential data is appropriately removed from computer hard drives before releasing to surplus:
• Department of Ecology
• Department of Fish and Wildlife
• Department of Health
• Department of Labor & Industries
• Department of Natural Resources
• Department of Revenue
• Department of Social and Health Services
• Department of Transportation
• Office of the Insurance Commissioner
• State Parks and Recreation Commission
• State Senate

Introduction

In the 21st century, almost nothing ages as quickly as computer software and hardware. Improvements in processing speed and memory capacity make machines only a few years old obsolete, while innovative or upgraded software can sometimes run only on newer computers. Personal and business users can dispose of their old computers through recycling centers across the state, which process the scrap boxes and hard drives. Washington’s state agencies, boards and commissions must meet stricter guidelines and proceed carefully when they decommission computers they no longer need.

In the last two years, state government organizations decommissioned almost 20,000 computers using the Department of Enterprise Services (DES) surplus program. Some are redistributed to other state agencies, school districts or non-profit organizations. The rest are sold to the public through the surplus program website or at the DES Surplus Store in Tumwater, WA.
The revenue collected from the sale of these computers is used to fund the surplus program and to purchase new equipment for state organizations.

Before state organizations release computer equipment for disposal, state laws require them to safeguard confidential information such as Social Security numbers, personal medical information, and organization Information Technology (IT) system and security data. Leaving confidential data on computers can expose individuals and organizations to identity theft or fraud; it also violates state and federal law.

While DES runs the surplus store, the Office of the Chief Information Officer (OCIO) sets state IT security standards, including those for safeguarding confidential information.

State government organizations can choose to completely erase the information, leaving the computer hard drive intact, or remove the drive and destroy it. State standards require them to document their hard drive erasing and disposal procedures.

We designed this audit to answer the following questions:
1. Do state organizations remove confidential data stored in their computers before they are released for surplus or destruction?
2. Do state organizations’ computer disposal policies, procedures, and processes comply with state requirements and follow best practices?

Washington’s data safeguarding requirements
1. State law RCW 19.215.020 “Destruction of information - Liability - Exception - Civil action”
2. State law RCW 42.56.420 “Security”
3. State law RCW 43.19.1919 “Surplus personal property - Sale, exchange - Exceptions and limitations”
4. Washington State Office of the Chief Information Officer Security Standard 141.10 - Section 8.3 “Media Handling and Disposal” pg. 22, which makes reference to best practices such as the federal National Institute of Standards and Technology (NIST) Special Publication 800-88 “Guidelines for Media Sanitization”

Audit Scope & Methodology

As we addressed the two primary audit questions, we developed additional objectives based on the results of our tests:
• If we found data on the hard drive of a surplused computer, we tried to find out how this happened. This included interviewing organization staff and examining the organization’s hard drive erasing and disposal policies and procedures.
• If we found surplus computers without hard drives, we asked the organizations why they removed the drives and what was done with them.
• If an organization successfully disposed of computers with completely erased hard drives, we examined its data disposal policies and procedures to see how they compared to the Office of Chief Information Officer’s (OCIO’s) Security Standards and best practices.

Processes for examining computers sent to DES for surplus

We reviewed relevant laws and standards that classify confidential data and require its destruction prior to disposal. The OCIO Security Standards 141.10, page 8, section 4.1 Data Classification states:

Agencies must classify data into categories based on the sensitivity of the data.

Agency data classifications must translate to or include the following classification categories:

1. Category 1 – Public Information
Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure, but does need integrity and availability protection controls.

2. Category 2 – Sensitive Information
Sensitive information may not be specifically protected from disclosure by law and is for official use only.
Sensitive information is generally not released to the public unless specifically requested.

3. Category 3 – Confidential Information
Confidential information is information that is specifically protected from disclosure by law. It may include but is not limited to:
a. Personal information about individuals, regardless of how that information is obtained.
b. Information concerning employee personnel records.
c. Information regarding IT infrastructure and security of computer and telecommunications systems.

We focused our audit on Category 3 – Confidential data. We created a statistical sample (specifically, a stratified random sample) of all surplus computers sent to the DES surplus program over a six-week period during the summer of 2013 to examine them for compliance.

Each week, the DES Warehouse Manager gave the audit team a list of the organizations due to send computers to surplus and their inventory count. We selected a sample of about 30 desktops or laptops and went to the DES Surplus Store to examine them. If the computer contained a hard drive, we brought it to our office for testing to see if the drive contained any confidential data. At the end of the six weeks, we had examined 177 of the 1,215 desktop and laptop computers sent to the surplus program. The sampled computers came from 13 different state organizations.
For complete results of our sample, see Appendix D.

Understanding current best practices guided our evaluation of state organizations’ disposal processes

In addition to familiarizing ourselves with the OCIO’s Security Standards Section 8.3 “Media Handling and Disposal,” we also reviewed the National Institute of Standards and Technology (NIST) 800-88 “Guidelines for Media Sanitization” which is referenced in Section 8.3 of the Standards as a media sanitization “best practice.” See Appendix B, which lists this best practice resource that government organizations at the state and local level might find helpful as they review their policies and procedures. Appendix C provides a list of free software erasure tools that the OCIO recommends to state organizations. These tools could also help small or local government organizations maintain high standards of data security on decommissioned computers without adding high costs to the process.

Audit performed to standards

We conducted this performance audit under the authority of state law (RCW 43.09.470), approved as Initiative 900 by Washington voters in 2005, and in accordance with Generally Accepted Government Auditing standards (December 2011 revision) issued by the U.S. Government Accountability Office. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. See Appendix A, which addresses the I-900 areas covered in the audit.

Next steps

Our performance audits of state programs and services are reviewed by the Joint Legislative & Audit Review Committee (JLARC) and/or by other legislative committees whose members wish to consider findings and recommendations on specific topics.
Representatives of the State Auditor’s Office will review this audit with JLARC’s Initiative 900 Subcommittee in Olympia. The public will have the opportunity to comment at this hearing. Please check the JLARC website for the exact date, time, and location (www.leg.wa.gov/JLARC). The State Auditor’s Office conducts periodic follow-up evaluations to assess the status of recommendations and may conduct follow-up audits at its discretion.

Audit results

We found data on computers from four different state organizations – the departments of Ecology, Health, Labor & Industries, and Social and Health Services – sent to the DES surplus warehouse in six separate shipments. Based on the stratified sampling method we used to select computers, we estimate 9 percent, or 109, of the 1,215 computers sent to the surplus program during our six-week review period contained confidential information.

We also found that state organizations employed a variety of policies and practices to ensure data did not remain on the computers placed in the DES surplus program. Of the 13 agencies that shipped computers we tested, only two – the departments of Enterprise Services and Employment Security – had policies and procedures that included a step to verify data was removed from computer hard drives, or that the hard drives were destroyed, as NIST recommends as a best practice.

The Department of Revenue also had fully compliant policies and procedures, and a process to verify data was removed from their hard drives, but had not documented the verification step in its procedures.

In the case of the other 10 organizations’ policies and procedures, we found some were incompletely documented and some did not conform to the OCIO’s Security Standards, while some had documented and compliant policies, but staff did not fully follow them.

We estimate that 9% of the state-owned computers sent to the DES surplus program during our test period contained confidential data.

Question 1: Do state organizations properly remove confidential data stored in their data processing equipment before releasing them for surplus or destruction?

Computers released as surplus contained confidential data that should have been erased

We estimate 9 percent of the computers sent to the surplus program during our review contained confidential data that state law required organizations to remove before releasing their computers for surplus.

The confidential data included:
• Social Security numbers
• Dates of birth
• Addresses
• Phone numbers
• Medical records
• Financial information
• Applications for public assistance
• IRS tax forms
• Employment applications
• Employee personnel evaluations
• Employee citizenship information
• IT security and system information

In addition to confidential information, one of these computer hard drives still had its operating system installed.

Another computer hard drive contained no confidential information, but did have dozens of inappropriate photos.

It appeared one state organization attempted to use software to erase the hard drives, but the erasure was not successful. The nature of un-erased data reflected to some degree the sensitive nature of state agencies’ work. Computers from another organization contained several documents that fall into the OCIO Security Standards Confidential Information Category 3.a, “Personal information” about individuals, such as applications for benefits, a medical history record, a psychiatric evaluation, IRS tax forms, and banking and credit information of the agency’s clients.

We saw some types of confidential data recur more frequently during our tests, including employee performance evaluations and personnel information, user names and passwords, and network access instructions. We also found a computer loaded with a fully functional operating system, although it required a username and password to log on to the computer.

We also found computers that had their hard drives removed completely.
The matter of absent hard drives is discussed below.

Reasons why data remained on drives varied between organizations, but human error played a part

For every computer we found that contained data, we sought reasons why it had been sent to the surplus warehouse before being completely erased. We interviewed IT managers or staff at the four agencies, and asked them to identify the combination of issues that led to the incomplete removal of confidential data. Agency staff supplied the following causes of incomplete processes, human error, and technological failures.

For example, agencies suggested:
• Computers that did not start were released for surplus on the assumption that they were actually broken and unusable, when the computer hard drives still contained confidential data.
• Computers were mistakenly set aside for surplus delivery before the data had been erased from their hard drives.
• Tape indicating the hard drive had been removed was mistakenly placed on a computer with its hard drive intact.
• Computers with installed hard drives planned for reuse were instead sent for surplus without data removal.

Why hard drives were absent

State organizations can either remove and destroy computer hard drives, or erase data on the hard drives and reuse them. According to the OCIO Security Standard, both approaches are an acceptable solution to safely disposing of confidential data.
• In one agency, regional offices remove hard drives in order to destroy them, while some drives are removed to copy data stored on them. In the latter case, the hard drives are erased and sent to DES Surplus separately from the computers.
• One agency described removing hard drives to send them to a contractor for destruction. The process calls for a technician to place blue tape labeled “HD out” on decommissioned computers after the hard drive has been removed; the computers are then stacked on pallets until DES collects them to take to the surplus warehouse. The hard drives are placed in a locked bin and later destroyed.

Discrepancies were found between physical count and inventory lists at the DES warehouse

We found significant discrepancies between the number of desktops and laptops we physically counted at the DES warehouse and the number listed on the surplus program inventory sheet submitted by one agency. One of the shipments we sampled included 23 more desktops than inventoried, while the other shipment included 74 more desktops and eight fewer laptops. We were unable to determine how or why this happened.

Question 2: Do state organizations’ computer disposal policies, procedures, and processes comply with state requirements and follow best practices?

Organizations did not always comply with the OCIO’s requirements or employ best practices for disposing of computers

We wanted to know how well state organizations complied with the OCIO’s data disposal standards, and whether those organizations with data-contaminated drives had met the requirements for documented policies and procedures.
We also wanted to see how closely Washington’s computer disposal policies and recommended procedures aligned with best practice as outlined by industry and government experts.

We compared the OCIO Standards Section 8.3 “Media Handling and Disposal” to the NIST 800-88 “Guidelines for Media Sanitization.” We found that Section 8.3 of the Standards makes reference to “best practices such as NIST SP 800-88,” and OCIO Standards Section 8.3.3 calls for state organizations to “ensure the safe and secure disposal of sensitive media.” The standards do not, however, specifically require state organizations to employ NIST best practices, which include verifying data has been removed or the storage media has been destroyed.

The NIST best practices provide organizations:
• An overview of the need for data sanitization and the basic types of information, sanitization, and media
• A process flow, including validation and documentation steps, to assist with data sanitization decision making
• Guidance on how to verify the effectiveness of selected data sanitization processes, equipment and personnel competencies

Having a documented procedure does not guarantee completely erased computer hard drives

Of the four organizations with confidential data on their drives, three – Department of Ecology, Department of Health, and Department of Labor & Industries – met the state standards requirement to have documented procedures explaining how they remove data from surplus computers. The procedures and the processes described by the Department of Social and Health Services were not sufficient to ensure data was removed from computers. Furthermore, the procedures were inconsistent within the agency, in that some of its regional and field offices used software that erased and reformatted drives while other offices physically removed hard drives.

The very diverse explanations given by the four organizations for having confidential data on their surplused computers indicated a lack of controls.
Furthermore, when mistakes were made, the organizations did not have mitigating controls documented and in use to prevent the release of confidential data.

None of the procedures or processes we reviewed for these organizations required computer hard drives to be checked after the data removal step was supposed to be completed, to confirm that hard drives were removed or completely erased before being sent to surplus. This is a necessary step to verify that confidential data is not released.

Even at organizations that did not have confidential data on their computers in our sample, policies and procedures did not always meet OCIO Standards

Some state organizations did not have documented computer disposal procedures as required by the OCIO Standards. Although we did not discover confidential data on the computers we checked for the State Senate and the State Parks and Recreation Commission, neither had documented computer hard drive erasing and/or disposal policies and procedures as required by the OCIO Standards.

The most frequently observed issue with state organizations’ computer disposal policies or procedures was the lack of a documented step in their procedures to verify that data had been erased or hard drives destroyed as recommended by the NIST’s guidelines for media handling and disposal best practices. Eleven of the 13 organizations we audited lacked such a step to verify and document data is properly deleted.

We could not determine if only four state organizations had confidential data on their computers

Our random sample included computers from only 13 state organizations. Although the computers we tested from nine organizations did not contain data, we cannot be sure that all their computers were free of data. Not all organizations were tested, either because none of their computers were selected in our sample or they did not send computers to surplus during our audit period.
For this reason, we cannot determine if this problem is isolated to four organizations.

In addition, after discussions with the other nine organizations we audited, we found that these organizations were also at varying levels of proficiency in their surplus disposal process. A couple of these organizations did not have documented procedures. Several of them did not include a documented step in their procedure to verify that data was removed from hard drives.

We also learned that one organization that leases its computers returns them to leasing companies rather than sending them to surplus. We were not able to test any of these computers to determine if data was left on their hard drives. However, leaving confidential data on these computers is still a violation of state and federal laws, and state organizations should ensure that returned lease computers are free of data.

The state reacted swiftly to our audit findings

After we shared our audit test results with the state organizations and the OCIO, they reacted swiftly to address the problem. The OCIO immediately quarantined and halted the distribution and sale of surplus computers and plans to provide additional guidance to state organizations and also evaluate its end of life digital policies. Some organizations we identified as having confidential data on their computers are taking immediate steps to resolve the problems and are reviewing their procedures and processes:

1. The Department of Social and Health Services is considering options to standardize and centralize its data removal process and recognized that it could improve inventory control procedures to verify the number of computers as they move through the surplus process and to track hard drives that are removed.
2. The Department of Ecology has assigned an employee to examine every computer after it has been erased to ensure no data is left on the hard drive and is developing a new procedure with sufficient controls.
3. The Department of Labor & Industries recognized that its procedure was incomplete and staff did not have instructions for instances where they could not load the wiping software and is reassessing its process. The Department has revised its data removal processes, added a verification step to confirm completion, and will provide formal training to staff with these responsibilities.
4. The Department of Health acknowledged that its surplus process could be improved.

Chief Information Officer Michael Cockrill wrote in a letter to all agencies:
“The security risks arising from unintended exposure of state data are very real.”

Recommendations

In order to ensure state organizations comply with state requirements and follow best practices in properly removing confidential data stored in computers before they are released for surplus or destruction, we make the following recommendations:

In addition to the actions the OCIO has already taken, we recommend the OCIO:
• Engage state IT and security leaders to modernize the methods available to organizations to meet the OCIO Standards (hard drive destruction and recycling services)
• Revise the current version of the OCIO Security Standards Section 8.3 to:
    • Require state organizations to employ the NIST best practices, which would address OCIO Step 8.3.3 by replacing the word “ensure” with “verify”
    • Require proper documentation stating that data has been properly deleted from computer hard drives, or that hard drives have been properly destroyed

We also recommend the OCIO:
• Review the state organizations’ documented media handling and disposal procedures to ensure they meet the OCIO Standards Section 8.3
• Continue to halt the release of computers for organizations whenever the OCIO has reason to doubt their compliance with the OCIO Standards Section 8.3

Our recommendations for state organizations:

1. The following organizations establish documented procedures to ensure safe and secure disposal of sensitive and confidential information. The procedures should align with the OCIO Security Standards for computer handling and hard drive disposal:
• Department of Social and Health Services
• Department of Transportation
• State Parks and Recreation Commission
• State Senate

2. As a best practice, the following organizations should include in their procedures a step to verify and record that confidential data is appropriately removed from computer hard drives before releasing to surplus:
• Department of Ecology
• Department of Fish and Wildlife
• Department of Health
• Department of Labor & Industries
• Department of Natural Resources
• Department of Revenue
• Department of Social and Health Services
• Department of Transportation
• Office of the Insurance Commissioner
• State Parks and Recreation Commission
• State Senate

State Organizations Responses

STATE OF WASHINGTON

April 8, 2014

The Honorable Troy Kelley
Washington State Auditor
P.O. Box 40021
Olympia, WA 98504-0021

Dear Auditor Kelley:

We appreciate the opportunity to respond to the State Auditor’s Office (SAO) performance audit report on “Safe Data Disposal – Protecting Confidential Information.” The Office of Financial Management and the Office of the Chief Information Officer (OCIO) worked with the audited agencies to provide a consolidated response. Agencies governed by a separately elected official will respond separately.

The state is committed to protecting confidential data and eliminating or preventing security vulnerabilities. While the state acted quickly to resolve this issue, the SAO audit reflects the need to continually review each agency’s data removal processes. This audit is an excellent example of government working together to discover, scope and resolve a problem.

Information security is a responsibility shared by every organization and individual in state government.
The OCIO governs information technology policy and standards for the executive branch of state government — including security. In this vein, the OCIO is responsible for setting and maintaining security standards in a landscape of constant change. Agencies must adopt policies and procedures that follow these standards and must make sure those standards are working as intended. Agencies must also ensure that all data has been removed from any equipment leaving their custody.

The SAO identified vulnerabilities that will be addressed through changes in policies, procedures and actions. The audit findings include:

• Confidential data and other information on 11 of 177 computers from four agencies.
• Four agencies that did not have documented procedures.
• Ten agencies that did not follow best practices for verifying that data is erased or destroyed.

There have been no reports of personal information being compromised. When agencies investigated how a small number of computers containing confidential information were released to surplus, they found that, in most cases, human error was the cause. In some cases, the computer drives had been wiped, but not thoroughly. At two agencies, the practice was to remove the hard drives before sending computers to surplus, yet a few PCs were surplused with hard drives in place.

As the audit report highlights, the state took swift action when these vulnerabilities were identified. The OCIO immediately quarantined all state computers at the surplus store, halted sales, and provided additional guidance to state agencies.
Other actions already taken by the OCIO include:

• Assessing the security of the Department of Enterprise Services’ (DES’) warehouse and the Airway Heights correctional facility’s data removal process as part of the Computers 4 Kids program.
• Initiating a cross-agency task force to make more robust methods available to agencies to meet the data disposal standards identified in state IT security policy.

Additional agency actions are detailed in the attached official audit response action plan.

We agree that current procedures to ensure safe and secure disposal of all data should be well documented and align with the OCIO’s security standards. The agencies that are part of this joint response are in varying stages of documenting or modifying their data disposal procedures as outlined in the attached action plan.

While many of the 13 audited agencies were found to be in compliance with OCIO standards, we agree that all agencies should add a step to their procedures to verify that all confidential and other data is completely erased or destroyed prior to releasing the computer to surplus. The OCIO will revise the language in the Security Standard 8.3.3 to more clearly require that agencies verify that data has been erased or destroyed.

Although the performance audit did not address what happens to surplus computers after arriving at the DES warehouse, it is an important step of the process that has been reviewed by the OCIO. The majority of computers were donated by DES to the Computers 4 Kids program, which reconfigures surplus computers for use in Washington public schools. These computers are shipped to the Airway Heights correctional facility, where hard drives are removed in a secure facility and wiped by a state employee to U.S. Department of Defense standards.

Before the OCIO’s computer quarantine was lifted, DES put processes in place to ensure that all state computers are sent to the Computers 4 Kids program.
While this process offers a good safety net, it does not release agencies from their responsibility to verify computers are fully erased before leaving their custody.

We thank the SAO and the performance audit team for their work on this report. We share your belief that information security is a matter of utmost importance that requires continuous vigilance.

Sincerely,

David Schumacher
Director

Michael Cockrill
Chief Information Officer

cc:
Joby Shimomura, Chief of Staff, Office of the Governor
Kelly Wicker, Deputy Chief of Staff, Office of the Governor
Ted Sturdevant, Executive Director for Legislative Affairs, Office of the Governor
Tracy Guerin, Deputy Director, Office of Financial Management
Wendy Korthuis-Smith, Director, Results Washington, Office of the Governor
Tammy Firkins, Performance Audit Liaison, Results Washington, Office of the Governor
Maia Bellon, Director, Department of Ecology
John Wiesman, Secretary, Department of Health
Joel Sacks, Director, Department of Labor and Industries
Kevin Quigley, Secretary, Department of Social and Health Services
Lynn Peterson, Secretary, Department of Transportation
Chris Liu, Director, Department of Enterprise Services
Dale Peinecke, Commissioner, Employment Security Department
Don Hoch, Director, Washington State Parks and Recreation Commission
Phil Anderson, Director, Department of Fish and Wildlife
Carol Nelson, Director, Department of Revenue
Rob St. John, Director, Consolidated Technology Services
Agnes Kirk, Chief Security Officer, Consolidated Technology Services

OFFICIAL STATE CABINET AGENCY RESPONSE TO THE PERFORMANCE AUDIT ON SAFE DATA DISPOSAL – PROTECTING CONFIDENTIAL INFORMATION
APRIL 8, 2014

This coordinated management response to the State Auditor’s Office (SAO) performance audit report received March 24, 2014, is provided by the Office of Financial Management and the Office of the Chief Information Officer (OCIO) on behalf of the following audited agencies: the departments of Ecology, Enterprise Services, Employment Security, Fish and Wildlife, Health, Labor and Industries, Revenue, Social and Health Services, Transportation, and the State Parks and Recreation Commission. Agencies governed by a separately elected official will respond separately.

SAO Performance Audit Objectives:
1. Do state organizations remove confidential data stored in their data processing equipment before being released for surplus or destruction?
2. Do state organizations’ data processing disposal policies, procedures, and processes comply with state requirements and best practices?

SAO Issue 1: Computers released as surplus contained confidential data that should have been erased.

STATE RESPONSE

We agree with the SAO finding that 11 of the 177 computers sampled contained some residual confidential data and other information. These computers were sent to surplus by four agencies. Agencies typically send computers to surplus when they have reached the end of their useful life.

When the agencies investigated how these computers made it to surplus with confidential information, they found that human errors were the cause in most cases. In some cases, the computer drives were wiped, but not properly. We recognize these errors underscore the need for continually reviewing and strengthening erasing processes.

The state took immediate and appropriate corrective actions to resolve the issues.
Actions by state agencies include:

Ecology

The Department of Ecology took immediate actions to improve its safe data disposal process to ensure compliance with state requirements and best practices, including:

• Non-leased IT equipment is no longer sent to surplus with the hard drives installed.
   o When non-leased IT equipment is ready for surplus, hard drives are removed and inventoried with a two-person validation process. The drives are then secured in a locked container for monthly/quarterly destruction, which is witnessed by two staff.
• For leased laptop equipment, Ecology requires a two-person validation where devices are wiped clean of data before returning them to the vendor.
• A supervisor’s signature is required to validate that devices have been destroyed or wiped, depending on whether the equipment is owned or leased.
• Updating of security policies to make specific reference to safe data disposal policies and standards.

Health

The Department of Health immediately put into place a two-person verification and sign-off process to ensure all hard drives are removed from computers prior to the computers leaving department control. The agency also embarked on a quality improvement initiative to identify additional improvements it can make to its equipment surplus process.

Labor and Industries

The Department of Labor and Industries (L&I) began taking corrective actions as soon as the agency was made aware of the data disposal issue. The performance audit identified issues with a new L&I process used to surplus equipment. Under certain conditions, the data erase step did not completely remove data from the hard drive.

• Once L&I learned about this issue, the agency put an immediate hold on equipment headed for surplus. A technical team was assigned to investigate.
Using Lean methodologies, a successful, repeatable data-cleaning process has been reestablished.
• In February 2014, L&I added a verification step to its data disposal process. L&I’s surplus process is now in full compliance with the OCIO security standards and best practices. The successful removal of all data from computer equipment targeted for surplus is now officially documented and tracked in L&I’s inventory tracking system.
• L&I is confident this new data-cleaning process is efficient and that its surplused equipment will be thoroughly cleaned of all data.

Social and Health Services

The Department of Social and Health Services (DSHS) immediately instituted a process to prevent any machines from going to surplus without signed documentation that all data has been removed. This was communicated to various technology groups in DSHS. A more formal process to ensure safe data disposal has recently been communicated to the agency. It retains the requirement to document the destruction of all data on media, and the DSHS warehouse is instructed to refuse acceptance of any media without the appropriate destruction documentation. A Lean process is scheduled to develop a new disposal procedure that should result in a more streamlined process with even greater protection of data.

Additional Actions

The Department of Enterprise Services also began sending all surplus computers it receives from state agencies to the Computers for Kids (C4K) program, where hard drives are immediately removed and wiped to the U.S. Department of Defense standards by a state Department of Corrections employee at the Airway Heights correctional facility. The computers are then refurbished by inmates through the computer production program and given or sold at a sizable discount to Washington public schools. This program has been in existence since 1998, and has provided more than 75,000 computers to schools.
All data is securely wiped before computers enter this program, and no inmate is able to access hard drives or storage media before a computer has been securely wiped by a state employee.

Prior to the performance audit, most surplus computers processed by DES were sent to the C4K program and securely wiped. While this does not relieve agencies from their responsibility to remove all data from computers, it did provide an important safety net to ensure confidential data is completely removed from state computers.

Additional Information Found Non-Confidential

The report stated one operating system was still installed. That agency’s normal practice is to remove drives before sending computers to surplus; however, one computer made it through due to human error. The agency has added controls including documented verification of removal.

The report also identified that non-work related photos were found on one computer. That agency has already taken action to investigate the issue.

Discrepancy in counts from one agency

The SAO’s report identified some discrepancies in the number of computers from one agency at the DES surplus warehouse. According to DES surplus staff, discrepancies like this happen from time to time. When they do, surplus staff contact the agency and determine what happened.
In this case, the agency had not been contacted yet because surplus staff were required to freeze all activity while the audit was being conducted.

Action Steps and Time Frame
• (See OCIO’s actions under SAO’s recommendations 1-4 and 6)

SAO ISSUE 2: Organizations did not always comply with the OCIO’s requirements or employ best practices for disposing of computers.

SAO RECOMMENDATIONS 1-4 TO THE OCIO:
• Engage state IT and security leaders to modernize methods available to organizations to meet the OCIO Standards (hard drive destruction & recycling services)
• Revise the current version of the OCIO Security Standards 8.3 to:
   o require state organizations to employ NIST best practices, which would address OCIO step 8.3.3 by replacing the word “ensure” with “verify”
   o require proper documentation stating that data has been properly deleted from computer hard drives, or that hard drives have been properly destroyed
• Review the state organizations’ documented media handling and disposal procedures to ensure they meet the OCIO Standards Section 8.3.
• Continue to halt the release of end-of-life digital media storage devices for organizations wherever the OCIO has reason to doubt their compliance with the OCIO Standards Section 8.3.

STATE RESPONSE

The state is committed to protecting confidential data and eliminating and preventing security vulnerabilities. As the SAO highlighted in the audit report, the OCIO immediately quarantined all state computers at the surplus store, halted sales, and provided additional guidance to state agencies. While the state acted quickly to resolve this particular issue, the SAO report reflects the need to continually review each agency’s data removal processes.
We agree that the state must always work to keep security standards up to date in the ever-evolving cybersecurity landscape.

In addition to the actions mentioned in the performance audit report, the OCIO:
• Conducted an immediate evaluation of IT security standards involving data removal, concluding that proper standards were in place but agencies were not consistently meeting them. The additional guidance for meeting standards was the result of this evaluation.
• Conducted a security assessment of the DES warehouse.
• Conducted a security assessment of the data removal process administered as part of the C4K program.
• Formed a cross-agency task force to make recommendations for updating state data destruction policy, including the promotion of additional methods of meeting OCIO standards such as through physical destruction.

Action Steps and Time Frame
• Complete cross-agency task force work, resulting in more robust methods for agencies to meet the data disposal standards identified in state IT security policy. By April 30, 2014.
• Strengthen IT security standards, including the addition of a verification step to ensure that the data has been destroyed. By April 30, 2014.
• Work with DES and agencies to update surplus procedures as an additional safeguard. By May 30, 2014.
• Update data-wiping procedures and tools available to agencies. By May 30, 2014.
• Review each state agency’s documented data handling and removal processes. By June 30, 2014.

SAO Recommendation 5: The Departments of Social and Health Services (DSHS), Transportation (WSDOT) and State Parks and Recreation Commission (Parks) should establish documented procedures to ensure safe and secure disposal of sensitive and confidential information. The procedures should align with the OCIO Security Standards for computer handling and hard drive disposal.

STATE RESPONSE

We agree that our current procedures to ensure safe and secure disposal of all data should be well documented and align with the OCIO’s security standards.
The three agencies contributing to this response are in various stages of documenting or modifying their data disposal procedures.

Action Steps and Time Frame
• DSHS: Institute a process to document that data was destroyed or removed across all program areas. Complete.
• DSHS: Issue a technical bulletin to all program areas to institute a process to document safe data disposal and prevent surplus of any machines with data. Complete.
• DSHS: Complete a Lean process to improve all aspects of surplus, including data destruction/disposal. By December 31, 2014.
• DSHS: Finalize safe data disposal procedures. By December 31, 2014.
• WSDOT: Prior to the audit, WSDOT purchased a hard drive shredder. After making related electrical system improvements in its facility, WSDOT began operating the shredder in November 2013. WSDOT now shreds all hard drives. Complete
• WSDOT: Update procedures for safe data disposal to align with OCIO standards. By June 30, 2014.
• Parks: Document safe data disposal procedures. By April 18, 2014.

SAO Recommendation 6: As a best practice, the Departments of Ecology, Fish and Wildlife, Health, Labor and Industries, Revenue, Social and Health Services, Transportation and State Parks and Recreation Commission should include in their procedures a step to verify and record that confidential data is appropriately removed from computer hard drives before releasing to surplus.

STATE RESPONSE

While many of these agencies were found to be in compliance with OCIO standards at the time of the performance audit, we agree that all agencies should have practices and procedures for verifying that all confidential and other data is completely erased or destroyed prior to release for surplus.
The OCIO will make this more clearly required for all state agencies in its standards and will work with them to update their procedures appropriately.

Action Steps and Time Frame
• The OCIO will work with all state agencies/organizations to require them to include a verification step in their data disposal procedures. By May 30, 2014.

STATE OF WASHINGTON
Phone: (360) 725-7000
MIKE KREIDLER
STATE INSURANCE COMMISSIONER
OFFICE OF INSURANCE COMMISSIONER

April 3, 2014

Chuck Pfeil, Director of Performance Audit
Washington State Auditor’s Office
PO Box 40021
Olympia, WA 98504-0021

Dear Mr. Pfeil:

This letter serves as the Office of Insurance Commissioner's (OIC) formal written response to the Safe Data Disposal Performance Audit. The OIC appreciates the opportunity to review and respond to your recent performance audit on Safe Data Disposal.

I am pleased to see that the sample audit findings did not indicate the OIC had released surplus equipment containing confidential data. In addition, based on guidance from the state Office of the Chief Information Officer and industry trends, over the past year the OIC has adopted thin client technology for our user base. Through this effort, we have already removed the vast majority of OIC desktop computers, replacing them with thin client units. As such, we have very few personal computers on desktops, further mitigating any risk of an inadvertent release of confidential data.

The OIC will continue to surplus any remaining personal computers following our procedures, which comply with guidelines provided by the state Office of the CIO. Further, we will document our existing verification step, ensuring it is clear that we have removed data appropriately from the hard drives.

Sincerely,

es T. Odiorne, CPA, JD
Chief Deputy Insurance Commissioner

Mailing Address: P. O. Box 40255 - Olympia, WA 98504-0255
Street Address: 5000 Capitol Blvd. - Tumwater,
WA 98501

Appendix A: Initiative 900

Initiative 900, approved by Washington voters in 2005 and enacted into state law in 2006, authorized the State Auditor’s Office to conduct independent, comprehensive performance audits of state and local governments.

Specifically, the law directs the Auditor’s Office to “review and analyze the economy, efficiency, and effectiveness of the policies, management, fiscal affairs, and operations of state and local governments, agencies, programs, and accounts.” Performance audits are to be conducted according to U.S. General Accountability Office government auditing standards.

In addition, the law identifies nine elements that are to be considered within the scope of each performance audit. The State Auditor’s Office evaluates the relevance of all nine elements to each audit. The table below indicates which elements are addressed in the audit. Specific issues are discussed in the Results and Recommendations section of this report.

| I-900 element | Addressed in the audit |
|---|---|
| 1. Identification of cost savings | No. The audit did not identify cost savings |
| 2. Identification of services that can be reduced or eliminated | No. The audit did not address services that could be reduced or eliminated. |
| 3. Identification of programs or services that can be transferred to the private sector | No. The audit did not assess whether sanitizing or destruction of hard drives could be transferred to the private sector. |
| 4. Analysis of gaps or overlaps in programs or services and recommendations to correct gaps or overlaps | Yes. We performed fieldwork at agencies where we discovered protected data on their surplus PC and/or laptop hard drives during Objective 1 fieldwork. We discovered that the OCIO 141.10 Security Standard does not give enough direction to agencies on necessary procedures to ensure they meet the state's data disposal requirements. |
| 5. Feasibility of pooling information technology systems within the department | No. The audit did not address pooling of information technology systems. |
| 6. Analysis of the roles and functions of the department, and recommendations to change or eliminate departmental roles or functions | Yes. We analyzed how state organizations managed their surplus computer materials and recommended improvements to their data disposal processes. |
| 7. Recommendations for statutory or regulatory changes that may be necessary for the department to properly carry out its functions | Yes. The audit report does recommend that the OCIO 141.10 Standard be revised to give entities more clear direction on safeguarding data when sending hard drives to surplus. |
| 8. Analysis of departmental performance, data performance measures, and self-assessment systems | No. The audit did not address the agency’s performance measures and self-assessment systems. |
| 9. Identification of best practices | Yes. The National Institute of Standards and Technology (NIST) Special Publication 800-88 - Guidelines for Media Sanitation. |

Appendix B: OCIO Best Practice Guidance

On February 12, 2014, the State Chief Information Officer, Michael Cockrill, sent an email to the Chief Information Officers of our state organizations with the following message and information on media handling best practices.

“The Office of the CIO (OCIO) has been working with the Washington State Auditor regarding an in-progress audit that has exposed a need for us to refocus on how we handle the deletion of data from end-of-life PCs and electronic devices.

To ensure state data does not fall into the wrong hands, we have a responsibility to guarantee that all state data is removed from PCs and other electronic devices before they are disposed. The security risks arising from unintended exposure of state data are very real.
For this reason, I ask that you make the deletion of data from PCs and other electronic devices prior to disposal a priority in your agency.

The requirements for securely deposing data from media can be found in Section 8.3 of the OCIO Security Standards. This section provides information on how media is to be sanitized and references guidelines to be used to ensure data is securely deleted.

In addition to our existing standards, today I am announcing that the OCIO is now providing information on best practices for data disposal and locations where free tools can be found to satisfy the requirements. These can be found on the OCIO website in the document Media Handling and Data Disposal Best Practices.

As the cyber security threat landscape continues to evolve, it is necessary to employ new, modern measures to protect our data assets from unauthorized exposure as well. During the next monthly CIO meeting, I will ask for volunteers from the CIO community to help us modernize our approach to deleting data from end-of-life devices, elevating hard drive destruction and recycling as a preferred option for agencies.

Thank you in advance for bringing this important matter to the attention of your staff and your cooperation in making sure that sensitive state information remains secure.”

Michael Cockrill
Chief Information Officer

OCIO’s Media Handling and Data Disposal Best Practices Information

The rest of this section is information the CIO included in the February 12, 2014 email to state organizations:

Agencies must establish formal, documented media disposal procedures. Documented procedures are critical, as they help ensure that effective processes are consistently applied, regardless of staffing changes or turnover.

While the OCIO IT Security Standards provide some latitude on how the requirements in Section 8.3, Media Handling and Disposal, can be met, there are many best practices that agencies can adopt to ensure they are protected from unauthorized access to agency data.
In addition, agencies should be mindful of the data retention requirements for any data contained on storage media to be disposed.

Maintain secure control and custody of media to be disposed
• Media to be disposed must stay within the control of the agency from the time it is collected to the time it is sanitized.
• Pick-up/Transit – Storage media to be disposed should be collected by, and be in the constant possession of, dedicated, trusted personnel
• Media should be maintained in a secure, locked area until it can be sanitized

Render all data on the media unusable

When files are deleted from a computer, emptied from the Recycle Bin, or even removed by reformatting, the data can be easily recovered using commonly available tools if it is not overwritten.
• Don’t delete the data – destroy it
• All data should be rendered unusable using special software designed for this purpose (See examples at bottom of page)
• Meets the requirements of Section 8.3 of the OCIO IT Security Standards

Physical destruction is an option
• Agencies may physically destroy the media itself rather than sanitize the media
• This typically takes the form of shredding or pulverization, ensuring the media can never be used again.
• Any media that cannot be sanitized through the use of software tools must be physically destroyed.

Private companies are available to perform this service, and agencies must be sure that they can maintain control of the media from the time it leaves the agency until the time it is actually destroyed. When pursuing this
When pursuing thisoption, agencies should consider those companies that dispose or recycle these materials in an environmentallyresponsible way.Keep Detailed RecordsAgencies should maintain records that document all media disposal activities, as this can provide agencies with themeans of confirming that specific media was disposed of properly if it is later called into question.Records for disposed media should include:• Information about the media (type, serial number, other unique identifiers)• The date the media was sanitized• The person performing the activity• The method used to render all data unusable (e.g. software tool used or physical destruction of the media)• The signature of the person responsible for ensuring that all data on the storage media has been renderedunusable.Provide evidence of disposalIn addition to keeping records, it is a good idea to identify media that has been sanitized. This can include:• Affi xing a sticker or a document to the device or CPU indicating that the data sanitation process wascompleted. 
This helps agencies easily identify and segregate machines internally, and lets others, such as DES Surplus, know that the media has been wiped and can be made available for use by others.

The National Institute of Standards and Technology (NIST) 800-88 “Guidelines for Media Sanitation”

The OCIO Security Standards Section 8.3 references The National Institute of Standards and Technology (NIST) 800-88 “Guidelines for Media Sanitation” as a best practice which in Section 4, page 12 and Sections 4.7 and 4.8, page 15 (see excerpts below) recommends that processes used by organizations to remove confidential data should include a documented verification step to ensure confidential data and/or hard drives have been removed from computers before they are sent to surplus.

See also NIST website: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf

NIST 800-88 - Section 4, Page 12:

Information Sanitation and Disposition Decision Making

Organizations can use Figure 4-1 with the descriptions in this section to assist them in making sanitization decisions that are commensurate with the security categorization of the confidentiality of information contained on their media. The decision process is based on the confidentiality of the information, not the type of media. Once organizations decide what type of sanitization is best for their individual case, then the media type will influence the technique used to achieve this sanitization goal.

Exhibit A: An example of data disposal decision flow from the NIST guidance

Figure 4-1. Sanitization and Disposition Decision Flow

NIST 800-88 - Sections 4.7 and 4.8, Page 15:

4.7 Verify Methods

Verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality. A representative sampling of media should be tested for proper sanitization to assure the organization that proper protection is maintained.
Verification of the process should be conducted by personnel without a stake in any part of the process.

4.7.1 Verification of Equipment

Verification of the sanitization process is not the only assurance required by the organization. If the organization is using sanitization tools (e.g., a degausser), then equipment calibration, as well as equipment testing, and scheduled maintenance, is also required.

4.7.2 Verification of Personnel Competencies

Another key element is the potential training needs and current expertise of personnel conducting the sanitization. Organizations should ensure that equipment operators are competent to perform sanitization functions.

4.8 Documentation

It is critical that an organization maintain a record of its sanitization to document what media were sanitized, when, how they were sanitized, and the final disposition of the media. Often when an organization is suspected of losing control of its information, it is because of inadequate record keeping of media sanitization. Organizations should ensure that property management officials are included in documenting the media sanitization process in order to establish proper accountability of equipment and inventory control.

Organizations should conduct sensible documentation activities for media containing low security category information.
These are generally considered a consumable or perishable item by property management.Safe Data Disposal :: Appendix B | 28Appendix C: Free Data Erasure SoftwareOn February 12, 2014, the State Chief Information Officer, Michael Cockrill, gave state organizations the followinglist of free software utilities that can be used to meet the Office of the CIO’s IT Security Standards data and mediadisposal requirements:DBAN (Darik’s Boot and Nuke) - http://www.dban.org/• Data Sanitization Methods: DoD 5220.22-M, RCMP TSSIT OPS-II, Gutmann, Random Data, Write ZeroEraser Portable - http://portableapps.com/apps/security/eraser-portable• Data Sanitization Methods: DoD 5220.22-M, AFSSI-5020, AR 380-19, RCMP TSSIT OPS-II, HMG IS5,VSITR, GOST R 50739-95, Gutmann, Schneier, Random DataMicrosoft’s SDelete - http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx• Data Sanitization Methods: DoD 5220.22-M, Gutmann, Random DataFreeraser - http://download.cnet.com/Freeraser/3000-2144_4-10909403.html• Data Sanitization Methods: DoD 5220.22-M, Gutmann, Random DataSafe Data Disposal :: Appendix C | 29Appendix D: Statistical Sampling ResultsDuring our six-week review period, 1,215 computers were sent to the state surplus program.We developed a stratified random sample to test about 30 computers during each week. Basedon the data we reviewed, our estimate is that 109 of the 1,215 computers contained confidentialdata. 
See the table below for information on our weekly reviews during the sample period.Stratified statistical sample results of computers sent to the surplus programComputers sent fordisposalComputers inour sampleComputers withconfidential dataWeek 1535315Week 2253291Week 348303Week 4100271Week 597260Week 61823411,21517711Time periodTotalSource: State Auditor’s Office analysis.The table below shows our overall estimate for computers containing confidential data duringour six week testing period, as well as the lower and upper limits.Estimates of computers with confidential data during the sample periodPercent of computersNumber of computersEstimate9%109Lower limit3%38Upper limit15%180Source: State Auditor’s Office analysis based on a 90% confidence level.Safe Data Disposal :: Appendix D | 30
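The point estimate in Appendix D can be reproduced from the weekly table with a standard stratified estimator. The following is an added example, not the State Auditor's Office's own calculation. The report does not state how its lower and upper limits were computed, so the interval below assumes a textbook stratified variance with finite population correction and a normal approximation, and its bounds are not the report's.

```python
import math

# Weekly strata from the Appendix D table:
# (stratum, computers sent N_h, computers sampled n_h, found with confidential data x_h)
STRATA = [
    ("Week 1", 535, 31, 5),
    ("Week 2", 253, 29, 1),
    ("Week 3", 48, 30, 3),
    ("Week 4", 100, 27, 1),
    ("Week 5", 97, 26, 0),
    ("Week 6", 182, 34, 1),
]

Z_90 = 1.645  # two-sided 90% normal quantile (assumed method, see lead-in)


def stratified_estimate(strata, z=Z_90):
    """Estimate how many machines in the whole population hold confidential data."""
    population = sum(N for _, N, _, _ in strata)
    total = 0.0
    variance = 0.0
    for name, N, n, x in strata:
        if not 0 < n <= N or not 0 <= x <= n:
            raise ValueError(f"inconsistent counts in stratum {name}")
        p = x / n                      # failure rate observed in this stratum
        total += N * p                 # scale the rate up to the stratum size
        if n > 1:
            fpc = 1 - n / N            # finite population correction
            variance += N ** 2 * fpc * p * (1 - p) / (n - 1)
    margin = z * math.sqrt(variance)
    return {
        "population": population,
        "estimate": total,
        "share": total / population,
        "lower": max(0.0, total - margin),
        "upper": min(float(population), total + margin),
    }


if __name__ == "__main__":
    r = stratified_estimate(STRATA)
    print(f"estimate: {r['estimate']:.1f} of {r['population']} ({r['share']:.1%})")
    print(f"assumed-method 90% interval: {r['lower']:.1f} to {r['upper']:.1f}")
```

Note that a stratum with zero findings (Week 5) contributes nothing to either the estimate or the variance under this method, which understates uncertainty for that week.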