NIH Disk Sanitization Procedures

1.0 Identification Data
1.1 BSP Number
00018
1.2 BSP Title/Name

NIH Disk Sanitization Procedures

1.3 Version Number
1.0
1.4 Adoption Date
June 1, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
National Institutes of Health (NIH), Center for Information Technology (CIT), Information Security and Awareness Office (ISAO)
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
  • BSP Security Process Framework (SPF): Section 2.6.3.5, Security Program Management, Sanitize Storage Media.
  • Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST SP 800-14), par. 3.7.2: Sanitize Storage Media
1.9 Reserved
1.10 Points of Contact

Government BSP Owner:
Yes, post this contact information with the publicly accessible BSP.

  • Kevin Haney, CISSP
    6100 Executive Blvd., Suite 2B03, MSC 7505
    Bethesda, MD 20892-7505
    Telephone: 301-402-1812
    Fax: 301-402-4464
    E-mail: haneyk@mail.nih.gov


Secondary POC:

  • W. Ron Hess, CISSP, CDP
    Information Security and Awareness Office (ISAO)
    6100 Executive Blvd., Suite 2B03, MSC 7505
    Bethesda, MD 20892-7505
    Telephone: 301-402-4443
    Fax: 301-402-4464
    E-mail: rh96b@nih.gov
2.0 What This BSP Does
2.1 BSP's Purpose
This BSP describes the procedure used throughout the NIH to sanitize data storage media. The NIH is one of eight health agencies of the U.S. Department of Health and Human Services. Comprising 27 separate components, mainly Institutes and Centers, NIH has 75 buildings on more than 300 acres in Bethesda, MD. From a total of about $300 in 1887, the NIH budget has grown to more than $20.3 billion in 2001.
2.2 Requirements for this BSP
  • NIH Sanitization Policy states in part, "Before any NIH-owned or managed hard disk or system containing a hard disk is transferred, surplused, or donated, it must be sanitized by reformatting the hard drive in a secure manner or by using an approved wipeout utility."
3.0 What This BSP Is
3.1 Description of BSP
This practice and other NIH security information are available at http://www.cit.nih.gov/security.html.
There are several options for sanitizing hard disks and portable media prior to disposal or reuse. This BSP describes processes for sanitizing a workstation's hard disk that may contain data which must not be exposed to public view. These processes will also sanitize secondary bulk storage media.
3.1.1 Inputs
3.1.2 Process

Hard Disks

  • NIH personnel should contact the Scientific Equipment and Instrumentation Branch (SEIB) at 301 496-4131. This is a fee-for-service.
  • Responsible Administrative Units can sanitize their own hard disks using the following steps:
    Note: This process will erase everything on the disk, including the operating system and all application programs. It will be necessary to reinstall the operating system to return the workstation to normal operation.

    1. Intel-based systems (Windows)
    • Remove all boot-up and BIOS passwords.
    • Download the BCWIPE utility (a commercial utility site licensed by NIH) to a bootable floppy disk.
    • Reboot the system from the floppy drive containing BCWIPE, and follow instructions on the screen.
    • Reformat the system and load a bootable operating system (i.e., DOS or Windows) to ensure that the system is useable before being surplused.
    • Do not add boot-up and BIOS passwords.


    2. Macintosh systems

    • Remove boot-up passwords.
    • Boot from a floppy disc or CD-ROM with a good System Folder and Drive Setup on it. (Put the CD-ROM in, and press the C key right after the computer starts to boot from the CD-ROM.)
    • Run Drive Setup (stored in the Utilities folder).
    • Select the hard drive to be sanitized.
    • Go to the menu bar and select Functions: Initialization Options.
    • Select Low Level Format and Zero All Data; click OK.
    • Click Initialize...
    • A message will ask you to verify that you really want to erase everything on the drive. Click OK.

After the procedure is finished, you can install another OS on the workstation by starting from an install CD and installing the system. Mac OS 7.5.5 will install on most Macintoshes, and Apple gives it away free, so it is a good choice.
NIH personnel who do not have access to the necessary Macintosh CD-ROMs or system diskettes can call the CIT Technical Assistance and Support Center (TASC).

3. UNIX systems

  • Remove boot-up passwords.
  • Wipe the system of all information and reload the operating system. See Section 1, above.
  • Do not add boot-up passwords.
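
One way to check a zero-fill wipe (such as the Macintosh "Zero All Data" step above) before the certification is signed is to read the disk back and confirm that every byte is zero. The following is an added example, not part of the NIH procedure or of any tool named in it; the function names are hypothetical, the sample images are constructed in memory, and the check does not apply to wipes that finish with a non-zero pattern.

```python
import io

CHUNK = 1024 * 1024  # scan in 1 MiB reads


def scan_for_residue(stream, chunk_size=CHUNK):
    """Scan a binary stream; return (first_nonzero_offset or None, bytes_scanned)."""
    scanned = 0
    while True:
        block = stream.read(chunk_size)
        if not block:                      # end of device or image
            return None, scanned
        rest = block.lstrip(b"\x00")       # empty when the block is all zeros
        if rest:
            return scanned + len(block) - len(rest), scanned + len(block)
        scanned += len(block)


def verify_zeroed(stream, expected_size):
    """Return a verdict string that can be attached to a certification record."""
    first, scanned = scan_for_residue(stream)
    if first is not None:
        return f"FAIL: non-zero byte at offset {first}"
    if scanned != expected_size:
        # A short read means part of the disk was never checked.
        return f"INCOMPLETE: scanned {scanned} of {expected_size} bytes"
    return f"PASS: {scanned} bytes, all zero"


# Constructed sample images standing in for a raw device or image file.
SIZE = 3 * CHUNK + 10
clean_image = io.BytesIO(bytes(SIZE))
dirty = bytearray(SIZE)
dirty[2 * CHUNK + 5:2 * CHUNK + 9] = b"DATA"   # leftover data deep in the disk
dirty_image = io.BytesIO(bytes(dirty))

if __name__ == "__main__":
    print(verify_zeroed(clean_image, SIZE))
    print(verify_zeroed(dirty_image, SIZE))
    print(verify_zeroed(io.BytesIO(bytes(CHUNK)), SIZE))  # truncated read
```

For a real disk, pass a stream opened in binary mode on the raw device together with the capacity the drive reports; reading a raw device normally requires administrator privileges.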

Portable Media
Portable media (diskettes, tapes, CD-ROMs) may be destroyed by crushing, incinerating, shredding, or melting. If they are to be reused, portable media must be erased using a secure erasure program like Norton Utilities WIPEINFO before being issued to other parties. Programs other than WIPEINFO must be approved by the NIH Senior Information Systems Security Officer before being used.

Sanitization Certification Forms
The local Information System Security Officers (ISSOs) or their designee must sign a certification that the equipment has been properly sanitized before it can be surplused, transferred, or donated. The ISSOs should save copies of all certification statements.

3.1.3 Outputs
  • Sanitized hard disks and portable media
  • Signed Sanitization Certification Forms
3.2 Relationship to Other BSPs
BSP 00017, Remove All Data from Workstations & Servers for USAID

4.0 How To Use This BSP
4.1 Implementation Guidance
Please note that if the system is non-operational or cannot be booted up, the hard disk must be crushed, drilled, degaussed, or incinerated.
4.2 Implementation Resource Estimates
None available.
4.3 Performance Goals and Indicators (Metrics)
None available.
4.4 Tools
  • BCWipe utility for Windows 95/98/ME/NT/2000 and Linux
  • WIPEINFO utility included with Norton Utilities 4.0
4.5 Training Materials
  • Copy of NIH Sanitization Policy.
  • Copy of Disk Sanitization Information.
Appendices
A Executive Overview and Briefing
None available
B Reference List
None at this time
C Procurement Information
  • The BCWipe utility for Windows 95/98/ME/NT/2000 and Linux is offered by Jetico, Inc. BCWipe supports the corresponding U.S. Department of Defense recommendations (DoD 5200.28-STD).
  • WIPEINFO utility is included with Norton Utilities 4.0 from Symantec.
D Evaluation Information
None available.
E Recommended Changes
None available.
F Glossary
None available.