It’s safe to assume you have quality assurance processes in place for the major aspects of your IT, whether it’s for software development, or network or system deployment. But do you have a specific QA check in place when it comes to your data erasure process? Are you actively checking to make sure that the wiping of your drives has been completely successful? Even if just a little bit of data is left on a drive it is considered a breach.
Just think – any process that requires people to complete multiple steps has opportunity for errors or missed steps. If more than one person does it, or it doesn’t get done as a regular part of someone’s job, the risk of error is higher. If you don’t have a dedicated bench and technology you can use for all your devices, you are much more likely to run into quality issues.
So what could cause a hard drive wipe to not be completed properly (i.e. fail a QA test)? There could have been an unknown virus on the drive, physical damage to the disk or drive head, a tech could have hit the wrong button while running the erasure software, or the hard drive might not have been installed/seated properly in the device in the first place – ultimately many things could cause potential issues, and not all of them are obvious.
A data erasure quality assurance check process should help you avoid (or spot) these issues by working through your hardware in batches and running forensic QA checks as you go.
A good quality check should include a forensic check that physically verifies the information and data collected up to that point in the process. This is typically done by checking a sample of 5-10% of the material to confirm it is accurate and is being processed properly.
The forensics QA should be done during processing (as you go), not after you have processed many units. The idea here is to avoid the risk of putting material that hasn’t been sanitized properly into your “completed” stack and then having to go back and pull that entire collection of devices to recheck and re-wipe. Keep a log of the devices that have been wiped and then rechecked for QA.
If your QA sample is 10%, then every time you erase 10 drives, you should do a forensics check on one of them. If it fails, you re-wipe all 10, then do the forensics check on all 10. If any of them fail this second check, they should all be destroyed because it’s likely they cannot be completely erased for some reason.
Keeping groups/batches small minimizes the chance of destroying perfectly good drives (and losing value). If you wait until you have processed 100 units to do the QA check, you then would need to go back and re-wipe and forensics check all 100 – assuming you are adhering to that policy. If quite a few of your batches are failing, know you need to stop and review/reassess your process and technology.
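The batch rule and QA log described above can be expressed as a short decision routine. This is an added example, not code from the original article; `qa_batch`, `make_bench`, the `wipe` and `forensic_check` hooks, and the serial numbers are all hypothetical or constructed for illustration.

```python
import math
import random

def qa_batch(serials, wipe, forensic_check, sample_rate=0.10, rng=random):
    """Apply the batch QA rule to drives that have already been wiped once.
    wipe(serial) and forensic_check(serial) -> bool are hypothetical hooks
    for the erasure tool and the separate verification tool.
    Returns (outcome, log) where outcome is "release" or "destroy".
    """
    if not serials:
        raise ValueError("empty batch")
    log = []

    def check(serial, stage):
        clean = forensic_check(serial)
        log.append({"serial": serial, "stage": stage, "clean": clean})
        return clean

    # Always sample at least one drive, even from a short batch.
    n = max(1, math.ceil(round(len(serials) * sample_rate, 9)))
    sampled = rng.sample(serials, n)
    if all([check(s, "sample") for s in sampled]):
        return "release", log

    # A sampled drive failed: re-wipe the whole batch, then check every drive.
    for s in serials:
        wipe(s)
        log.append({"serial": s, "stage": "re-wipe", "clean": None})
    rechecked = [check(s, "full-recheck") for s in serials]
    # Any failure after the second wipe condemns the entire batch.
    return ("release" if all(rechecked) else "destroy"), log

def make_bench(dirty, unwipeable=()):
    """Constructed stand-in for real tools: tracks serials still holding data."""
    residue = set(dirty)
    def wipe(serial):
        if serial not in unwipeable:
            residue.discard(serial)
    def forensic_check(serial):
        return serial not in residue
    return wipe, forensic_check

if __name__ == "__main__":
    batch = [f"SN{i:03d}" for i in range(10)]  # constructed serial numbers
    for dirty, stuck in ([], ()), (batch, ()), (batch, ("SN004",)):
        outcome, log = qa_batch(batch, *make_bench(dirty, stuck))
        print(outcome, len(log), "log entries")
```

The returned log records every sample check, re-wipe and full recheck per serial number, which is the record the QA process should keep for each batch.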
It’s also important to note that the software tool you use to run these checks should be separate from the tool you’re using for the erasure, and it should run on a separate LAN (if you are using a LAN/network based tool).
As far as “how much” to check, 5% is the minimum you should be sampling. NAID requires certified vendors to sample check no less than 5% of hard drives wiped, and the e-Stewards standard requires similar forensic checking. However, if you are making a process or software change to the data erasure process, we strongly suggest you increase your sample size to 20% for a short time to ensure the new procedure is effective.
If data erasure quality assurance isn’t something you want to be responsible for in-house, you can seek out a NAID AAA certified outside partner that delivers the standard of data protection you need (NIST 800-88, DoD 5220-M). A certified vendor should be able to walk you through and demonstrate their QA procedures that ensure your data is wiped completely and you do not risk any sort of data breach.