[Faccus] [Sec-wg] Hard drive degausser

Jason Testart jatestart at uwaterloo.ca
Tue Jan 31 12:17:51 EST 2012


This sounds like a good issue to raise at CTSC and/or UCIST.

There are many scenarios where I believe it's OK to just send back a
failed drive (unencrypted) for warranty.
Situations include:

  - A disk for a server hosting public information.
  - A managed workstation where user data is stored on central storage.
  - A disk containing research information where the information is not
"Restricted". In this case, you can explain the risks to the researcher
and let the researcher decide, since it's their data.

For workstations/laptops containing Restricted information - those need to
be encrypted. The recent UVic experience has taught us that.

The tricky scenario, in my view, is shared storage that is typically
"enterprise" grade.  Storage in secure server rooms containing data of
mixed security classifications.  I think there needs to be some kind of
risk analysis there that needs to be considered and evaluated by
CTSC/UCIST.

jt 

-- 
Jason Testart, BMath, CISSP
Director, Information Security Services
Information Systems & Technology
University of Waterloo
Waterloo, Ontario CANADA
+1-519-888-4567 x38393




On 12-01-31 11:44 AM, "Robyn Landers" <rblander at mfcf.math.uwaterloo.ca>
wrote:

>> Otherwise, from what we are seeing, kiss your warranty coverage
>> goodbye.   If you can't wipe the drive through software and if
>> degaussing voids your warranty, you have no redress.  If you do not
>> have your Policy 8 "Confidential" data encrypted on the drive using
>> whole disk encryption, your options appear limited-- the drives must be
>> securely destroyed[2].
>
>
>So now I have to tell researchers that they will not be allowed
>to use the hardware maintenance contracts they buy for their
>RAID arrays to cover disk failures, they have to buy new disks.
>Who is going to pay for those?
>
>And internally we will not be allowed to use our hardware maintenance
>contracts with NetApp to replace failed drives, we'll have to buy
>new ones.   Who's going to pay for those?
>
>
>Robyn



