Amendments to proposal

As we have now confirmed that the contract with CCL specifically includes the requirement for them to safely dispose of disks, we are now in a position to amend and simplify our proposed policy.

  • We can expect CCL to safely dispose of disks, so there is no longer a need to routinely remove disks from desktop machines.
  • We should, however, wipe disks where we consider the data to be sensitive as a precaution prior to sending the disks to CCL, e.g. Admin staff desktops and most servers.
  • We should wipe any DICE desktop that is being reallocated as a self-managed machine.
  • Self-managed desktops being reallocated to another user for use as a self-managed desktop should have their disk wiped.
  • For self-managed desktops being reallocated as a DICE desktop, a re-install will suffice.
  • For self-managed servers being reallocated, a re-install should suffice.
  • For DICE servers being re-allocated to another Unit, a decision should be made at the time as to whether a re-install is sufficient.

We do, however, need to make sure that there is adequate auditability. We'll need to ensure that we receive some form of confirmation from CCL so that we can confirm that the machines that have been sent for disposal have been correctly dealt with. We do not appear to receive such confirmation at the moment.

The text below has been kept for comparison for now. The table at the bottom of the page has been updated.

Proposals for recycling disks

Update following Operational Meeting of 250712
  • After a general discussion at the meeting, it was decided that all disks will be removed and stored pending the result of the court case.

For DICE servers:

  • The Unit managing the server should be responsible for ensuring that all disks are wiped before disposal. This doesn't necessarily imply that the Unit has to do the wiping - support can do this if necessary - but it's the Unit's responsibility to ensure that it happens.

  • If machines are going for disposal, would it not be simpler to wipe the disk as part of the decommissioning process? Once the machine is disconnected it is much more difficult to wipe the disks.
  • I'd say the unit should do it themselves.
  • What happens with servers which are part of a hand-me-down chain? Should the original Unit assume that the new Unit will do enough? Or should paranoia prevail? What happens if the chain is changed between turn-off and handover?

For self-managed servers:

  • Support should check that the user has taken a copy/removed all the data that they require prior to disposal and then all disks should be wiped. It's unlikely that these machines will be reallocated but should this happen, the disks should be wiped. If the machine is being changed to a DICE machine, a reinstall is sufficient.

For MDP admin desktops:

  • Support should ensure that any disk from a Windows Managed desktop is wiped prior to disposal. If the machine is being reallocated as a self-managed machine, the disk should also be wiped. If the machine is being reallocated as a DICE machine, a re-install is sufficient.

For DICE staff/PhD desktops:

  • Prior to disposal, support should check with the user that they have removed all the data that they require from the hard disk. If there has been local user data, the disk should be wiped. If not, there is no need to wipe it? If the machine is being reallocated as a self-managed machine, the disk should be wiped. If the machine is being reallocated as a DICE machine, a re-install is sufficient. (Or, if there has been local data, should we also wipe the disk?)

  • What if it had been a self-managed server in a previous life? All these rules are rather tending towards a "just wipe" approach being the only safe one.

For self-managed desktops:

  • As we cannot be sure what data is on a self-managed machine, support should wipe all disks prior to disposal. (Or, should we ask the user what data has been held/what the machine has been used for and then make a decision based on the answer?) Support should also check with the user that they have removed all the data they require. If reallocating as a self-managed machine, disks should be wiped. If reallocating as a DICE desktop, a re-install is sufficient.

  • I'd suggest that it wouldn't be safe to rely on "the user", who might have inherited the machine from someone who has since left.

For lab desktops:

  • We should not need to wipe the disks prior to disposal but should do so if the machine is being reallocated as a self-managed machine.

General Responses

* Clarity is essential; and whatever we do decide should be documented somewhere that's easy to find.

* It would be easier I think to have a simple set of criteria which, if ALL met, certify a drive as safe to dispose without wiping. Adding any uncertainty to the process will allow data to leak out.

* The only thing unanswered is what to do with unreadable (i.e. faulty) drives where there's a good chance that the data is intact?

* For all of the above (excluding lab desktops), unless the machine is instantly being reinstalled as DICE, then always wipe when being decommissioned.

* So if being reallocated as self-managed, wipe prior to install.

* In the case of disposal, we still have to wipe until that court case is resolved and we can pass the buck to CCL North?

* Are the disc-wiping tools easily available on all (reasonably likely) subnets?

* We should also be wary of passing machines between users without first wiping them. In the table below I'd suggest that DICE desktop -> DICE desktop and MDP -> MDP should be "reinstall" rather than "n/a", and S/M desktop -> S/M desktop should be "wipe" rather than "n/a".

* There are different types of "DICE server", and whether we wipe or not should take the new use into account. "N/A" is therefore n/a for that column.

The table below attempts to provide a summary. The rows represent the current type of machine and the columns represent its next purpose/destination.

| Current type \ Next purpose | DICE servers | S/M servers | MDP | DICE desktops | S/M desktops | Lab desktops | recycling |
| DICE servers | re-install | wipe disks | n/a | n/a | n/a | n/a | wipe disks |
| S/M servers | n/a | wipe disks if going to new owner | n/a | reinstall | wipe disks if going to new owner | reinstall | wipe disks |
| MDP | n/a | n/a | n/a | reinstall | wipe disks | reinstall | wipe disks |
| DICE desktop | n/a | wipe disks | reinstall | n/a | wipe if data on disk | reinstall | wipe if data on local disk |
| S/M desktop | n/a | wipe disks if going to new owner | reinstall | reinstall | n/a | reinstall | wipe disks |
| Lab desktop | n/a | wipe disks | reinstall | reinstall | wipe disks | n/a | no wiping |

-- AlisonDownie - 12 Jul 2012

Topic revision: r9 - 25 Sep 2012 - 12:09:23 - AlisonDownie