I'm looking to gather insights into how companies manage documentation when wiping drives before discarding hardware like servers or laptops. What types of proof do you retain after performing the wipe? Do you save reports from tools like Blancco or KillDisk? Do you enter information in a ticketing system, or generate certificates of destruction? And when auditors come asking for proof of sanitization, what exactly do they expect to see? Is there a standard approach that most organizations follow, or is it a mixed bag? I'm really trying to understand how enterprises handle this process as I'm not finding clear-cut answers anywhere.
5 Answers
In a past job, we decommissioned drives with machines that printed out a destruction certificate with each serial number. I can’t remember if it truly wiped the drive or just wrote zeros, though.
A lot of us just remove the drives and use certified services to shred them. We've got witnesses during the process, plus records of the serial numbers for compliance.
We use degaussers that check serial numbers and take photos of the drives as they get wiped. They also generate a report to confirm the field strength used during the degaussing process.
Wow, that's some high-tech stuff! Didn't know they were that advanced now.
Our process is to create a ticket that kicks off the disposal. Then we get a certificate of destruction from a third party. It really depends on the security standards we're following, though.
What’s interesting is whether auditors just accept that ticket and the certificate as proof. Is there more they expect in between?
My company does on-site drive shredding, and we get certificates for each drive destroyed. This has helped satisfy most audit requests. We keep both physical and digital records.
That’s smart! But what extra info do auditors usually ask for beyond that certificate?

Totally! We even have a truck show up, and two different people are there to make sure everything goes smoothly.