When hardware reaches end of life, the data it contains does not disappear with it. Hard drives, SSDs, USB sticks, backup tapes, and even printers retain sensitive information long after the device is decommissioned. Improper disposal is one of the most common — and most preventable — causes of data breaches. Executives must ensure that their organisation has a documented, auditable disposal process that meets regulatory requirements and eliminates the risk of data recovery from discarded equipment.
Disposal Methods and Standards
- Data wiping. Software-based overwriting (meeting NIST SP 800-88 standards) is suitable for devices being reused or resold. Multiple-pass overwriting ensures data cannot be recovered with standard tools.
- Degaussing. Magnetic media (traditional hard drives, tapes) can be rendered unreadable by exposing them to a strong magnetic field. Degaussing is irreversible and makes the media permanently unusable.
- Physical destruction. Shredding, crushing, or incineration provides the highest assurance that data is unrecoverable. This is the recommended method for highly sensitive data and is mandatory for some regulatory frameworks.
- SSD-specific considerations. SSDs use wear-levelling algorithms that can leave data fragments in inaccessible areas. Standard overwriting may not reach all data. Manufacturer-provided secure erase commands or physical destruction are the only reliable methods.
Chain of Custody and Documentation
- Asset tracking. Maintain a register of all hardware awaiting disposal, including serial numbers, data classification, and assigned disposal method.
- Certificates of destruction. Require written certificates from disposal vendors confirming the method used, date of destruction, and serial numbers of destroyed items. Retain these certificates for audit purposes.
- Vendor due diligence. If using a third-party disposal vendor, verify their certifications (e.g., ADISA, R2, e-Stewards), insurance coverage, and chain-of-custody procedures before handing over any equipment.
- On-site destruction. For the most sensitive data, require on-site destruction where the disposal vendor brings equipment to your premises and destroys media under your supervision.
Action Steps:
- Document your hardware disposal process and ensure it specifies the appropriate method for each data classification tier.
- Audit your disposal vendor’s certifications and request a sample certificate of destruction.
- Inventory all hardware currently awaiting disposal and confirm that no devices are sitting in storage without a scheduled destruction date.
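An added example, not part of the original guidance: a minimal reconciliation of a disposal register against certificates of destruction, flagging the gaps described in the sections above. The field names, the policy table, and the rule that high-classification media must be physically destroyed are assumptions to adapt to your own policy; all records are constructed.

```python
from datetime import date

# Assumed policy table based on the methods listed above: overwriting alone is
# not accepted for SSDs. The "high requires destroy" rule is also an assumption.
ALLOWED = {
    "hdd": {"overwrite", "degauss", "destroy"},
    "tape": {"degauss", "destroy"},
    "ssd": {"secure_erase", "destroy"},
}

def audit(register, certificates, today):
    """Return sorted (serial, finding) pairs for every gap found."""
    findings = []
    certs = {c["serial"]: c for c in certificates}
    for a in register:
        sn, method = a["serial"], a["method"]
        if method not in ALLOWED.get(a["media"], set()):
            findings.append((sn, f"{method} not accepted for {a['media']}"))
        if a["classification"] == "high" and method != "destroy":
            findings.append((sn, "high classification requires destroy"))
        if a["status"] == "awaiting":
            due = a.get("scheduled")
            if due is None:
                findings.append((sn, "no scheduled destruction date"))
            elif due < today:
                findings.append((sn, "scheduled date has passed"))
        elif sn not in certs:
            findings.append((sn, "disposed without certificate"))
        elif certs[sn]["method"] != method:
            findings.append((sn, "certificate method differs from register"))
    # A certificate for an unknown serial is a chain-of-custody gap.
    for sn in certs.keys() - {a["serial"] for a in register}:
        findings.append((sn, "certificate for serial not in register"))
    return sorted(findings)

# Constructed sample data (serials are placeholders).
REGISTER = [
    {"serial": "SN-001", "media": "hdd", "classification": "low", "method": "overwrite", "status": "disposed"},
    {"serial": "SN-002", "media": "ssd", "classification": "medium", "method": "overwrite", "status": "awaiting", "scheduled": None},
    {"serial": "SN-003", "media": "tape", "classification": "high", "method": "degauss", "status": "disposed"},
    {"serial": "SN-004", "media": "ssd", "classification": "high", "method": "destroy", "status": "awaiting", "scheduled": date(2024, 3, 1)},
]
CERTIFICATES = [
    {"serial": "SN-001", "method": "overwrite", "date": date(2024, 1, 10)},
    {"serial": "SN-003", "method": "destroy", "date": date(2024, 1, 12)},
    {"serial": "SN-999", "method": "destroy", "date": date(2024, 1, 12)},
]

if __name__ == "__main__":
    print(*audit(REGISTER, CERTIFICATES, date(2024, 2, 1)), sep="\n")
```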
Quick Knowledge Check
- Why is standard software overwriting insufficient for SSDs?
Because SSDs use wear-levelling algorithms that distribute data across flash cells, leaving fragments in areas that standard overwriting tools cannot access. Manufacturer secure erase commands or physical destruction are required instead.
- What is the purpose of a certificate of destruction?
It provides auditable evidence that specific devices were destroyed using an approved method on a specific date, satisfying regulatory requirements and demonstrating due diligence in the event of a compliance audit.