By Wilson P. Dizard III,
GCN Staff
Retrieved 22 Feb 2007
Auditors rap DOE’s computer disposal methods
The Energy Department’s Inspector General, Gregory H. Friedman, has found fault with the Idaho National Laboratory’s technical procedures for removing restricted nuclear data and confidential data from old computers.
DOE agreed with the conclusions of a report Friedman’s office issued, which essentially recommended that the Idaho laboratory adopt and enforce all department policies regarding the handling of excess computers.
Like other DOE and federal agencies, INL operates under laws and rules requiring it to remove various categories of restricted information from its systems before disposing of them. DOE refers to the disposal process as “excessing.” Excessing can involve transferring computers to other agencies or donating them to schools. Systems can also be sold or salvaged, according to a newly released report from Friedman’s office.
Regulations require that various types of information be removed from the computers before DOE releases them, according to the report. They include:
- Unclassified controlled nuclear information;
- Proprietary information;
- Export controlled information;
- Official use only information; and
- Personally identifiable information, such as employees’ social security numbers, birth dates and places of birth.
The IG’s auditing staff found that INL had sold a computer containing unclassified controlled information, including personal information, at a public auction in October 2004.
“We concluded that INL did not have adequate policies and internal controls for excessing computers and other electronic memory devices to prevent the unauthorized dissemination of unclassified controlled information,” the report stated.
The auditors added that they did not uncover any additional releases of the controlled information.
According to the report, DOE and the contractor that operates the Idaho lab had failed to properly update their procedures for computer disposal during a 16-month period beginning in November 2004.
Eliminating data from computer systems set for disposal can be an expensive and specialized task.
For example, PC hard drives must be “degaussed,” or exposed to magnetic fields that sanitize their content. Also, in many cases where the hard drives have contained classified information, federal agencies have adopted the policy of destroying the components in metal shredders.
The auditors toured INL’s facilities for storing excess computers and shipping them offsite for disposal after degaussing. They found many hard drives kept in a wooden box outdoors in the lab’s property protection area.
“INL officials told us that the box had been outside for at least two years and contained a mixture of degaussed and non-degaussed/non-sanitized hard drives excessed from INL,” the report said. “INL officials told us that it was possible some of the non-degaussed/non-sanitized hard drives contained unclassified controlled information. The nature of the work performed at INL supports the likelihood of such a possibility.”
In response to the auditors’ concerns about the security of the information on the hard drives, as well as risks posed by the possibility that unsupervised visitors could roam the excess computer storage area, DOE officials said they would tighten their procedures.