|
Auditors rap DOE's computer
disposal methods
By Wilson
P. Dizard III, GCN Staff
The Energy Department’s Inspector General,
Gregory H. Friedman, has found fault with the Idaho National Laboratory’s
technical procedures for removing restricted nuclear data and confidential data
from old computers.
DOE agreed with the conclusions of a report Friedman’s office
issued, which essentially recommended that the Idaho laboratory adopt and
enforce all department policies regarding the handling of excess computers.
Like other DOE and federal agencies, INL operates under laws
and rules requiring it to remove various categories of restricted information
from its system before disposing of them. DOE refers to the disposal process as
“excessing.” Excessing can involve transferring computers to other agencies or
donating them to schools. Systems can also be sold or salvaged, according to a
newly released report
from Friedman’s office.
Regulations require that various types of information must be
removed from the computers before DOE releases them, according to the report.
They include:
- Unclassified controlled
nuclear information;
- Proprietary information;
- Export controlled
information;
- Official use only
information; and
- Personally identifiable
information, such as employees’ social security numbers, birth dates and
places of birth.
The IG’s auditing staff
found that INL had sold a computer containing unclassified controlled
information, including personal information, at a public auction in October
2004.
“We concluded that INL did not have adequate policies and
internal controls for excessing computers and other electronic memory devices
to prevent the unauthorized dissemination of unclassified controlled
information,” the report stated.
They added that they did not uncover any additional releases
of the controlled information.
According to the report, DOE and its contractor who operates
the Idaho lab had failed to properly update their procedures for computer
disposal during a 16-month period beginning in November 2004.
Eliminating data from computer systems set for disposal can
be an expensive and specialized task.
For example, PC hard drives must be “degaussed,” or exposed
to magnetic fields that sanitize their content.
Also, in many cases where the hard drives have contained classified
information, federal agencies have adopted the policy of destroying the
components in metal shredders.
The auditors toured INL’s facilities for storing excess
computers and shipping them offsite for disposal after degaussing. They found
many hard drives kept in a wooden box outdoors in the lab’s property protection
area.
“INL officials told us that the box had been outside for at
least two years and contained a mixture of degaussed and
non-degaussed/non-sanitized hard drives excessed from INL,” the report said.
“INL officials told us that it was possible some of the
non-degaussed/non-sanitized hard drives contained unclassified controlled
information. The nature of the work performed at INL supports the likelihood of
such a possibility.”
In response to the auditors’ concerns about the security of
the information on the hard drives, as well as risks posed by the possibility
that unsupervised visitors could roam the excess computer storage area, DOE
officials said they would tighten their procedures.
|
