A financial services company is decommissioning several servers that were used to process and store customer financial records and Personally Identifiable Information (PII). The company's data retention policy no longer requires the data to be kept. Management has mandated that the data must be destroyed in a way that provides the highest level of assurance against data recovery. Which of the following methods should the administrator use for the hard drives?
Physically shred the hard drives.
Perform a multipass wipe on the hard drives.
Degauss the hard drives.
Reformat the hard drives and repurpose them in a test environment.
The correct answer is to physically shred the hard drives. For highly sensitive data such as PII and financial records that is no longer needed, physical destruction gives the highest assurance that the data cannot be recovered. In NIST SP 800-88 terms this is the 'Destroy' category (shredding, pulverizing, disintegrating, or incinerating), which renders recovery infeasible even with state-of-the-art laboratory techniques and, unlike Clear or Purge, also makes the media unusable for future storage. Since the retention policy no longer requires the data and the drives are being decommissioned, there is no reason to preserve the media, so the Destroy category is appropriate.
Degaussing, which exposes the media to a strong magnetic field, is a valid Purge technique for magnetic media such as traditional Hard Disk Drives (HDDs), but it does nothing to Solid-State Drives (SSDs), which store data in flash cells rather than magnetically. Because a server environment may contain SSDs (and a degausser gives no visible indication that a drive was unaffected), relying on degaussing alone is a risk. Performing a multipass wipe is an overwrite-based sanitization technique; NIST SP 800-88 notes that a single overwrite pass is sufficient for modern HDDs, but overwriting cannot reach wear-levelled or over-provisioned cells on an SSD, and in any case a software wipe does not provide the same level of certainty as physical destruction for the highest-assurance requirement in the question. Reformatting and repurposing the drives is entirely inappropriate here: a format only rewrites filesystem metadata (partition table, superblock, allocation tables) and leaves the underlying file contents on the platters or flash until something else overwrites them, so the records can be recovered with ordinary file-carving tools.
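The following simulation, added here as an illustration and not part of the original question or of NIST SP 800-88, shows concretely why a reformat is not sanitization. A bytearray stands in for a drive with a linear address space (an HDD-like model; it deliberately does not model SSD wear levelling, which is exactly why overwriting is unreliable on flash). The "quick format" rewrites only a header region where filesystem metadata would live, which is what a default OS format does; the PII record, the header size and the record offset are all constructed values chosen for the example.

```python
"""Simulated drive: reformat vs. overwrite, as seen by a raw-sector search.

Constructed example. A bytearray models an HDD-like drive. quick_format()
rewrites only the first FORMAT_HEADER bytes (where a filesystem keeps its
superblock / allocation tables); single_pass_overwrite() rewrites every byte.
record_recoverable() does what a file-carving tool does: scan raw bytes for
known content, ignoring the filesystem entirely.
"""
import random
import re

DISK_SIZE = 1 << 20            # 1 MiB stand-in for a drive (assumption)
FORMAT_HEADER = 64 * 1024      # region a quick format rewrites (assumption)
RECORD_OFFSET = 300 * 1024     # where the record lands on the platter (assumption)

# Constructed PII record; not real data.
RECORD = b"ACCT=1234567890;NAME=Jane Doe;SSN=123-45-6789"
SSN_PATTERN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def make_disk_with_record() -> bytearray:
    """Fill the 'drive' with deterministic junk, then store the record on it."""
    rng = random.Random(2024)                      # fixed seed so runs repeat
    disk = bytearray(rng.getrandbits(8) for _ in range(DISK_SIZE))
    disk[RECORD_OFFSET:RECORD_OFFSET + len(RECORD)] = RECORD
    return disk


def quick_format(disk: bytearray) -> None:
    """Model a default format: only filesystem metadata is rewritten."""
    disk[:FORMAT_HEADER] = b"\x00" * FORMAT_HEADER


def single_pass_overwrite(disk: bytearray) -> None:
    """Model a Clear-level overwrite: every addressable byte is rewritten."""
    disk[:] = b"\x00" * len(disk)


def record_recoverable(disk: bytearray) -> bool:
    """Raw-byte carve: does the record (or any SSN-shaped string) survive?"""
    return disk.find(RECORD) != -1 or SSN_PATTERN.search(bytes(disk)) is not None


def recoverable_after_quick_format() -> bool:
    disk = make_disk_with_record()
    quick_format(disk)
    return record_recoverable(disk)


def recoverable_after_overwrite() -> bool:
    disk = make_disk_with_record()
    single_pass_overwrite(disk)
    return record_recoverable(disk)


if __name__ == "__main__":
    print("recoverable after quick format:", recoverable_after_quick_format())
    print("recoverable after overwrite:   ", recoverable_after_overwrite())
```

The carve succeeds after the format because the record sits well past the metadata region; the overwrite removes it only because this model lets software reach every byte. On a real SSD the firmware, not the host, decides which cells an overwrite lands on, which is why the overwrite result above cannot be assumed for flash media and why the question's highest-assurance requirement points to physical destruction.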