An Audit Report on Data Security Related to the Disposal of Surplus and Salvage State Data Processing Equipment at the Texas Department of Criminal Justice and Selected State Agencies
July 2011
Report Number 11-040
Overall Conclusion
There are risks associated with disposing of data processing equipment that state agencies and higher education institutions (state entities) should avoid by removing information prior to the equipment's disposal so that data recovery is not possible. State entities can choose to dispose of data processing equipment through the Texas Department of Criminal Justice's (TDCJ) Computer Recovery Program (Program) or on their own. In addition to releasing confidential information, state entities risk violating software licensing agreements and disclosing trade secrets, copyrights, and other intellectual property when disposing of or transferring data processing equipment with storage devices to non-state entities.
The TDCJ Program properly sanitized and substantially destroyed computer hard drives it received from state entities, school districts, and other political subdivisions. Sanitizing is the removal of data from media such as hard drives or other storage devices using methods to ensure that data recovery is not possible. However, TDCJ does not have procedures in place to identify all types of data processing equipment that contain storage devices (such as printers, copiers, or scanners) so that they can be sanitized. In addition, TDCJ should improve its processes to (1) verify that it receives all data processing equipment intended for the Program and (2) safeguard the physical security of the data processing equipment it receives.
The Program did not recover TDCJ's costs as required by Texas Government Code, Section 497.012 (related to the repair and resale of surplus data processing equipment), during fiscal years 2008 through 2010. The Program provides, at no cost, disposal services to state entities and refurbished data processing equipment to school districts and other political subdivisions. During fiscal years 2008 through 2010:
- State entities relied on the TDCJ Program to dispose of 128,111 (66.8 percent) of the 191,814 items of data processing equipment they disposed of, according to data from the State Property Accounting system.
- The Program provided 16,144 computers, printers, and scanners to 94 school districts and other political subdivisions in Texas.
- The Program recovered 23.3 percent of its costs; the Program cost $3,338,690 to operate and generated $779,459 in revenue from scrap material sales.
Auditors also reviewed the disposal processes at two agencies and identified weaknesses that should be addressed to ensure that confidential data is protected. Specifically:
- The Texas Commission on Environmental Quality (TCEQ) did not properly sanitize its data processing equipment in compliance with state laws and rules. Of the 30 hard drives that auditors tested at TCEQ, 29 (96.7 percent) contained recoverable data, and some of those hard drives contained confidential data. TCEQ has taken steps to address this deficiency and management asserted that those 29 hard drives were subsequently sanitized before being transferred to non-state entities. In addition, TCEQ did not have procedures to identify and sanitize all equipment with storage devices.
- The Texas Parks and Wildlife Department (TPWD) properly sanitized computer hard drives prior to transferring the equipment to state and non-state entities; however, it could improve its processes to ensure that all hard drives go through the sanitization process. In addition, TPWD did not have procedures to identify and sanitize all equipment with storage devices.
Texas Government Code, Section 2054.130, requires state entities to permanently remove data from data processing equipment before disposing of or otherwise transferring the equipment outside of state property. State entities can find a link to a list of free software tools to sanitize data in the Department of Information Resources' Sale or Transfer of Computers and Software Guidelines.
Senate Bill 1 (82nd Legislature, 1st Called Session) would amend Texas Government Code, Chapter 2175, and make the Texas Facilities Commission responsible for the disposal of surplus and salvage property in Texas. The process outlined in this report may change as a result of the passage of Senate Bill 1. As of the release of this audit report, Senate Bill 1 was awaiting action by the Governor.