When an individual or company decides to upgrade their computer network, the older equipment is often redeployed to another area of the business, sold on the secondary PC market, donated to charity or destroyed. In any of these scenarios, it is of the utmost importance that the existing data residing on the hard drives of those computers is effectively erased (sanitized).
Data sanitization is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device. A device that has been sanitized has no usable residual data.
Sanitization processes include using a software utility that completely erases the data, a separate hardware device that connects to the device being sanitized and erases the data, and/or a mechanism that physically destroys the device so its data cannot be recovered.
The data destruction industry adheres to two specific sets of standards, D.O.D 5220.22-M and NIST Publication 800-88, both of which state the minimum requirements for an effective data destruction policy.
D.O.D 5220.22-M:
The Department of Defense Standard 5220.22-M, Section 5, Subsection 8.5.3 states that to effectively overwrite the data on recordable media, each sector of the disk must be overwritten three times, in what is known as three passes. On the first pass, the data in each sector is replaced with a character. On the second pass, the character is replaced with its complement. On the third and final pass, the sector is filled with a random character. In addition, items which have been cleared must remain at the original level of classification and in a secure, controlled environment. It is important to note that 5220.22-M DOES NOT recommend the three-pass system for sanitization of “top-secret” information.
For disk sanitization to fall under the D.O.D standard, the information on the disk must be removed through a two-step process in which the three-pass procedure is completed first, followed by the removal of all classified labels, activity logs and markings.
NIST Publication 800-88:
NIST describes disk sanitization as “the removal of data from storage media so that, for all practical purposes, the data cannot be retrieved.” Currently, there are three primary methods for data sanitization: a) overwriting, b) degaussing and c) physical disk destruction.
a. Overwriting – overwriting consists of using software to write 1s, 0s and/or a combination of both onto the media where the file to be sanitized is located. The number of times this is performed is relative to the sensitivity of the information being sanitized.
b. Degaussing – there are two types of degaussing machines that exist today, electric and strong magnet.
c. Destruction – the approved methods of disk destruction are as follows:
   · Disk shredding
   · Pulverization, smelting or disintegration at an approved metal destruction facility
   · Application of hydriodic acid and/or an abrasive substance
Summary:
At Tech Reworks, Inc. we provide effective data destruction services by strictly adhering to the guidelines listed above. At a minimum, Tech Reworks performs three passes on each drive. Every hard disk processed by Tech Reworks for data destruction is received, asset-tagged and stored in a secured-access room with full traceability of the product throughout the entire process.
In conclusion, Tech Reworks' primary data destruction objective is to prevent secure or sensitive information from getting into the hands of unauthorized individuals.
FAQs:
1. How do you know that Tech Reworks adheres to the industry standards for data destruction?
Tech Reworks provides the customer with the following:
a. An auditable report of disk sanitization and/or destruction, including serial numbers and Asset Tag/ID.
b. Chain of custody documentation
2. Are there industry-specific regulations for data destruction?
Yes, industries that handle customer information each have a set of regulations that MUST be adhered to with regard to destroying that data. The industry-specific regulations that MUST be adhered to in addition to the D.O.D standards are as follows:
· FACTA (Fair and Accurate Credit Transactions Act)
· GLB (Gramm-Leach-Bliley) – banking and financial institutions
· HIPAA (Health Insurance Portability and Accountability Act) – healthcare industry
· SOX (Sarbanes-Oxley Act)
3. How does Tech Reworks assure the customer that the software used to overwrite data is effective?
Per the Department of Defense, software overwriting is an approved method for data destruction; however, the software utilized MUST be capable of overwriting all addressable locations on the media. If unusable sectors cannot be overwritten, or if any errors occur during the overwriting process, Tech Reworks flags the hard disk for degaussing and/or physical destruction.
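The three-pass procedure from the D.O.D 5220.22-M section above and the error-handling policy in this answer can be shown together in working code. The following is an added example, not Tech Reworks' tooling or code from either standard: it assumes a file path standing in for the medium (a real wipe would open the raw device node), a 1 MiB chunk size, and a dictionary report layout of its own.

```python
import hashlib
import os
import secrets
import tempfile
CHUNK = 1 << 20  # 1 MiB write/read-back granularity (assumption, not from the page)

def _write_and_verify(fh, size, pattern):
    """Overwrite every addressable byte with a fixed byte (or random data when
    pattern is None), then read the medium back and compare per-chunk digests."""
    fh.seek(0)
    digests = []
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        block = bytes([pattern]) * n if pattern is not None else secrets.token_bytes(n)
        fh.write(block)
        digests.append(hashlib.sha256(block).digest())
    fh.flush()
    os.fsync(fh.fileno())  # push the data to the device before verifying
    fh.seek(0)
    for off, digest in zip(range(0, size, CHUNK), digests):
        if hashlib.sha256(fh.read(min(CHUNK, size - off))).digest() != digest:
            raise OSError(f"read-back mismatch at offset {off}")

def dod_three_pass(path, char=0x55):
    """Passes as the page describes: a character, its complement, then random.
    Any I/O error or failed read-back flags the medium instead of calling it sanitized."""
    report = {"path": path, "size": 0, "passes_verified": [], "status": "pending", "error": ""}
    plan = [("char", char), ("complement", (~char) & 0xFF), ("random", None)]
    try:
        report["size"] = os.path.getsize(path)
        with open(path, "r+b") as fh:
            for name, pattern in plan:
                _write_and_verify(fh, report["size"], pattern)
                report["passes_verified"].append(name)
        report["status"] = "sanitized"
    except OSError as exc:
        report["status"] = "flag-for-degaussing/destruction"
        report["error"] = str(exc)
    return report

def demo():
    """Wipe a constructed sample 'drive image'; return the report and whether any record survived."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONSTRUCTED SAMPLE: customer record 0001\n" * 1000)
    report = dod_three_pass(tmp.name)
    with open(tmp.name, "rb") as fh:
        residual = b"customer record" in fh.read()
    os.unlink(tmp.name)
    return report, residual
```

The read-back only proves what the drive returns for each addressable location it accepted, which is why the policy above escalates any drive that errors during overwriting to degaussing or physical destruction rather than re-trying.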
4. What are the differences between D.O.D 5220.22-M and NIST 800-88?
The primary difference between the two standards is how many passes are required to prevent data disclosure. The D.O.D standard states clearly that three passes must be conducted to sanitize a hard disk. The NIST standard states that one pass is enough to defeat conventional forensic recovery on a modern hard drive.