The secure disposal of sensitive electronic information is a serious concern for virtually every modern business or organization, but the means of doing so is anything but universal. There are no fewer than 20 different standards for using software to wipe hard drives and other memory devices, as well as different recommended methods of physical destruction.
While these standards are intended to define the best practices for destroying data, the fact that there are so many can make it difficult for end-users to parse. Take a look at some of the most common benchmarks, see how they differ, and learn which standard is right for your organization.
NIST 800-88 and DoD 5220.22-M: The Most Popular Standards
The National Institute of Standards and Technology (NIST) 800-88 is widely recognized as the current industry standard in the United States and is one of the two standards we use at CompuCycle for secure data destruction. NIST 800-88 outlines four different types of data sanitization:
- Disposal: Simply discarding paper documents or other media with non-confidential information.
- Clearing: Rendering electronic data unreadable and irretrievable, as in data overwriting. Note that just hitting the delete key does not meet this standard.
- Purging: Protecting data from a “laboratory attack,” or highly skilled data thieves. For most ATA drives (also known as IDE drives) manufactured since 2001, clearing is equivalent to purging. Other types of magnetic media and older media, however, require either degaussing, a process that uses a magnetic field to sanitize the data, or, on ATA drives, running a Secure Erase command.
- Destroying: Physical destruction, “the ultimate form of sanitization.” Processes include disintegration, pulverizing, incineration, melting, and shredding.
Although the Department of Defense no longer references 5220.22-M and governmental agencies often refer the public to NIST 800-88, CompuCycle uses 5220.22-M in conjunction with NIST 800-88 because the latter does not prescribe specific guidance on the erasure process. Instead, it simply recommends data managers select a process based on the type of media involved, intended future use of that media, cost, time, environmental impact, and other factors.
The DoD 5220.22-M method calls for three passes of overwriting to all addressable hard drive locations: replacing data with first a 0, then a 1, and finally a random character, with verification of the write after each pass. DoD 5220.22-M (ECE) is a variation of the standard that utilizes seven passes, but three passes is sufficient to completely overwrite the data and is faster and less expensive.
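The three-pass overwrite with verification after each pass, as described above, written out in Python as an added example that is not CompuCycle's or any wiping tool's code. It runs against a constructed temporary file standing in for a drive image; treating "0" and "1" as 0x00 and 0xFF fill bytes, using random bytes for the third pass, and the names `wipe`, `overwrite_pass` and `DOD_3PASS` are assumptions of the example.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024
# Assumption: "0"/"1" mean 0x00/0xFF fill bytes; pass 3 uses random bytes.
FILL = {"zeros": bytes, "ones": lambda n: b"\xff" * n,
        "random": secrets.token_bytes}
DOD_3PASS = ("zeros", "ones", "random")  # pass order as the page gives it

def overwrite_pass(path, kind):
    """Overwrite every byte of path in place; return SHA-256 of what was written."""
    digest, size = hashlib.sha256(), os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            block = FILL[kind](min(CHUNK, size - offset))
            f.write(block)
            digest.update(block)
        f.flush()
        os.fsync(f.fileno())  # push the pass to storage before verifying
    return digest.hexdigest()

def read_back_digest(path):
    """Re-read the whole target (real media: bypass the page cache here)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def wipe(path, schedule=DOD_3PASS):
    """Run each pass with read-back verification; stop at the first failure."""
    report = []
    for number, kind in enumerate(schedule, 1):
        written = overwrite_pass(path, kind)
        if read_back_digest(path) != written:
            raise RuntimeError(f"pass {number} ({kind}) failed verification")
        report.append((number, kind, "verified"))
    return report

def demo():
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"CONSTRUCTED-SECRET " * 10000)  # constructed stand-in data
    try:
        report = wipe(f.name)
        with open(f.name, "rb") as g:
            return report, b"CONSTRUCTED-SECRET" in g.read()
    finally:
        os.remove(f.name)
```

Overwriting a file through a filesystem does not reach every addressable location of the underlying drive, so the same pass logic only sanitizes media when it is pointed at the whole device.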
Other Data Destruction Standard Options
Some other data destruction standards you may come across with certain providers or in certain geographic regions include:
- HMG Infosec Standard 5: Similar to the DoD 5220.22-M, the IS5 (or “CESG standard”) is the British government standard that calls for either degaussing, a one-pass or three-pass overwrite, or physical destruction. Secure Erase, a popular method of using firmware found on SATA- or PATA-type drives, is not approved.
- BSI-GS: Used by the German Federal Office for Information Security, this protocol features one overwriting pass with random data after removing hidden drives.
- Air Force System Security Instruction 8580: The latest Air Force standard requires two pseudo-random overwrites, followed by an overwrite with a set pattern of ones and zeros. At least 1% of the final overwritten data must be visually inspected to guarantee overwriting success.
- Navy Staff Office Publication (NAVSO P-5239-26): Also a three-pass standard. The Navy uses two predetermined characters, then a random character, and verifies at the end of the process.
These are just a few of the standards in use today. When using data destruction software, you may also see options for terms like “Gutmann method” or “PRNG” (pseudo-random number generator). These are not so much standards as they are methods of overwriting that differ in the number of passes or the exact characters used in the process.
Standards for Physical Destruction
Sensitive data doesn’t just mean “soft copy,” or electronic data; hard copy is an equally vital area of data that you can’t overlook. Fortunately, the standards are more homogenous because the end results are more easily verifiable.
Paper documents are an obvious example of hard copy, but PVC printers, which are commonly used to print employee badges, routinely leave virtual mirror images of whatever is being printed on the printer ribbon, which is often discarded intact by unsuspecting users. Electronic data devices that are damaged or otherwise unable to function enough to be wiped by software likewise need to be manually destroyed for full protection.
The gold standards for physical destruction come from the National Security Agency (NSA), which makes available to the public its own guidelines for destruction of media devices that contain up to “Top Secret” information. For example, the NSA’s recommendation for paper shredders is document shards of no more than 1 millimeter by 5 millimeters. For hard disk drives and other electronic devices, the Agency specifies 2 – 5 millimeters in edge length when shredding, or materials reduced to ash when incinerating.
For a complete list of NSA-approved storage device sanitization equipment, visit www.nsa.gov/resources/everyone/media-destruction/.
Which Data Sanitization Standard is Right for You?
Choosing the best data disposal standard involves considering variables such as:
- the degree of security you need
- your industry requirements
- whether you wish to reuse the devices
- your resources regarding time and cost
For the highest level of protection, you would want to combine a data erasure standard such as NIST 800-88 with physical destruction. This way, even if your devices are solid-state drives (SSDs), which store information in tiny amounts of physical space that a shredder might miss, you still have the added security of the data already having been overwritten.
Many industries have special laws and regulations that govern how citizens’ personal data is handled, but often the guidance is vague. For example, the U.S. Department of Health and Human Services (HHS) requires healthcare providers to undertake “appropriate” steps to safeguard protected health information (PHI) on electronic media as part of its Health Insurance Portability and Accountability Act (HIPAA) regulations.
The HHS refers practitioners to NIST SP 800-88, for good reason. Meeting the 800-88 standard is the best way to ensure you’re doing your due diligence as it relates to governmental compliance in all corporate environments, which is the reason we use it here at CompuCycle.
How to Achieve Your Desired Data Disposal Standard
A professional data sanitization company like CompuCycle can sanitize your devices to any level you specify, as well as provide an inventory report and either a Certificate of Data Sanitization or a Certificate of Data Destruction (depending on the sanitization method used) upon completion, for regulatory compliance purposes. The work will be done by “personnel without a stake in any part of the process,” an important guideline from NIST 800-88. After physical destruction, using a trusted vendor is the safest approach for data disposal.
However, there are free programs that can help you render your data unrecoverable at a set standard, such as DBAN, an open-source data wiping tool. While the program offers six different erasure standards, it can’t erase SSDs, offers no tech support, and is only recommended for home use. Other free DIY programs that give you options on your sanitization method include Securely File Shredder, Freeraser, and Bitkiller.