As part of your data storage and retention activities, there will be times when you need to completely remove data from storage media. There will also be times when it makes sense to destroy the media on which data is stored.
In this tip, instead of reviewing data sanitization products and services, we'll examine how current legislation, regulations and standards address this issue.
Standards and practices
ARMA International (www.arma.org) has a book called Contracted Destruction for Records and Information Media that provides guidance on how to obtain data and media destruction services. It can be used by users and data destruction vendors alike.
NIST Special Publication 800-88, Guidelines for Media Sanitization, September 2006. This standard, produced by the National Institute of Standards and Technology, provides detailed guidance on sanitizing data storage media. It supports key provisions of another widely used NIST standard, SP 800-53, Recommended Security Controls for Federal Information Systems.
US Department of Defense (DoD) 5220.22-M: National Industrial Security Program Operating Manual (NISPOM) provides baseline standards for the protection of classified information released or disclosed in connection with classified contracts under the National Industrial Security Program (NISP). Its guidelines include data sanitization; however, standards for sanitization are left up to individual Cognizant Security Authorities (who provide oversight on all aspects of security program management) within defense and intelligence community agencies.
Establish a policy
Start by establishing a data destruction policy to complement your data retention policy. Data retention policies and procedures are specific requirements in many current U.S. laws, such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). While data destruction is not specifically addressed in these and other laws, a data destruction policy ensures that devices and media no longer being used have their contents securely removed, destroyed or overwritten, making it extremely difficult or impossible to later retrieve valuable data. Having a data destruction policy also reduces the likelihood of a data and/or privacy breach, thereby reducing the liability your organization could face as a result.
In addition to a data destruction policy, it's advisable to have formal documentation procedures confirming the process used to destroy the data and/or media. Most current legislation that requires data management policies and procedures also requires formal documentation of all data retention and destruction activities. This documentation also provides evidence to the court that the data in question does not exist.
One of the key components in a data destruction policy is the technique used to securely destroy the data and/or storage media. Four techniques are regularly used:
- Overwriting. Usually implemented in software, this process simply and securely overwrites the storage medium with new data. Known as wiping, it's as simple as writing the same data (e.g., all zeros or a specific character pattern) everywhere on the media.
- Degaussing. This technique electronically removes the magnetic field of a disk or drive using a device called a degausser. When used properly, degaussing renders a disk unusable. However, it may be possible for the manufacturer to reformat the disk at the factory.
- Encryption. Typically used to secure data from unauthorized access, encryption can also be used to make it impossible to access data on a storage device. By encrypting all data stored on a device and using a very strong decryption key, access to the data can be effectively prevented.
- Physical destruction. This technique is generally considered the most secure and permanent type of destruction method. The media must be thoroughly destroyed, as even a small piece of the disk may still contain data. Typical techniques include breaking the media apart via grinding or shredding; incinerating the media; applying corrosive chemicals (e.g., acids) to the disk surface; vaporizing or liquefying the media; or applying extremely high voltage to the media.
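The overwriting technique and the documentation step described above can be combined in one routine, shown here as an added example that is not part of the original tip or any vendor's product: it writes a single pass of one fill byte, reads the target back to confirm nothing survived, and returns a record suitable for filing. A constructed temporary file stands in for the storage medium, and the record field names and asset ID are hypothetical.

```python
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # bytes written/read per I/O call

def overwrite(path, fill=0):
    """Overwrite every byte of `path` in place with one fill byte; return size."""
    size = os.path.getsize(path)
    block = bytes([fill]) * BLOCK
    with open(path, "r+b") as f:
        for start in range(0, size, BLOCK):
            f.write(block[:min(BLOCK, size - start)])
        f.flush()
        os.fsync(f.fileno())  # push the pass out of OS caches
    return size

def verify(path, fill=0):
    """Read everything back; return (ok, offset of first surviving byte)."""
    offset = 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            for i, b in enumerate(chunk):
                if b != fill:
                    return False, offset + i
            offset += len(chunk)
    return True, None

def sanitize_and_record(path, asset_id, operator, fill=0):
    """Wipe, verify, and return the record to file as destruction evidence."""
    size = overwrite(path, fill)
    ok, bad = verify(path, fill)
    return {
        "asset_id": asset_id, "operator": operator,  # hypothetical fields
        "method": "overwrite, single pass", "pattern": f"0x{fill:02x}",
        "bytes_overwritten": size, "verified": ok,
        "first_mismatch_offset": bad,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def demo():
    # Constructed sample data in a temp file standing in for the medium.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample: customer ledger 2011\n" * 500)
        path = f.name
    try:
        return sanitize_and_record(path, "ASSET-EXAMPLE-001", "example operator")
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A record with "verified" set to false, together with the mismatch offset, is the signal to repeat the pass or escalate to another of the four techniques.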
Sarbanes-Oxley requires that strict records retention policies and procedures be in place, but it does not specify a particular data storage format. It does require corporate officers to institute internal controls on their information to ensure completeness, correctness and quick access. There is one exception: accounting firms are specifically mentioned in Sarbanes-Oxley. The act calls for accounting firms that audit publicly traded companies to keep related audit documents for no less than seven years after the completion of an audit. Violators can face up to $10 million in fines and 20 years in prison.
Similar to SOX legislation, HIPAA legislation focuses on protecting electronic personal health information, or ePHI. The three principal criteria for protection of health data in HIPAA are confidentiality, integrity and availability. Data retention addresses the third requirement, and even though HIPAA doesn't specifically address data sanitization and when to destroy data/media, be sure to address them in your data retention program.
Effective use of data sanitization techniques can minimize the chance that valuable data could be stolen or compromised. Many options are available to permanently destroy data and media. With an official data sanitization policy in place, plus some of the documents we have suggested in this tip, you can cost-effectively handle your data destruction requirements and be compliant with relevant legislation as well.
About the author: Paul Kirvan, CISA, FBCI, has more than 24 years of experience in business continuity management (BCM) as a consultant, author and educator. He has completed dozens of BCM consulting and audit engagements that address all aspects of a business continuity management system (BCMS) and which are aligned with global standards including BS 25999 and ISO 22301. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and a member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.
This was first published in July 2012