Bacho Foto - stock.adobe.com
As part of your data storage and retention activities, you occasionally must completely remove data from storage media, and might even destroy the media on which data is stored. Data sanitization is the process of totally and irreversibly destroying data on a storage device.
Media devices that you can sanitize include magnetic disks, flash memory devices, CDs and DVDs. If a device has been properly sanitized, there shouldn't be usable residual data, and even advanced forensic tools cannot recover any data. Data sanitization techniques include specialized software that erases data, specialized devices that connect to the storage media and erase the data and a process that physically destroys the media so you cannot recover data from the storage device.
Importance of data sanitization in backups
Once you no longer require backed-up data or its expiration date has passed, you must either archive or destroy it depending on your organization's data retention policies. If you store data on site, you might use various data sanitization techniques to fully destroy it, based on the storage medium. If possible, obtain a certificate of destruction, so that in the event of an IT organization audit, the auditor can examine and verify evidence of data destruction activities.
If you store data off site, such as in cloud backup storage, your cloud vendor must destroy your customer data for you. You must then verify that the data has been properly and fully destroyed and cannot be recovered. Before engaging with a cloud storage or other managed service provider, research what process it uses for data destruction and understand how the firm certifies complete destruction of data. An off-site data storage company's failure to certify data destruction means that data could possibly be recovered, especially if the storage vendor suffers a cyber attack that obtains access to customer data.
Standards and practices
ARMA International's book Contracted Destruction for Records and Information Media provides guidance on how to obtain data and media destruction services. Customers and data destruction vendors alike can use it.
The NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization (February 2015), produced by the National Institute of Standards and Technology, also provides detailed guidance on sanitizing data storage media based on an organization's categorization of data confidentiality for information. It supports key provisions of another widely used NIST standard, SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
Additional standards and regulations addressing data sanitization techniques include the following:
- the General Data Protection Regulation (GDPR) in several sections, such as Article 17, Right to erasure (right to be forgotten);
- PCI DSS (Payment Card Industry Data Security Standard) Sections 3.1, 3.2, 9.8.2 and 10.7;
- ISO/IEC 27001, Information Security Management, Sections A.8.3.2, Disposal of media, and A.11.2.7, Secure disposal or reuse of equipment; and
- New York State Cybersecurity Requirements of Financial Services Companies 23 NYCRR 500, Section 500.13, Limitations on Data Retention.
Importance of establishing a policy
Start by establishing a data destruction policy to complement your data retention policy. Data retention policies and procedures are specific requirements found in many current U.S. laws, such as the Sarbanes-Oxley (SOX) Act and the Health Insurance Portability and Accountability Act (HIPAA). A data destruction policy ensures that devices and media no longer being used have their contents securely removed, destroyed or overwritten, making it extremely difficult or impossible to later retrieve valuable data. Having a data destruction policy also reduces the likelihood of a data or privacy breach, thereby reducing the liability your organization could face as a result.
In addition to a data destruction policy, your organization should have formal documentation procedures confirming the process used to destroy the data and media. Most current legislation that requires data management policies and procedures also requires formal documentation of all data retention and destruction activities. This can provide evidence to the court that any data in question does not exist.
One of the key components in a data destruction policy and its associated destruction procedures is the technique used to securely destroy the data and storage media. Four techniques are regularly used:
- Overwriting. Usually implemented in software, this process simply and securely overwrites the storage medium with new data. Known as wiping, it's as simple as writing the same data (e.g., all zeros and ones or a specific character pattern) everywhere on the media.
- Degaussing. This technique electronically removes the magnetic field of a disk or drive using a device called a degausser. When used properly, degaussing renders a disk unusable. However, it may be possible for the manufacturer to reformat the disk at the factory.
- Encryption. Typically used to secure data from unauthorized access, encryption also can be used to make it impossible to access data on a storage device. By encrypting all data stored on a device and using a very strong decryption key, access to the data can be effectively prevented. By destroying the encryption key, the encrypted data can be permanently made inaccessible.
- Physical destruction. This technique is generally considered the most secure and permanent type of destruction method. The media must be thoroughly destroyed, as even a small piece of the disk may still contain data. Typical techniques include breaking the media apart via grinding or shredding; incinerating the media; applying corrosive chemicals (e.g., acids) to the disk surface; vaporizing or liquefying the media; or applying extremely high voltage to the media.
SOX requires organizations to have strict records retention policies and procedures in place, but it does not specify a particular data storage format. It requires corporate officers to institute internal controls on their information to ensure completeness, correctness and quick access. However, SOX also calls for accounting firms that audit publicly traded companies to keep related audit documents for no less than seven years after the completion of an audit. Violators can face up to $10 million in fines and 20 years in prison.
Similar to SOX legislation, HIPAA legislation focuses on protecting electronic personal health information. Data sanitization in HIPAA can be found in the Security Rule (Subpart C) in sections §164.306, Security standards; §164.308, Administrative safeguards; and §164.314, Organizational requirements.
Effective use of data sanitization techniques can minimize the chance of valuable data theft or compromise. Your organization can consider many options to permanently destroy data and media. With an official data sanitization policy in place, you can cost-effectively handle your data destruction requirements and remain compliant with relevant legislation.