Data is everywhere around us. Today, organizations are collecting and using more data than ever before to drive growth. Global data storage is predicted to grow from 59 zettabytes in 2020 to more than 200 zettabytes by 2025, with half of this data forecasted to be stored in the cloud (for reference, a zettabyte is 1 billion terabytes or 1 trillion gigabytes).
Along with rapid proliferation of data, organizations are also now dependent on complex and distributed data storage systems and more frequent hardware replacement events. These realities have created the need for frequent decommissions, refreshes and upgrades of tech assets.
Why Is a Data Sanitization and Disposition Policy Important?
The massive proliferation of data, complex data storage systems and frequent system replacements make sanitization and disposition planning for data systems an important requirement for businesses, so they can protect their data, their clients and their reputation from unauthorized access.
What makes data sanitization and disposition planning a complex process is that data storage systems are more distributed than ever. Data now spans multiple organizations, storage devices and storage media. The distributed system means potential risks exist throughout the data life cycle in the shape of residual data on unsanitized media as data
So, how should organizations go about planning a secure end-of-life certified data destruction?
The National Institute of Standards & Technology (NIST), in its Special Publication 800-88 Revision 1, offers some steps to ensure a successful & secure data destruction plan.
1. Understand your storage media ecosystem – To ensure a complete assessment of vulnerable data storage, “the initial system requirements should include hardware and software specifications as well as interconnections and data flow documents that will assist the system owner in identifying the types of media used in the system,” recommends the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88, Revision 1.
Hardware and software specifications as well as data interconnections have important bearing on the type of data sanitization and disposition standards. Important factors to consider include:
- Understanding Complexity of Storage Systems – There are many layers in a storage system, including storage media and storage devices, which can complicate the data sanitization process. Sanitization of storage media follows a different protocol than sanitization of the storage devices that are used to retrieve data. For instance, monitors may have sensitive data “burned into the screen” (NIST SP 800-88 Rev 1) and may require a different sanitization procedure than storage media. Therefore, understanding the storage system in your organization is an important first step in creating a sound data sanitization and disposition policy.
- Organizing Storage Media by Type – Types of storage media can have important implications for the correct sanitization method to be applied. For instance, magnetic storage media or Hard Disk Drives (HDDs) need to be sanitized and disposed of differently than a flash memory-based storage media. Similarly, there’s optical media, such as CDs and DVDs, where data is written and read with a laser. Data sanitization of optical media usually involves removal of data bearing layers, and then incinerating or shredding the device. Having a clear organization of data bearing media and involved storage devices will help you plan for recommended sanitization protocols.
- Cataloging Storage Media Details – Along with rapid technological advances in storage media, sanitization technology is also evolving. It’s important to deploy the right sanitization standards for each storage medium from a compliance perspective. For instance, current degaussing technology, which demagnetizes the platters that store data in HDDs, is not effective on solid-state media. Similarly, if you have encrypted data stored on your systems, an emerging sanitization method such as Cryptographic Erase (CE) may be the preferred method.
- Mapping Interconnections – Media flows in and out of organizational control through data migration projects, out to vendors for equipment repairs, and hot-swapped into other systems in response to hardware or software failures. This potential vulnerability can be mitigated through a proper understanding of how data is interconnected across owned, leased and retired media, so that sanitization and decommissioning of one system does not impact the uptime of others.
2. Understand the risk hierarchy of storage systems – The NIST SP 800-88 Rev 1 advises that organizations map out their storage systems according to the level of concern about data breach rather than according to the probability of unauthorized access. A good reference source for proper organization by risk hierarchy is the Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.
Generally speaking, the risk categorization should be recorded as follows:
- The level of impact is considered low if the loss of confidentiality, integrity (without modifications or destruction of information), and availability of data systems could result in a limited adverse effect on the organization.
- The level of impact is considered moderate if the loss of confidentiality, integrity, and availability of data could result in a serious adverse effect on the organization.
- The level of impact is considered high if the loss of confidentiality, integrity, and availability of data could result in a severe or catastrophic effect on the organization.
As an example, SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)} indicates that the security categorization of contract information would have moderate impact on the organization due to loss of confidentiality, moderate impact on the organization due to loss of integrity, and low impact on the organization due to loss of availability.
Categorizing data systems by risk hierarchy will allow you to develop more stringent sanitization for high impact systems.
3. Define Data Disposition Policies According to Risk Hierarchy, Life Cycle and Storage Media Type – The sanitization and disposition paths for storage media & devices differ based on the risk to the organization from loss of confidentiality, integrity, and availability. The life cycle of the storage system, especially whether it is to be reused (internally or externally), recycled or returned, also has important implications for the appropriate data sanitization policy. Finally, the type of storage system guides the selection of the most appropriate data sanitization method.
As an example, data on magnetic storage media (storage media type) with a high risk security categorization (risk hierarchy), if reused internally within the organization (lifecycle stage), should be sanitized using overwrite methods. If the same data on the magnetic storage media is leaving the organization, it should be destroyed.
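The categorization from Step 2 and the decision in Step 3, as an added worked example (not code from the article or from NIST): the overall impact is the high-water mark of the FIPS 199 triple, and the decision table is an assumed organizational policy modeled on the article's example (internal reuse is cleared, media leaving the organization is purged or, at high impact, destroyed; optical and non-reused media are destroyed). The method names are assumptions drawn from the methods the article lists.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels; IntEnum so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategorization:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)} per FIPS 199."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def overall(self) -> Impact:
        # High-water mark: the system's overall category is its highest objective.
        return max(self.confidentiality, self.integrity, self.availability)


# Assumed method table keyed by media type (an organizational choice, not a NIST
# table): overwrite and degaussing apply to magnetic media, degaussing does not
# work on flash, and optical media has no Clear/Purge path in this policy.
METHODS = {
    "magnetic": {"Clear": "overwrite", "Purge": "degauss"},
    "flash": {"Clear": "overwrite", "Purge": "crypto erase"},
    "optical": {},
}


def sanitization_path(sc: SecurityCategorization, media_type: str,
                      reused: bool, leaving_org: bool) -> tuple:
    """Return (sanitization level, method) for one piece of media.

    Assumed policy: not reused, optical, or high impact leaving the organization
    -> Destroy; otherwise leaving the organization -> Purge, internal reuse -> Clear.
    """
    level = sc.overall()
    if not reused or media_type == "optical" or (leaving_org and level == Impact.HIGH):
        return ("Destroy", "shred or incinerate")
    wanted = "Purge" if leaving_org else "Clear"
    return (wanted, METHODS[media_type][wanted])


if __name__ == "__main__":
    # The article's contract-information example: {(C, MODERATE), (I, MODERATE), (A, LOW)}
    contract = SecurityCategorization(Impact.MODERATE, Impact.MODERATE, Impact.LOW)
    print(contract.overall().name, sanitization_path(contract, "magnetic", True, True))
```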
4. Obtain Certification of Disposition – In most cases, organizations will incur substantial opportunity costs in moving their internal IT staff to oversee and implement a decommissioning project on their own. There are countless details and too many potential opportunities for failure for IT departments that do not have experience with these types of projects. Therefore, it is best to work with a trusted partner who has experience completing similar decommissioning projects.
When you partner with a vendor for a data sanitization scope of work, ensure that the company is process-driven and provides clear documentation, records, and chain of custody. NIST SP 800-88 recommends that a certificate of media disposition be provided for each piece of media that has been sanitized, and that it include the following:
- Manufacturer
- Model
- Serial Number
- Organizationally Assigned Media or Property Number (if applicable)
- Media Type (i.e., magnetic, flash memory, hybrid, etc.)
- Media Source (i.e., user or computer the media came from)
- Pre-Sanitization Confidentiality Categorization (optional)
- Sanitization Description (i.e., Clear, Purge, Destroy)
- Method Used (i.e., degauss, overwrite, block erase, crypto erase, etc.)
- Tool Used (including version)
- Verification Method (i.e., full, quick sampling, etc.)
- Post-Sanitization Confidentiality Categorization (optional)
- Post-Sanitization Destination (if known)
- For Both Sanitization and Verification:
  - Name of Person
  - Position/Title of Person
  - Date
  - Location
  - Phone or Other Contact Information
  - Signature
5. Ensure verification and ongoing quality assurance – The final step to planning secure data sanitization and disposition requires verification of all equipment sanitized (when available), followed by a representative sampling verification. As part of the verification process, NIST SP 800-88 Rev 1 recommends:
- Verification of Equipment – This should include equipment calibration, testing and scheduled maintenance information.
- Verification of Personnel Competencies – As the name indicates, organizations should ensure that the personnel in charge (in-house or outsourced) have the competencies to perform data sanitization functions. When outsourcing, enterprises must carefully scrutinize vendor credentials and certifications such as NAID AAA, insurance coverage, data breach notification policies, and the scope of the contract.
- Verification of Results – If conducting a full verification of all sanitized equipment, a full reading of all accessible areas should be done to ensure sanitized values are present in all addressable locations. If verification is conducted via a representative sampling, ensure that random locations are selected across the addressable space on the storage media and verifications are done to check for the presence of sanitized values.
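The two verification modes described above, as an added example (not code from the article or from NIST): a full read checks every addressable location for the sanitized value, while representative sampling reads randomly chosen offsets across the whole addressable space. The media image is constructed (a zero-filled buffer with one leftover run of data), and the record layout feeding the certificate's “Verification Method” field is an assumption.

```python
import random


def verify_full(image: bytes, sanitized: int = 0x00) -> list:
    """Full verification: read every addressable byte; return offsets that do
    not hold the sanitized value (an empty list means the media passed)."""
    return [i for i, b in enumerate(image) if b != sanitized]


def verify_sampled(image: bytes, samples: int, seed: int, sanitized: int = 0x00) -> list:
    """Representative sampling: read `samples` random offsets spread over the
    whole addressable space. The seed makes the selection reproducible so the
    same locations can be re-read during an audit of the certificate."""
    rng = random.Random(seed)
    offsets = rng.sample(range(len(image)), samples)
    return sorted(i for i in offsets if image[i] != sanitized)


def verification_record(image: bytes, mode: str, samples: int = 0, seed: int = 0) -> dict:
    """Build the verification entry for the certificate of media disposition
    (assumed field names; 'full' and 'quick sampling' follow the article's wording)."""
    if mode == "full":
        residue, locations_read = verify_full(image), len(image)
    elif mode == "quick sampling":
        residue, locations_read = verify_sampled(image, samples, seed), samples
    else:
        raise ValueError(f"unknown verification mode: {mode!r}")
    return {"verification_method": mode, "locations_read": locations_read,
            "residue_offsets": residue, "passed": not residue}


# Constructed 4 KiB media image: overwritten with zeros except a 16-byte run of
# leftover data at offset 1024, standing in for residual data the overwrite missed.
SAMPLE_IMAGE = bytearray(4096)
SAMPLE_IMAGE[1024:1040] = b"ACCT-4411 SECRET"
SAMPLE_IMAGE = bytes(SAMPLE_IMAGE)

if __name__ == "__main__":
    full = verification_record(SAMPLE_IMAGE, "full")
    quick = verification_record(SAMPLE_IMAGE, "quick sampling", samples=64, seed=7)
    print("full read passed:", full["passed"], "residue at", full["residue_offsets"][:4], "...")
    # A 64-of-4096 sample may or may not land on the 16-byte run: sampling trades
    # coverage for speed, which is why full verification suits high-impact media.
    print("sampled read passed:", quick["passed"])
```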
Conclusion
The steps outlined above should help you develop, execute and validate appropriate data sanitization and disposition procedures. If you don’t have a policy in place, look for a data sanitization and disposition vendor that can help you create a compliant policy.
Sources:
- NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization
- FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems
- 5 Data Destruction Tips from NIST 800-88
- Difference between a storage medium and a storage device
- A Guide to Types of Sensitive Information
- iSIGMA Guidelines Book (also includes data on GDPR)
About the Author
Sphaera (Greek – Sphere) is a trusted IT services partner that provides full lifecycle IT management to network service providers, enterprise data centers, and Fortune 2000 enterprises. With proven experience and expertise from design to decommission, Sphaera owns the complexity and risk when building & managing mission critical IT infrastructure and helps companies deploy critical wireless and IT infrastructure, enhance performance, align technologies with the needs of their business, and elevate the strength of internal IT departments to ensure technology is an enabler of business performance.
Sphaera is strategically headquartered in Hillsboro, OR, with major delivery hubs in the San Francisco Bay Area, Chicago, Atlanta, New York, Las Vegas, the “Texas Triangle”, and the Northern Virginia locales.