[ISN] NIST experts craft data removal handbook

InfoSec News isn at c4i.org
Wed Feb 8 03:19:51 EST 2006


By Joab Jackson
Contributing Staff Writer

Wonder no longer about how to remove sensitive data from the hard
drives and optical disks you are about to toss. The National Institute
of Standards and Technology has issued a set of draft guidelines on
how to safely remove information from obsolete forms of storage.

Matthew Scholl, Richard Kissel, Steven Skolochenko and Xing Li of the
NIST Information Technology Laboratory authored Special Publication
800-88 [1], "Guidelines for Media Sanitization: Recommendations of the
National Institute of Standards and Technology," which was sponsored
by the Homeland Security Department.

"When storage media are transferred, become obsolete or are no longer
usable or required by an information system, it is important to ensure
that residual magnetic, optical or electrical representation of data
that has been deleted is not easily recoverable," the guidelines

Although the publication summarizes the ways to remove data, it
emphasizes that a proper disposal methodology should not be based on
the type of storage being disposed of, but rather on the confidentiality
of the material the medium contains.

The authors conclude that there are three general approaches to
excising data from various storage technologies:

Clearing: This approach usually involves overwriting the data with new
random data, or in cases of electronic devices, deleting existing
information and performing a manufacturer's hard reset (if one

Purging: This approach involves "degaussing" the medium, a procedure
that involves generating a magnetic field to neutralize the
magnetically encoded information. The report notes that the new Serial
ATA hard disk drives have a firmware-based Secure Erase command that
can purge information to the same degree of unrecoverability.

Destroying: The form of destruction depends on the type of media being
used. Shredding could work for paper, while pulverization, melting and
incineration (tasks usually outsourced) would be more appropriate for
hard disks or optical disks. Sanding off the physical recording
surface is another option.

The report also shows how to apply these approaches to various
technologies such as personal digital assistants, routers, copy
machines, hard drives and floppy disks.

NIST also urged organizations to establish enterprise governance
procedures for erasing material from old technologies.

"Ultimately, the head of the organization is responsible for ensuring
that adequate resources are applied to the program and for ensuring
program success," the report noted. "Senior management is responsible
for ensuring that the resources are allocated to correctly identify
types and locations of information and to ensure that resources are
allocated to properly sanitize the information."

[1] http://csrc.nist.gov/publications/drafts/DRAFT-sp800-88-Feb3_2006.pdf
