
Disk Sanitization

It's a wise precaution to remove sensitive data from computer disks before the disks are either transferred from one area to another or discarded. The process is referred to as disk sanitizing, cleaning, purging, or wiping. The method you choose to sanitize a disk should depend on the security requirements of your organization.

Removing a file actually only removes the pointer to the file. Common utilities can often recover deleted files, so the data may still be recoverable. Three techniques available for disk sanitization are:

  • overwriting
  • degaussing
  • destruction

Overwriting a disk by using the format command is usually enough for most purposes, because it greatly reduces the chance that any data can be recovered from the disk. However, any data that remains can potentially be accessed by someone with enough expertise, determination, or money. To ensure that no one could ever recover data from a disk, you need to degauss or destroy it or keep it in a secure location until the disk is needed again.


Special Publication 800-88, "Guidelines for Media Sanitization" (PDF)
This guide from the National Institute of Standards and Technology (NIST) is intended to assist organizations and system owners in making practical sanitization decisions based on the level of sensitivity of their information. It does not specifically address all known types of media; however, the described draft sanitization decision process can be applied universally to all forms of media and categorizations of information.

Destroying Data the DOD Way: Military Standards Help Ensure Compliance for Electronic Data Security by Angie Singer Keating, Journal of AHIMA, July – August 2005
One of the most efficient and effective ways to sanitize or physically destroy computer hard drives is to follow the stringent standards established by the US Department of Defense (DOD). This article compares digital sanitation and physical destruction and helps you determine which method is best for your organization.

Secure Removal of Protected Health Information whitepaper by Steve Hardwick, Infraworks, April 29, 2003

Ultimate Data Destruction: Software Tools by Patrick Norton, David Prager, and Roman Loyola, TechTV, February 20, 2003
If you don't want to physically destroy the hard drive, there are several software tools you can use to wipe out your data. They do a much better job than a simple reformat.

"Sanitization of Information Technology Equipment and Electronic Media" Policy from the KY Governor’s Office of Technology

"Remembrance of Data Passed: A Study of Disk Sanitization Practices"

Department of Defense
Clearing and Sanitization Matrix
(DOD 5220.22-M)

from the January 1995 National Industrial Security Program Operating Manual

| Media | Clear | Sanitize |
|---|---|---|
| Magnetic Tape¹ | | |
| Type I | a or b | a, b, or m |
| Type II | a or b | b or m |
| Type III | a or b | m |
| Magnetic Disk | | |
| Bernoullis | a or c | m |
| Floppies | a or c | m |
| Non-Removable Rigid Disk | c | a, d, or m |
| Removable Rigid Disk | a or c | a, d, or m |
| Optical Disk | | |
| Read Many, Write Many | c | m |
| Read Only | | m, n |
| Write Once, Read Many (WORM) | | m, n |
| Memory | | |
| Dynamic Random Access Memory (DRAM) | c or g | c, g, or m |
| Electronically Alterable PROM (EAPROM) | i | j or m |
| Electronically Erasable PROM (EEPROM) | i | h or m |
| Erasable Programmable ROM (EPROM) | k | l, then c, or m |
| Flash EPROM (FEPROM) | i | c then i, or m |
| Programmable ROM (PROM) | c | m |
| Magnetic Bubble Memory | c | a, b, c, or m |
| Magnetic Core Memory | c | a, b, e, or m |
| Magnetic Plated Wire | c | c and f, or m |
| Magnetic Resistive Memory | c | m |
| Nonvolatile RAM (NOVRAM) | c or g | c, g, or m |
| Read Only Memory (ROM) | | m |
| Static Random Access Memory (SRAM) | c or g | c and f, g, or m |
| Equipment | | |
| Cathode Ray Tube (CRT) | g | q |
| Printers | | |
| Impact | g | p then g |
| Laser | g | o then g |

Clearing and Sanitization Matrix

a. Degauss with Type I, II, or III degausser.

b. Degauss with same Type (I, II, or III) degausser.

c. Overwrite all addressable locations with a single character.

d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.

e. Overwrite all addressable locations with a character, its complement, then a random character.

f. Each overwrite must reside in memory for a period longer than the classified data resided.

g. Remove all power to include battery power.

h. Overwrite all locations with a random pattern, then with binary zeros, and finally with binary ones.

i. Perform a full chip erase as per manufacturer's data sheets.

j. Perform i above, then c above, a total of three times.

k. Perform an ultraviolet erase according to manufacturer's recommendation.

l. Perform k above, but increase time by a factor of three.

m. Destroy - Disintegrate, incinerate, pulverize, shred, or melt.

n. Destruction required only if classified information is contained.

o. Run one page (font test acceptable) when print cycle not completed (e.g. paper jam or power failure). Dispose of output as unclassified if visual examination does not reveal any classified information.

p. Ribbons must be destroyed. Platens must be cleaned.

q. Inspect and/or test screen surface for evidence of burned-in information. If present, the screen must be destroyed.

NOTE: As of 22 April, 2002 shredding of IA products is not authorized.
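
Method d from the matrix legend above (a character, its complement, then a random character, with verification), as an added Python example that is not part of the DOD manual or the original page. The function names, the 0x55 starting character, and the constructed sample image are assumptions; this version reads back every pass rather than only the last.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # read/write in 1 MiB units


def _pass(f, size, byte, verify):
    """Write `byte` over [0, size), or read it back when verify=True."""
    f.seek(0)
    left = size
    while left:
        n = min(left, CHUNK)
        expected = bytes([byte]) * n
        if verify:
            if f.read(n) != expected:   # short read or surviving data
                return False
        else:
            f.write(expected)
        left -= n
    if not verify:
        f.flush()
        os.fsync(f.fileno())            # force this pass to storage before the next
    return True


def overwrite_method_d(path, char=0x55):
    """Run the three passes; return [(byte_written, verified), ...]."""
    passes = [char, char ^ 0xFF, secrets.randbelow(256)]  # char, complement, random
    results = []
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)   # works for image files and block devices
        for b in passes:
            _pass(f, size, b, verify=False)
            results.append((b, _pass(f, size, b, verify=True)))
    return results


def demo():
    """Run against a constructed ~3 MB image holding a fake record."""
    with tempfile.NamedTemporaryFile(delete=False) as t:
        t.write(b"PATIENT: Jane Doe MRN 000000 (constructed)\n" * 70000)
    try:
        results = overwrite_method_d(t.name)
        with open(t.name, "rb") as f:
            leftover = f.read()
    finally:
        os.unlink(t.name)
    return results, leftover
```

The read-back can be satisfied from the operating system's cache, and on flash or copy-on-write storage an in-place overwrite may not reach every physical location. Treat a passing result as evidence of the logical overwrite only.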