Data Sanitization is defined as the process of removing all information from a device in a way that data recovery is not possible.
This guide will cover the following:
- Data Sanitization Standards
- Data Sanitization Regulations
- Data Sanitization Guidelines
- How to choose a Data Sanitization Standard?
Top Data Sanitization Standards
If you are consuming packaged food, you’d expect it to adhere to food safety standards, right?
Similarly, data sanitization standards are the minimum expected quality levels that a data sanitization method must meet. The standards provide guidance on how to destroy data effectively. The guidance is based on factors like the type of storage device and the sensitivity of the data.
Here are the top data sanitization standards in effect worldwide:
1. NIST SP 800-88
This standard details three methods of data sanitization. These methods let you destroy data on magnetic, flash, and optical media across a range of devices.
a. Purge
Purging uses techniques like Block Erase and Cryptographic Erase. The Purge method is effective for destroying data on magnetic media, flash media, hard drives, etc.
The Block Erasing technique is used for SSD devices. It involves the use of vendor-unique commands to increase the voltage on the memory blocks of the SSD. Once the voltage reaches maximum, it is dropped to zero, which erases the data.
Cryptographic Erasure erases the media encryption keys of Self-encrypting Devices (SED). Without the keys, the encrypted data cannot be decrypted, which makes it unreadable.
b. Clear
This method involves replacing data with non-sensitive data by overwriting. Overwriting is done by overlaying a pattern of pseudorandom binary code on top of the existing code. The new binary code replaces the data, thus effectively destroying data.
Factory resetting is also an accepted data sanitization method under the Clear standard. But it only offers protection against non-invasive data recovery techniques that don’t involve head swaps or internal electronic replacement.
c. Destroy
This method employs physical techniques like shredding, disintegration, incineration, or degaussing to destroy data. You cannot verify whether the data is destroyed after physically destroying the device.
For effective data sanitization, you may use NIST SP 800-88-compliant software like BitRaser. This allows you to sanitise storage devices in-house.
2. DoD 5220.22-M
DoD 5220.22-M defines a specific set of procedures for erasing data from devices. It uses specific binary patterns and random bit patterns to erase data. It follows a three-pass overwriting procedure.
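The single-pass Clear overwrite and the three-pass procedure described above, as an added example (not code from the original page or from BitRaser): each pass overwrites a constructed image file in place and verifies it by reading the data back. The zeros/ones/random order of the three-pass plan is an assumption based on the commonly cited form of the procedure, and the function names and sample marker are hypothetical.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 20  # write/read unit: 1 MiB

# None means "fresh pseudorandom data". The zeros/ones/random order of the
# three-pass plan is an assumption; the page does not list the patterns.
PLANS = {"clear": [None], "three_pass": [b"\x00", b"\xff", None]}

def overwrite_pass(path, size, pattern):
    """Overwrite `size` bytes in place, then verify by read-back digest."""
    wrote, read = hashlib.sha256(), hashlib.sha256()
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            n = min(CHUNK, size - off)
            block = secrets.token_bytes(n) if pattern is None else pattern * n
            f.write(block)
            wrote.update(block)
        f.flush()
        os.fsync(f.fileno())  # flush to the device before reading back
        f.seek(0)
        # Note: this read may be served from the OS page cache; it checks
        # the write path, not the physical medium.
        while chunk := f.read(CHUNK):
            read.update(chunk)
    return wrote.digest() == read.digest()

def sanitize(path, plan="clear"):
    """Run every pass of the plan; return one verified flag per pass."""
    size = os.path.getsize(path)  # valid for image files, not block devices
    return [overwrite_pass(path, size, p) for p in PLANS[plan]]

def demo(plan):
    """Constructed sample: a small image file holding a known marker."""
    marker = b"CONSTRUCTED-SECRET-RECORD"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 1000)
    try:
        results = sanitize(tmp.name, plan)
        with open(tmp.name, "rb") as f:
            survived = marker in f.read()
        return results, survived
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for name in PLANS:
        print(name, demo(name))
```

On SSDs and on journaling or copy-on-write file systems, an in-place file overwrite may not reach every physical copy of the data, which is why flash media are handled with the Purge techniques described earlier.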
The following table compares the scope and efficiency of DoD 5220.22-M and NIST SP 800-88:
| | DoD 5220.22-M | NIST SP 800-88 |
|---|---|---|
| Overwriting Passes Required | 3 or 7 | 1 |
| Last Updated Year | 2021 | 2014 |
| Sector Created For | Government | All Organizations |
| Device(s) Effective For | HDD | All Data Storage Devices |
| Is it Verifiable? | Yes (only for HDD) | Yes |
BitRaser is compliant with DoD standard data sanitization. So you can use the software to safely destroy data from your device.
3. HMG Infosec Standard 5
This data destruction standard is used by the British government. HMG Infosec Standard 5 is a part of the IT security standards published by the Communications-Electronics Security Group (CESG).
IS5 defines a set of policies that organisations must follow to ensure the safe disposal of data. The guidelines for this media sanitization standard work on the premise of overwriting the storage media thrice. It uses zeros, ones, or a set of random binary data to overwrite the storage device. IS5 uses destructive methods, non-destructive methods, and a combination of the two.
These are the situations in which the methods are used:
- Non-destructive methods are used for secret HDDs if they will be re-used within the organisation’s official environment.
- Destructive data sanitization is used for top-secret flash drives if they will be re-used either within or outside the organisation.
- The combined methods are used for top-secret HDDs that will be re-used in any environment within or outside the organisation.
4. RCMP TSSIT OPS-II
The RCMP TSSIT OPS-II combines various methods of data sanitization. These include overwriting with just zeros, overwriting with random binary data, Secure Erase, and Gutmann methods.
The RCMP TSSIT OPS-II defines various data sanitization guidelines for different devices:
| | Type of Device Aimed At | Destruction Technique Used |
|---|---|---|
| Magnetic Memory | Magnetic core memory devices | Overwriting, Physical Destruction |
| Removable Magnetic Media | Tapes, cartridges, and disks | Tape degausser or bulk eraser |
| Non-removable Magnetic Media | Disks and disk packs | Overwriting |
| Optical Media | Disks and CD-ROMs | Physical destruction |
5. Other Global Standards of Data Destruction
This list includes some of the other data sanitization standards followed worldwide:
- NCSC-TG-025
- Schneier Method
- Pfitzner Method
- GOST R 50739-95
- VSITR Method
Data Sanitization Regulations
For proper functioning, every process needs a rule. When it comes to data sanitization, every country has laws that govern the organizations within it. These are called data sanitization regulations.
The following are some of the data sanitization regulations in effect around the world:
- EU General Data Protection Regulation (EU GDPR)
This is considered the toughest data sanitization regulation in the world. The GDPR was passed by the European Union (EU). But it applies to all organizations collecting or sending data to the EU.
- Sarbanes-Oxley
This law was passed by the U.S. Congress in 2002. It is meant to protect investors from fraudulent reporting by organizations.
- PCI DSS V3.2
This is another law meant to protect entities from financial fraud. It protects cardholders’ data held by merchants.
- Gramm–Leach–Bliley Act (GLBA)
This is a law imposed on institutions that offer financial services like loans or insurance. The regulation states that they must explain their information sharing practices to their customers.
- ISO 27000
This is an international standard that gives an overview of information security management systems.
- Philippines Data Privacy Act 2012
This act protects a person’s fundamental right to privacy. It simultaneously ensures the free flow of information.
- HIPAA Security Rule
The HIPAA law protects the medical information of all those residing in the U.S. It specifically protects electronic personal information.
- New York State Cybersecurity Requirements of Financial Services Companies 23 NYCRR 500
This regulation is enforced on all financial institutions. It requires the institutions to implement a detailed cybersecurity framework.
- Singapore Personal Data Protection Act 2012
This act governs the collection, use, and disposal of all personal data.
- R2:2013
This regulation imposes responsible recycling practices of storage devices once the data is destroyed.
- NERC-CIP
This regulates, enforces, manages, and monitors Bulk Electric Systems in North America.
- Japan Personal Information Protection Act (the “PIPA”, Act No. 57 of 2003)
This law protects the rights and interests of individuals regarding their personal data in Japan.
Data Sanitization Guidelines
Certain guidelines dictate when data should be sanitised. This depends on the type of industry and information that needs sanitization.
The following are the recommended guidelines for when and how data must be sanitised:
- All paper or electronic storage devices must be sanitised when the information they hold is no longer necessary for business use.
- All electronic storage devices must be sanitised before they are sold, donated, or their ownership is transferred.
- The method of data sanitization best suited to the type of device must be used. Some popular methods for electronic storage devices include cross shredding, cryptographic erasure, or physical destruction.
- Steps must be taken to reduce security risk if the storage device is transported to a secondary location for data sanitization.
- Proper verification of sanitization must be followed. Often, a certification document is issued to assure data sanitization.
How to Select the Best Data Sanitization Standards?
You should consider the following criteria when choosing a sanitization method for your organisation.
1. Scope of Sanitization Standard
If one sanitization standard can be used for many types of storage devices, it is recommended that you choose it. NIST is a reliable data sanitization standard that is recommended by the US federal government. Our software, BitRaser, is NIST 800-88 tested and approved. So you can carry out NIST-compliant data destruction from the convenience of your organisation.
2. Efficiency and Effectiveness
The time taken for data sanitization must be considered if your organisation handles a high volume of data. NIST 800-88 is effective with one overwriting pass, whereas DoD 5220.22 requires up to 7 overwriting passes. Because verification happens with each pass in DoD, it is a more effective method. Everything considered, NIST 800-88 is the most globally preferred standard of data destruction. It provides the highest level of data protection.