What are Current Data Destruction Standards?
The secure disposal of sensitive electronic information is a serious concern for virtually every modern business or organization, but the means of doing so is anything but universal. There are no less than 20 different data destruction standards for using software to wipe hard drives and other memory devices, and different recommended physical destruction methods with NIST approved shredders.
While these data destruction standards are intended to define the best practices for destroying data, the fact that there are so many can make it difficult for end-users to parse. Please take a look at some of the most common benchmarks, see how they differ, and learn which standard is right for your organization.
NIST 800-88 and DoD 5220.22-M: The Most Popular Standards
The National Institute for Standards and Technology (NIST) 800-88 is widely recognized as the current industry standard in the United States. It is one of the two standards we use at CompuCycle for secure data destruction. The NIST 800-88 outlines four different types of data sanitization:
- Disposal: Simply discarding paper documents or other media with non-confidential information.
- Clearing: Rendering electronic data unreadable and irretrievable, as in data overwriting. Note that just hitting the delete key does not meet this standard.
- Purging: Protecting data from a “laboratory attack” or highly skilled data thieves. For most ATA drives (also known as IDE drives) manufactured since 2001, clearing is equivalent to purging. However, for other types of magnetic media and older media, using a magnetic field to sanitize the data through a process called degaussing is necessary, or running a Secure Erase command on ATA drives.
- Destroying: Physical destruction, “the ultimate form of sanitization.” Processes include disintegration, pulverizing, incineration, melting, and shredding.
For well over a decade, DoD 5220.22-M was a widely used data erasure method derived from an operating manual published by the National Industrial Security Program (NISP). Many IT asset disposition companies still reference it today, although it’s outdated and no longer used by the Department of Defense and other government agencies.
In fact, the idea that DoD 5220.22-M was intended and used as an industry standard for data erasure is a myth. It was never created for this purpose. NIST 800-88 is the current industry benchmark.
Other Data Destruction Standard Options
Some other data destruction standards you may come across with certain providers or in certain geographic regions include:
- HMG Infosec Standard 5: Like the DoD 5220.22-M, the IS5 (or “CESG standard”) is the British government standard that calls for either degaussing, a one-pass or three-pass overwrite or physical destruction. Secure Erase–a popular method of using firmware found on SATA- or PATA-type drives–is not approved.
- BSI-GS: Used by the German Federal Office for Information Security, this protocol features one overwriting pass with random data after removing hidden drives.
- Air Force System Security Instruction 8580: The latest Air Force standard requires two pseudo-random overwrites, followed by an overwrite with a set pattern of ones and zeros. At least 1% of the final overwritten data must be visually inspected to guarantee overwriting success.
- Navy Staff Office Publication (NAVSO P-5239-26): Also a three-pass standard, the Navy uses two predetermined characters than a random character and verifies them at the end of the process.
These are just a few of the standards in use today. When using data destruction software, you may also see options for terms like “Gutmann method” or “PRNG” (pseudo-random number generator). These are not so many standards as they are overwriting methods that differ in the number of passes or the exact characters used in the process.
Standards for Physical Destruction
Sensitive data doesn’t just mean “soft copy,” or electronic data; hard copy is an equally vital area of data that you can’t overlook. Fortunately, the standards are more homogenous because the results are more easily verifiable.
Paper documents are an obvious example of a hard copy. Still, PVC printers, which are commonly used to print employee badges, routinely leave virtual mirror images of whatever is being printed on the printer ribbon, which is often discarded intact by unsuspecting users. Electronic data devices that are damaged or otherwise unable to function enough to be wiped by software likewise need to be manually destroyed for full protection.
The gold standards for physical destruction come from the National Security Agency (NSA), which makes the public its own guidelines for destruction of media devices that contain up to “Top Secret” information. For example, the NSA’s recommendation for paper shredders is document shards of no more than 1 millimetre by 5 millimetres. For hard disk drives and other electronic devices, the Agency specifies 2 – 5 millimetres in edge length when shredding, or materials reduced to ash when incinerating.
For a complete list of NSA-approved storage device sanitization equipment, visit www.nsa.gov/resources/everyone/media-destruction/.
Which Data Sanitization Standard is Right for You?
Choosing the best data destruction standards involves considering variables such as:
- the degree of security you need
- your industry requirements
- whether you wish to reuse the devices
- your resources regarding time and cost
You would want to combine a data erasure standard for the highest level of protection such as NIST 800-88 with physical destruction. This way, even if your devices are solid-state drives (SSDs), which store information in tiny amounts of physical space that a non-NIST approved shredder might miss, you still have the added security of the data already having been overwritten.
Many industries have special laws and regulations that govern how citizens’ personal data is handled, but guidance is often vague. For example, the U.S. Department of Health and Human Services (HHS) requires healthcare providers to undertake “appropriate” steps to safeguard protected health information (PHI) on electronic media as part of its Health Insurance Portability and Accountability Act (HIPAA) regulations.
The HHS refers practitioners to NIST SP 800-88, for a good reason. Meeting the 800-88 standard is the best way to ensure you’re doing your due diligence related to governmental compliance in all corporate environments, which is why we use it here at CompuCycle.
How to Achieve Your Desired Data Destruction Standard
A professional data sanitization company like CompuCycle can sanitize your devices to any level you specify and provide an inventory report and either a Certificate of Data Sanitization or a Certificate of Data Destruction (depending on the sanitization method used) upon completion, for regulatory compliance purposes. The work will be done by “personnel without a stake in any part of the process,” an important guideline from NIST 800-88. After physical destruction, using a trusted vendor is the safest approach for data disposal.
However, there are free programs that can help you render your data unrecoverable at a set standard, such as DBAN, an open-source data wiping tool. While the program offers six different data destruction standards, it can’t erase SSDs, offers no tech support, and is only recommended for home use. Other free DIY programs that give you options on your sanitization method include Securely File Shredder, Freeraser, and Bitkiller.