data sanitization and disposal: best practices
TRANSCRIPT
Data Sanitization and
Disposal: Best Practices
Ed Pletner - CEO
Christian Lardie - IT Project Coordinator
Laws, Regulations, & Liabilities ●FACTA: Fair and Accurate Credit Transactions Act
●“any person who maintains or otherwise possesses
consumer information for a business purpose” must
properly destroy discarded information.
●“must properly dispose of such information by taking
reasonable measures to protect against unauthorized
access to or use of the information in connection with its
disposal.
●Civil Liability, Class Action, Federal Enforcement, State
Enforcement
●Others: HIPAA, HITECH, PCI DSS, Sarbanes-Oxley,
Graham-Leech-Bliley, etc.
Techniques for Data Destruction
• Shredding: Industrial Hard Drive
Shredding Machine (ex Ameri-shred)
• Degaussing: Magnetic data on a tape or
hard disk is neutralized or erased. Makes
media unusable and damages the
storage system
Techniques for Data Destruction • Wiping: Overwriting of data with 1s and 0s or non-
sensitive data
• Free Wiping Software: Ex. Dban, ActiveKillDisk
• Advantage: Free and easy to use
• Disadvantage: No validation of wipe
• Paid Wiping Software: Ex. Tabernus, WipeDrive
• Advantages: Error handling of failed drives,
Reporting/Logging of successful data erasure
• Disadvantage: Costs
Myths of Data Destruction
• A simple re-format/delete is adequate
• SSDs should be treated the same as Hard
Drives
• Hammer to hard drive
NIST Media Sanitization Guidelines
• NIST (National Institute of Standards and
Technology)
• Updated from older 3-Pass (DOD 5220.22-M)
• For ATA disk drives manufactured after 2001
(over 15 GB) clearing by overwriting the media
once is adequate to protect the media from
both keyboard and laboratory attack.
NIST Sanitization Methods
●Clear applies logical techniques to sanitize data in all user-addressable
storage locations for protection against simple non-invasive data recovery
techniques; typically applied through the standard Read and Write
commands to the storage device
● Ex. Software Wipe (1 or more Pass)
●Purge applies physical or logical techniques that render Target Data
recovery infeasible using state of the art laboratory techniques.
● Ex. ATA SecureErase; Cryptographic Erase, Degauss
●Destroy renders Target Data recovery infeasible using state of the art
laboratory techniques and results in the subsequent inability to use the
media for storage of data
● Ex. Shred, Incinerate, Pulverize
1. Manufacturer
2. Model
3. Serial Number
4. Media Type
5. Sanitization Description
(Clear, Purge, Destroy)
6. Method Used (degauss,
overwrite, block erase,
crypto erase, shred)
7. Verification Method
8. Signed & Dated
Documentation
CERTIFICATE OF DESTRUCTION THIS IS TO CERTIFY THAT ALL MATERIALS RECEIVED FROM THE BELOW LISTED CUSTOMER FOR
DESTRUCTION WERE DESTROYED AND WILL BE RECYCLED IN ACCORDANCE WITH ALL APPLICABLE FEDERAL, STATE, AND LOCAL REGULATIONS. WE FURTHER WARRANT THAT
REASONABLE PRECAUTIONS WERE TAKEN TO PREVENT ANY UNAUTHORIZED THIRD PARTY FROM GAINING ACCESS TO THE MATERIALS WHILE IN OUR POSSESSION TO FINAL DISPOSITION
Customer Location:
ABC Company
123 Street Dr.
San Diego, CA 92111
650 Gateway Center Way, Suite I
San Diego, CA 92102
858-715-0950
www.avritek.com
________________________Destruction Certified By Date
Generator Location:
ABC Company
123 Street Dr.
San Diego, CA 92111
Material Description(s): 100 Hard Drives Shredded/Wiped (see attached excel sheet for
Serials).
REFERENCE #:
PT-1244
Mobile Device Security
●Factory Reset
●Blackberry: Security Wipe
●Android: Encrypt then factory reset
●Apple (iPad & iPhone): Enable Data Protection then
“Erase All Content”
●Software Wipe via Tabernus or WipeDrive Mobile
●Reporting
●Utilizes the factory reset partition
●Shred