Request for Technical Assistance
Provide technical assistance addressing media sanitization requirements.
When selecting the method and mechanism for media sanitization, consideration should first be given to the confidentiality of the information contained on that media, and second the media type. The security categorization of the confidentiality of the information along with the cost vs. benefit of a media sanitization process, and environmental factors such as type of media, size of media, and who has control of the media, help determine how to deal with sanitization and disposal of the media.
Since the taxpayer information required to be protected by Internal Revenue Code (IRC) Section 6103 and IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, is deemed to have a moderate security categorization level for confidentiality, the moderate level should be used to drive decisions regarding media sanitization and disposal.
Media Sanitization Methods
There are four methods of media sanitization, each appropriate for different situations and each provide varying levels of protection for the confidentiality of the information contained on the media:
Type |
Description |
Disposal |
Discarding media without sanitizing. Appropriate if a loss of confidentiality of the information would have no impact on the organization. |
Clearing |
Protects confidentiality of information against keyboard attack. Overwriting is an acceptable method of clearing. |
Purging |
Protects confidentiality of information against laboratory attack. Executing the secure erase firmware command on a disk drive and degaussing are acceptable methods of purging. Degaussing is not effective for optical media (e.g., CDs, DVDs). |
Destroying |
Intent is to completely destroy the media. Can be accomplished using a variety of methods including disintegration, incineration, pulverizing, shredding and melting. Optical media (e.g., CDs, DVDs) must be destroyed by pulverizing, shredding or incineration. |
National Institute of Standards & Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization, provides the following guidance for media sanitization and disposition decision making for information that has a confidentiality security categorization of moderate:
If the media will be reused, and will be leaving organization control then purging should be selected as the sanitization method. If the media will be reused, and will not be leaving organization control then clearing is a sufficient method of sanitization. If the media will not be reused at all, then destroying is the method for media sanitization.
NIST provides the following guidance for sanitization on different types of removable media. The table below describes the NIST-recommended sanitization method for different media types and methods. Specific standards and approved products can be found in the NSA-approved product lists below.
Media Type |
Clear |
Purge |
Destroy |
Floppy Disks |
Overwrite |
Degauss using a NSA/CSS approved degausser |
Incinerate or shred |
ATA Hard Drives |
Overwrite |
Secure Erase, degauss, or disassemble and degauss the enclosed platters |
Disintegrate, pulverize, incinerate |
USB Removable Drives |
Overwrite |
Secure Erase, degauss using a NSA/CSS approved degausser, or disassemble and degauss the enclosed platters using a NSA/CSS approved degausser |
Disintegrate, pulverize, incinerate |
Zip Disks |
Overwrite |
Degauss using a NSA/CSS approved degausser |
Incinerate or shred |
SCSI Drives |
Overwrite |
Secure Erase, degauss using a NSA/CSS approved degausser, or disassemble and degauss the enclosed platters using a NSA/CSS approved degausser |
Disintegrate, pulverize, incinerate |
Magnetic Tapes |
Overwrite |
Degauss using a NSA/CSS approved degausser |
Incinerate or shred |
CDs/DVDs |
N/A |
N/A |
Optical disk grinding device, incinerate, shred.
Current acceptable particle size for shredded disk is nominal edge dimensions of 5 millimeters and surface area of 25 square millimeters. Any future disk media shredders obtained should reduce CD/DVD to surface area of .25 millimeters.
|
Verifying the success of the media sanitization and disposal process is an important step to perform to ensure information confidentiality is maintained. A representative sample of the sanitized media should be selected and tested for proper sanitization.
Documenting a record of media sanitization activities is an important part of the media sanitization and disposal process to ensure proper accountability and inventory control. The record of sanitization should list what media were sanitized, date of the sanitization, the sanitization method used, and the final disposition of the media.
Media Sanitization Standards
To identify specific approved products and standards to perform media sanitization, NIST encourages organizations to seek products they can evaluate on their own, use a trusted service or other Federal organizations’ evaluation.
References/Related Topics
|