This page contains a Flash digital edition of a book.
Out with the Old: But Where Should

Your Data Go? Addressing Data Sanitization Standards and Regulations WRITTEN BY PAUL KIRVAN


S part of your data storage and retention activities, there will be times when you need to

completely remove data from storage media. There will also be times when it makes sense to destroy the media on which data is stored. Data sanitization is the process of

totally and irreversibly destroying data stored on a storage device. Among the media devices that can be sanitized are magnetic disks, flash memory devices, CDs, and DVDs. If the device has been

properly sanitized, there should be no usable residual data, and even advanced forensic tools won’t be able to recover any data. Techniques for sanitization include specialized software that erases data, specialized devices that connect to the storage media and erase the data, and a process that physically destroys the media so data cannot be recovered from the storage device. In this tip, we’ll examine how current legislation, regulations, and standards address this issue.

18 WWW.PCCONNECTION.COM 1.800.800.0014

Standards and Practices Resources • ARMA International ( has a book called Contracted Destruction for Records and Information Media that provides guidance on how to obtain data and media destruction services. It can be used by users and data destruction vendors alike. • NIST Special Publication 800-88, Guidelines for Media Sanitization, September 2006. This standard, produced by the National Institute for Standards and Technology, provides detailed guidance on sanitizing data storage media. It supports key provisions of another widely used NIST standard, SP 800-53, Recommended Security Controls for Federal Information Systems. • US Department of Defense (DoD) 5220.22-M: National Industrial Security Program Operating Manual (NISPOM) provides baseline standards for the protection of classified information released or disclosed in connection with classified contracts under the National Industrial Security Program (NISP). Its guidelines include data sanitization; however, standards for sanitization are left up to individual Cognizant Security Authorities (who provide oversight on all aspects of security program management) within defense and intelligence community agencies.

Establish a Policy Start by establishing a data destruction policy to complement your data retention policy. Data retention policies and procedures are specific requirements in many current U.S. laws, such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). While data destruction is not specifically addressed in these and other laws, a data destruction policy ensures that devices and media no longer being used have their contents securely removed, destroyed, or overwritten, making it extremely difficult or impossible to later retrieve valuable data. Having a data destruction policy also reduces the likelihood of a data and/or privacy breach, thereby reducing the liability your organization could face as a result.

Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36