Article source: https://linkgeanie.com/technology/how-to-securely-sanitize-and-destroy-electronic-storage-media
Protecting personally identifying information, financial records, health records, intellectual property and even National Security Information online via network firewalls and virus detection gets all the attention, however, perhaps the most dangerous source of sensitive information is remnant data contained on retired electronic storage media. While it is important to secure the networks that provide access to your data, it is equally important to safely and securely dispose of a storage device.
As businesses contend with the reality of the shorter technology lifecycles, more frequent hardware replacement events, and exponential increase in stored data as well as relocate data center, disks, IoT and edge devices, and stricter data security and information privacy regulations, the need for safe and secure IT equipment disposition has become more critical.
Trends Toward Secure Disposition of Electronic Media
While there is greater awareness of the need for proper storage media sanitization and disposal, there is mismatch between intent and implementation.
A report found that while the majority (96%) of organizations has a data sanitization policy in place, there is a large gap between policy and reality. Only 44% of those respondents feel that their organization’s data sanitization policy is fully in place and has been communicated across the entire business.
Another study by the National Association for Information Destruction (NAID) found that 40 percent of devices resold in regular commerce channels contained PII that was relatively easy to access.
One of the factors that has led to this dismal reality is that many organizations plan for proper disposal of sensitive or personal identifiable information on hard drives, but fewer organizations consider all the other data and devices that pose a significant risk.
Let’s take a look at what constitutes electronic storage media and where can this media reside.
What is electronic storage media?
Electronic storage media is any user configurable device that can store electronic data. Examples of storage media include internal or external hard disks, flash memory cards and drives, CD, DVDs etc. A storage media can reside in a computer. It can also be found in the form of flash random access memory (RAM) chips in switches, routers, firewalls, printers and many other devices. For a full list of devices, please refer to Appendix A of the NIST SP 800-88, Rev 1.
Essentially, any retired storage media, i.e., any user configurable device that can store long term data on any electronic device that needs to be repurposed, returned or recycled should be properly disposed of or restored to factory default configuration to ensure data safety.
How to dispose of electronic storage media safely?
The National Information of Standards and Technology Special Publication 800-88 Rev 1 (NIST SP 800-88 R1) outlines basic procedures to follow to develop sound storage media disposition policies. Among them are understanding your storage media ecosystem, understanding the confidentiality and risk hierarchy, defining data disposition policies according to storage media type, utilizing appropriate data disposition methods, obtaining certification of disposition, and ensuring ongoing quality assurance.
Let us focus on appropriate data disposition methods by need and medi type.
The Federal Bureau of Investigation (FBI) outlines three general methods for safe disposition of electronic storage media (also referred to as “Clean, Purge and Destroy” by the NIST SP 800-88 Rev 1):
1. Overwriting (at least 3 times) - Instead of simply deleting data from the drive (which is not considered fool proof as deleted data retrieved from the device by file recovery utilities), it is strongly recommended to overwrite the stored data with binary digits. This is considered an effective method of clearing data from magnetic media. This method uses a program to overwrite stored data with 1s, 0s, or a combination of both.
2. Degaussing - This is a method to magnetically erase data from magnetic media (primarily hard disk drives or HDDs) by exposing magnetic drives to strong magnetic fields. Both strong magnets and electric degaussing methods exist. Your IT disposition partner will be able to suggest the most effective methods for degaussing your HDDs.
3. Destruction – This is considered an ultimate method of preventing someone from retrieving your information. Differences exist in how different types of electronic storage media are destroyed.
- Solid State Disk (SSDs) that use flash memory chips are usually pierced and deformed to render them useless. To add an extra layer of security, the SSDs are shredded into 10mm (3/8”) particle sizes in compliance with the NIST SP 800-88, Rev. 1 standards.
- Hard Drive Disks (HDDs) are set up for degaussing to demagnetize the magnetic rotational drives. They are then passed through high-capacity shredders that deform and shred them into 30mm average particles.
If you are considering reuse, resale or returning of storage devices, destruction is not an option. In those cases, overwriting is the preferable method that uses data sanitization programs to overwrite the stored data.
Conclusion
Today’s enterprises are collecting, storing, and using more data than ever before. A 2022 IDG Research survey found that, on average, data volumes are growing by 63 percent per month across organizations.
No matter the size of the enterprise, the threat of data leaks and breaches of sensitive information are among the top priorities for senior executives. A single data breach can have serious and long-term consequences, especially if Personally Identifiable Information (PII) is involved.
Recently, Morgan Stanley agreed to pay $60 million to settle a claim that it failed to safeguard PII when decommissioning data center equipment in 2016 and 2019. This is not an isolated incident. Recently, a community health center in Massachusetts came under intense scrutiny when improper data destruction compromised more than 100,000 protected health information (PHI) of customers.
Making sure that you follow steps to create a breach-proof electronic storage media disposition policy is just a start. It is as important, if not more, to make sure your ITAD vendor is sophisticated and experienced enough to undertake proper disposition of all IT assets whether for reuse or permanent destruction.
About the Author
Sphaera (Greek – Sphere) is a trusted IT services partner that provides full lifecycle IT management to network service provider’s data center infrastructure services, and Fortune 2000 enterprises. With proven experience and expertise from design to decommission, Sphaera owns the complexity and risk when building & managing mission critical IT infrastructure and helps companies deploy critical wireless and IT infrastructure, enhance performance, align technologies with the needs of their business, and elevate the strength of internal IT departments to ensure technology is an enabler of business performance.
Sphaera is strategically headquartered in Hillsboro, OR, with major delivery hubs in the San Francisco Bay Area, Chicago, Atlanta, New York, Las Vegas, the “Texas Triangle”, and the Northern Virginia locales.
