What is Media Sanitization?

How Media Sanitization Works

NIST media sanitization guidelines provide a simplified framework for erasing data from storage devices. The principles fall under the categories of clear, purge, and destroy. The government developed these guidelines, and media sanitization software companies widely adopt them to sanitize media while protecting sensitive information from leaking to unauthorized parties.

With today’s sophisticated access controls and encryption mechanisms, the likelihood that unauthorized third parties can gain direct access to sensitive information has been severely reduced. So for hackers, cybercriminals, or identity thieves looking to acquire valuable data, the best alternative is to attempt to retrieve residual information on storage media that have left an organization without being properly treated to render anything remaining on them unusable.

This information may be on paper, optical, electronic, or magnetic media — and to protect it from these data retrieval attempts, it and the storage devices holding it must be sanitized.

What is Media Sanitization?

According to the National Institute of Standards and Technology (NIST), media sanitization means “a process that renders access to target data on the media infeasible for a given level of effort.” More specifically, these are media sanitization methods that irreversibly remove data from storage media or permanently destroy the storage medium. NIST 800-88 media sanitization principles specify three categories of data destruction: clear, purge, and destroy, whereas NIST 800-53 media sanitization recommends companies assign two or more individuals to oversee the sanitization process. This requirement reduces errors and ensures the sanitization process is done as intended.

Devices covered by the NIST media sanitization categories include Solid-State Drives (SSDs), hard drives with magnetic disks, flash memory devices, old-school floppy disks, magnetic tape drives, CDs, and DVDs. The common standard applied in media sanitization software is the DoD media sanitization method, which erases data by overwriting hard disk drives and solid-state drives in three passes while verifying each pass to ensure data is destroyed effectively.

Different forms of storage device require different methods of sanitization. Still, all have one thing in common: Once a device has been properly sanitized, there shouldn’t be any residue of usable data on it, and even advanced forensic tools should be unable to recover any information from the storage medium.


Why Media Sanitization is Important

Information protection is a top priority in today’s economy, whether intellectual property, customer records, financial data, sensitive personal details, or electronic health data. Unfortunately, these information commodities are a valuable target for hackers and saboteurs, and any leakage or disclosure of them can have severe consequences for the individuals or organizations involved. Lost revenue, lost public trust, damage to reputations and brand images, or the legal and financial penalties of regulatory compliance breaches are just some of the possible results of information falling into the wrong hands.

When an organization is retiring old hardware and infrastructure, they may choose to dispose of equipment and storage media by charitable donation, internal or external transfers within the enterprise, or by recycling in accordance with relevant laws and guidelines. However, regardless of its final destination, the equipment must be reduced to a state where it’s impossible to reconstruct any residual information on its storage media.

Even in the course of normal business, media sanitization is a necessity. For example, organizations routinely have to archive or destroy backup data once its expiration date has passed, following corporate data retention policies and any conditions imposed by industry regulations or regulatory compliance frameworks.

Sanitization also factors into cloud or off-site data storage scenarios. For example, if you routinely back up data to an off-premises data centre or cloud service, when that information becomes due for expiration, responsibility for sanitizing the storage media rests with your remote IT managers or the cloud storage vendor. And you’ll need to take extra precautions to ensure that this information has indeed been scrubbed and that all media sanitization procedures have been properly documented.

Categories of Media Sanitization

The National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, gives detailed guidelines for data sanitization and how to sanitize a hard drive. These recommendations are based on the various ways in which organizations categorize information for data confidentiality and are in line with another widely used NIST standard, SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

Several techniques are commonly used for secure hard drive disposal, hard drive destruction, and the proper sanitization of electronic storage media. They include:


Media Sanitization Guidelines

NIST media sanitization guidelines provide legally and globally recognized principles for businesses to apply in their media sanitization processes. These measures also protect data from unauthorized access by giving clear methods to ensure data is erased completely and cannot be recovered. NIST guidelines for media sanitization apply to flash, magnetic, and any other type of storage device.

NIST SP 800-88, Guidelines for Media Sanitization, outlines three ways to erase data effectively:

Clear

This method provides moderate protection by erasing data from all user storage devices using logical techniques such as factory resets of the storage devices or overwriting with new data to erase old information.

Purge

Purging uses laboratory methods to permanently erase data in host protected areas and device configuration overlays. Companies should create data purge policies to ensure outdated data is removed regularly to create more storage space for newer data.

Destroy

Destruction also applies laboratory methods to destroy both the data and the storage device. This technique renders data completely unrecoverable by shredding, melting, incinerating, or pulverizing. Destruction is the most effective technique, especially for end-of-life storage devices.

Another important feature in the NIST guidelines for media sanitization is verification. Media sanitization is never complete without verification because confidential data may still be vulnerable to unauthorized access if data sanitization methods are ineffective. NIST lays out two verification options:

  • Verify sanitization applies to all types of data and storage media
  • Verify that data cannot be recovered from storage media

Blancco has automated the verification process for businesses to apply to their preferred sanitization procedures to bridge the gaps created by inadequate sanitization methods.
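The three-pass overwrite with per-pass verification described earlier, together with the "data cannot be recovered" check from the verification options above, as an added example (not code from NIST, the DoD, or any vendor named on this page). It assumes a file-backed image standing in for a real drive; the pass patterns and all function names are this example's own choices.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024
# Pass patterns are an assumption of this example: zeros, ones, then random.
PASSES = (b"\x00", b"\xff", None)  # None = fresh random bytes per chunk

def overwrite_pass(path, pattern):
    """Overwrite every byte once, then read back and compare digests."""
    remaining = os.path.getsize(path)
    written, read_back = hashlib.sha256(), hashlib.sha256()
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            block = os.urandom(n) if pattern is None else pattern * n
            f.write(block)
            written.update(block)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the pass to the backing store before verifying
        f.seek(0)
        while chunk := f.read(CHUNK):
            read_back.update(chunk)
    return written.digest() == read_back.digest()

def sanitize_image(path):
    """Run all three passes; return one verification result per pass."""
    return [overwrite_pass(path, p) for p in PASSES]

def contains(path, needle):
    """Residual-data check: does `needle` still occur anywhere in the image?"""
    with open(path, "rb") as f:
        return needle in f.read()

def demo():
    # Constructed sample: a ~1 MiB file standing in for a drive image.
    marker = b"CONSTRUCTED-SECRET-RECORD"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(512 * 1024) + marker + os.urandom(512 * 1024))
    try:
        before = contains(tmp.name, marker)
        results = sanitize_image(tmp.name)
        return before, results, contains(tmp.name, marker)
    finally:
        os.remove(tmp.name)

if __name__ == "__main__":
    print(demo())
```

The read-back here can be served from the operating system's cache, so on real hardware verification needs direct I/O against the device. An overwrite issued this way reaches only addressable blocks, not the host protected areas and device configuration overlays mentioned under Purge.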

Best Media Sanitization Practices

Media sanitization best practices for your organization begin with establishing a data destruction policy to run in line with your data retention policy. This policy governing media sanitization means that your company should set out procedures to guarantee that all storage devices and media that are no longer being used have their contents securely sanitized, destroyed, or overwritten, beyond the reach of laboratory attacks and advanced data recovery techniques. This will help reduce the risk of data leakage or breaches and help keep your organization in line with all relevant data privacy and data governance obligations.

In addition to a data destruction policy, you should also ensure that you have ready access to all relevant documentation concerning the Chain of Custody charting the handling of all equipment and storage media that are entrusted to third parties, and confirming the processes used to sanitize and destroy all data and media. So, for example, if you engage the expertise of a hard drive destruction service, make sure they provide a certificate of hard drive destruction (or Certificate of Destruction) for each hardware component they dispose of.


Note that most current legislation requiring data management policies and procedures also requires formal documentation of all data retention and destruction activities. So having this documentary evidence will assist your organization in meeting compliance obligations and in passing all the necessary audits.

Various government agencies have also set out formal guidelines and best practices for media sanitization and data destruction. For example, the Department of Defense, in its document DoD 5220.22, recommends that “Functional drives should be overwritten three times prior to disposal or reuse.” And NIST 800-88 states that “Modern hard disks can defy conventional forensic recovery after a single wiping pass.”

If you’re seeking outside help, ARMA International’s book Contracted Destruction for Records and Information Media offers guidance on how to obtain data and media destruction services.

Media Sanitization Process and Procedure

The media sanitization procedure below provides guidelines on how to erase data from your storage devices:

1. Define the Scope of Media Sanitization

The scope highlights the number of media devices with data to be sanitized, the data confidentiality levels, and the business functions the sanitization process serves. The scope should also include whether the sanitization process will be done on or off premises and which data sanitization company to engage for this exercise.

2. Identify a Data Sanitization Method

The data sanitization method is determined by the scope you defined above. For example, if the data is non-confidential and does not affect customer and business privacy policies, the clear and purge method is ideal. On the other hand, if the data is confidential and can affect business operations, the destruction method is the best choice. The best practice is to engage a data sanitization service to guide you on the best alternative for your needs.

TechReset specializes in data sanitization and other ITAD services. Our data sanitization methods effectively erase data while taking into account data privacy and sanitization cyber security concerns. We apply various techniques such as CMRR secure erase to destroy data on your hard drives and ensure environmentally safe processes.

Once we complete the data sanitization and verification process, we provide you with a detailed report that documents the sanitization results for audit purposes.

Contact us today so we can start the media sanitization process for your IT equipment.

What to Look for in a Hard Drive Disposal Service

Besides sustainable practices and alignment with your own CSR objectives, there are other criteria you can use in assessing a hard drive disposal service that can satisfy your needs.

Be wary of companies that advertise “shredding” but actually use a piston punch methodology. If incorrectly applied, a piston punch can leave data on drives in a recoverable state. Some of the less reputable disposal vendors may also try to outsource hard drive destruction to a third party.

Proper audit trails and documentation can guard against this to a large extent. A reputable hard drive disposal service should have no problem in providing a “Chain of Custody” trail charting each stage in the handling of your equipment — on paper, in photographs, and on video recordings. Some services will go the extra mile by fitting their facilities and transport vehicles with alarms and CCTV monitoring.

Each time the disposal service destroys a hard drive, they should provide a certificate of hard drive destruction, which acts as your documentary evidence of disposal for auditing and regulatory compliance purposes.

Finally, a reliable and NAID-certified hard drive disposal service may provide free quotations based on the number of items to be destroyed and offer a range of destruction methods geared towards different storage technologies.

TechReset specializes in the secure and sustainable disposal of electronic waste (e-waste) and secure erasure or eradication of all confidential data through hard drive shredding or certified data cleansing. We use industry best practices to repurpose older or unwanted IT assets in an environmentally friendly manner, providing our clients with peace of mind and, often, money back in their pockets.
