Data Sanitization Guideline
Data sanitization is required for Confidentiality and Data Loss Prevention. This document provides Iowa State's surplus store with a guideline for data/media sanitization. It should not be taken to contradict the mandatory and binding Federal, State or Iowa State contract guidelines and standards.
NIST SP 800-88
This page provides an overview of NIST 800-88, the best reference guide to data sanitization. This document is evaluated yearly for content accuracy, revision or update as per NIST SP 800-88 guidelines for Media Sanitization.
Excerpt from NIST 800-88 Media sanitization guidelines:
"The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media. With the advanced features of today’s operating systems, electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information…"
Before sanitizing information on the media, preserve the information, if needed, for legal requirements. For more information, visit Iowa State's Records Retention Policy.
Definition of Sanitization
Data sanitization is a process that renders access to media data infeasible for a given level of effort.
A single overwrite pass with a fixed pattern typically hinders recovery of data on storage devices with magnetic media, even when state-of-the-art laboratory techniques are used to attempt retrieval. However, this method does not address areas not currently mapped to active Logical Block Addressing (LBA) addresses. Dedicated sanitize commands address these areas more effectively.
Cryptographic Erase (CE) is an emerging sanitization technique used in situations where stored data is encrypted. CE sanitizes the cryptographic keys used to encrypt the data as opposed to sanitizing the encrypted data storage locations. CE techniques are typically capable of sanitizing media very quickly and could support partial sanitization. Partial sanitization, sometimes referred to as selective sanitization, is a technique where a subset of storage media is sanitized. It has potential applications in cloud computing and mobile devices.
Without an effective command or interface-based sanitization technique, the only option left may be to destroy the media. In this case, repurposing or reusing the media by other organizations cannot occur.
Educational institutions record and store sensitive and private information outside of central IT systems on various devices and removable media. The information is recorded and maintained by university and college faculty, administrators, and staff members.
Sensitive data may be stored on:
- Physical paper
- Hard Drives (fixed or removable) - Servers, workstations and laptops
- RAM (Random Access Memory)
- ROM (Read Only Memory)
- Mobile Devices – Implantable and Wearable devices, Smartphones and tablets
- Computing devices
- Networking devices
- mp3 players (in data mode)
- USB portable drives (for example, flash drives)
- SD cards and other removable memory cards
- CDs and DVDs
Data Sanitization Methods
Organizations should take care in identifying media for sanitization. Many items used will contain multiple forms of media that may require different methods of sanitization. Contact logistics and support services (Iowa State surplus) or your local system administrators for media sanitization. Vendors specific to the media should be consulted for the best way to sanitize it.
Data Sanitization Approaches
|Type of Erasure||Average Time (100 GB)||Security||Comments|
|Normal File Deletion||Minutes||Very Poor||Deletes only file pointers, not actual data|
|DoD 5220 Block Erase||Up to several days||Medium||Need 3 writes + verify, cannot erase reassigned blocks|
|Secure Erase||1-2 hours||High||In-drive overwrite of all user accessible records|
|NIST 800-88 Enhanced Secure Erase||Seconds||Very high||Change in-drive encryption key|
Sanitization Data Type Control Chart (RECOMMENDED)
|Control (as applicable)||Data Type|
|Electronic Media is sanitized prior to reuse||Recommended||Required all Partition and sector||Required all Partition and sector|
|Electronic Media is destroyed prior to disposal||Recommended||Required||Required|
|Paper-based and/or written Media is destroyed prior to disposal||Optional||Recommended||Required|
Sanitization Techniques by Media Type
Clear, Purge, and as needed, Destroy media/device by type.
Disposal: Discarding media without sanitizing. Appropriate if a loss of confidentiality of the information would have no impact on the organization.
Clearing: Protects confidentiality of information against keyboard attack. Overwriting is an acceptable method of clearing.
Purging: Protects confidentiality of information against laboratory attack. Executing the secure erase firmware command on a disk drive and degaussing are acceptable methods of purging. Degaussing is not effective for optical media (e.g., CDs, DVDs).
Destroying: Intent is to completely destroy the media. Disintegration, incineration, pulverizing, shredding and melting are methods to accomplish destruction. Pulverizing, shredding or incineration are methods to destroy Optical media (e.g., CDs, DVDs).
|Media / Device Type||Clear||Purge||Destroy||Recommended|
|Floppy Disks||Overwrite||Degauss*||Incinerate or shred||Shred|
|ATA Hard Drives||Overwrite||Secure Erase, degauss, or disassemble and degauss the enclosed platters||Disintegrate, pulverize, incinerate||See Data Type control chart|
|USB Removable Drives||Overwrite||Secure Erase, degauss*, or disassemble and degauss the enclosed platters*||Disintegrate, pulverize, incinerate||Degauss and/or Destroy|
|Zip Disks||Overwrite||Degauss*||Incinerate or shred||Shred|
|SCSI Drives||Overwrite||Secure Erase, degauss*, or disassemble and degauss the enclosed platters*||Disintegrate, pulverize, incinerate||See Data Type control chart|
|Magnetic Tapes||Overwrite||Degauss*||Incinerate or shred||Degauss|
|CDs/DVDs||N/A||N/A||Optical disk grinding device, incinerate, shred.|
Current acceptable particle size for shredded disk is nominal edge dimensions of 5 millimeters and surface area of 25 square millimeters. Any future disk media shredders obtained should reduce CD/DVD to surface area of .25 millimeters.
|Cameras||NA||NA||NA||Scrubbing all sensitive data from storage devices such as hard|
|Mobile devices (Phones)||Wiping and scrubbing all sensitive data from storage devices such as hard drives and memory cards|
|Mobile devices (Tablets)||Overwrite||Degauss*||Degauss using an NSA/CSS approved degausser||Degauss*|
*Degauss must be done using an NSA/CSS approved degausser
Certificate of Media Disposition
Following sanitization, complete Iowa State surplus' excess property disposal form along with a certificate of media disposition for each piece of electronic media that has been sanitized. A certification of media disposition may be a paper or electronic record documenting the action taken. For example, most modern hard drives include bar codes on the label for values such as model and serial numbers. The person performing the sanitization might simply enter the details into a tracking application and scan each bar code as the media is sanitized.
When fully completed, the certificate should record at least the following details:
- Serial Number
- Organizationally Assigned Media or Property Number (if applicable)
- Media Type (i.e., magnetic, flash memory, hybrid, etc.)
- Media Source (i.e., user or computer the media came from)
- Pre-Sanitization Confidentiality Categorization (optional)
- Sanitization Description (i.e., Clear, Purge, Destroy)
- Method Used (i.e., degauss, overwrite, block erase, crypto erase, etc.)
- Tool Used (including version)
- Verification Method (i.e., full, quick sampling, etc.)
- Post-Sanitization Confidentiality Categorization (optional)
- Post-Sanitization Destination (if known)
- For Both Sanitization and Verification:
  - Name of Person
  - Position/Title of Person
  - Phone or Other Contact Information
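The single-pass overwrite from the definition section and the certificate fields listed above, tied together as an added example (not Iowa State's or NIST's tooling): it clears a file image standing in for a drive, verifies it by full read-back or quick sampling, and refuses to issue a certificate record if a required field is missing or verification failed. The key names in `REQUIRED` and the sample values are assumptions of this example; as the page notes, an overwrite like this is a Clear and does not reach areas not mapped to active LBA addresses.

```python
import os, random, tempfile

CHUNK = 1 << 20  # write 1 MiB at a time
# Key names are this example's own, mapped from the certificate list above.
REQUIRED = ("serial_number", "media_type", "media_source", "sanitization",
            "method", "tool", "verification", "sanitized_by", "verified_by")

def clear_overwrite(path, pattern=b"\x00"):
    """One overwrite pass with a fixed byte over every addressable byte."""
    size = left = os.path.getsize(path)
    with open(path, "r+b") as dev:
        while left:
            n = min(CHUNK, left)
            dev.write(pattern * n)
            left -= n
        dev.flush()
        os.fsync(dev.fileno())  # push the pass out of the OS cache
    return size

def verify(path, pattern=b"\x00", samples=None, block=4096):
    """Full read-back if samples is None, else that many random blocks."""
    nblocks = -(-os.path.getsize(path) // block)  # ceiling division
    picks = range(nblocks) if samples is None else random.sample(
        range(nblocks), min(samples, nblocks))
    with open(path, "rb") as dev:
        for i in picks:
            dev.seek(i * block)
            data = dev.read(block)
            if data != pattern * len(data):
                return False
    return True

def certificate(fields, verified):
    """Refuse to certify on missing fields or failed verification."""
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing or not verified:
        raise ValueError(f"cannot certify: missing={missing} verified={verified}")
    return dict(fields, verified=True)

def demo():
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(os.urandom(2 * CHUNK + 100))  # constructed sample "drive"
    try:
        clear_overwrite(f.name)
        rec = dict.fromkeys(REQUIRED, "CONSTRUCTED-SAMPLE")
        rec.update(sanitization="Clear", method="overwrite", verification="full")
        return certificate(rec, verify(f.name))
    finally:
        os.unlink(f.name)
```

Sampling (`samples=N`) is faster but can miss a leftover block, so the record should state which verification method was actually used.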