Data Sanitization Guideline


Data sanitization is required for confidentiality and data loss prevention. This document gives Iowa State's surplus store a guideline for data and media sanitization. It does not replace or contradict the mandatory and binding Federal, State, or Iowa State contract guidelines and standards.

NIST SP 800-88

This page provides an overview of NIST SP 800-88, the primary reference guide for data sanitization. This document is reviewed yearly for content accuracy and revised or updated to follow the NIST SP 800-88 guidelines for media sanitization.

Excerpt from NIST 800-88 Media sanitization guidelines:

"The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media. With the advanced features of today’s operating systems, electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information…”

Assumption

Before sanitizing information on the media, preserve any information that must be kept for legal or records-retention requirements. For more information, see Iowa State's Records Retention Policy.

Definition of Sanitization

Data sanitization is a process that renders access to target data on the media infeasible for a given level of effort.

On storage devices with magnetic media, a single overwrite pass with a fixed pattern (such as binary zeros) typically hinders recovery of the data, even when state-of-the-art laboratory techniques are applied to retrieve it. However, overwriting reaches only the areas currently mapped to active Logical Block Addressing (LBA) addresses; remapped sectors and other unmapped areas are not addressed. Dedicated sanitize commands in the drive firmware address these areas more effectively.
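As an added example (not part of the guideline, and not a tool that Iowa State surplus uses), the following Python script performs the single fixed-pattern overwrite described above and then reads the media back to verify it, either in full or by random sampling, returning the fields a certificate of media disposition records for that step. It is written for a regular file or a raw block device path (for example /dev/sdX on Linux, an assumption about the platform). It only reaches the addresses the operating system exposes, so it cannot touch remapped sectors or flash over-provisioning, which is exactly the limitation the paragraph above describes. The demo() function runs it on a temporary file of constructed random data rather than on a real drive.

```python
"""Clear by single fixed-pattern overwrite, then read-back verification.

Added illustration only. It reaches only the addresses the OS exposes (the
active LBA range of a block device, or the bytes of a file); remapped sectors
and over-provisioned flash are not touched, so this is a Clear, not a Purge.
"""
import os
import random
import tempfile
from typing import Optional, Tuple

CHUNK = 1 << 20  # 1 MiB I/O granularity


def _media_size(fd: int) -> int:
    # Works for regular files and raw block devices alike
    # (os.path.getsize reports 0 for a block device on Linux).
    return os.lseek(fd, 0, os.SEEK_END)


def _expected(pattern: bytes, offset: int, length: int) -> bytes:
    # The pattern repeated from media offset 0, sliced to [offset, offset+length)
    # so multi-byte patterns stay aligned across chunk boundaries.
    start = offset % len(pattern)
    return (pattern * (length // len(pattern) + 2))[start:start + length]


def overwrite_fixed_pattern(path: str, pattern: bytes = b"\x00") -> int:
    """Write `pattern` over every addressable byte of `path`; return bytes written."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = _media_size(fd)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            # pwrite may return a short count; advance by what actually landed
            written += os.pwrite(fd, _expected(pattern, written, n), written)
        os.fsync(fd)  # push the writes out of the page cache onto the media
        return written
    finally:
        os.close(fd)


def verify_overwrite(path: str, pattern: bytes = b"\x00",
                     sample_fraction: Optional[float] = None,
                     seed: int = 0) -> Tuple[bool, int, Optional[int]]:
    """Read back and compare against the pattern.
    sample_fraction=None reads everything ("full"); otherwise a seeded
    pseudo-random subset of 1 MiB chunks is read ("quick sampling").
    Returns (ok, bytes_checked, offset_of_first_mismatch_or_None)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        size = _media_size(fd)
        nchunks = (size + CHUNK - 1) // CHUNK
        chunks = range(nchunks)
        if sample_fraction is not None and nchunks:
            k = max(1, int(nchunks * sample_fraction))
            chunks = sorted(random.Random(seed).sample(range(nchunks), k))
        checked = 0
        for i in chunks:
            off = i * CHUNK
            n = min(CHUNK, size - off)
            if os.pread(fd, n, off) != _expected(pattern, off, n):
                return False, checked, off
            checked += n
        return True, checked, None
    finally:
        os.close(fd)


def clear_and_record(path: str, pattern: bytes = b"\x00",
                     sample_fraction: Optional[float] = None) -> dict:
    """Run Clear plus verification; return the certificate fields for this step."""
    written = overwrite_fixed_pattern(path, pattern)
    ok, checked, bad = verify_overwrite(path, pattern, sample_fraction)
    return {
        "sanitization": "Clear",
        "method": "overwrite, single pass, pattern 0x" + pattern.hex(),
        "tool": "overwrite_fixed_pattern example script",
        "verification": "full" if sample_fraction is None
                        else "quick sampling (%.0f%%)" % (100 * sample_fraction),
        "bytes_written": written,
        "bytes_verified": checked,
        "verified": ok,
        "first_mismatch_offset": bad,
    }


def demo(size: int = 3 * CHUNK + 12345) -> dict:
    """Stand-alone run on a temporary file of constructed random data
    (a stand-in for a drive, so nothing real is ever overwritten)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(size))
        path = tmp.name
    try:
        before = verify_overwrite(path)            # random data must not pass
        full = clear_and_record(path)              # overwrite + full read-back
        sampled = verify_overwrite(path, sample_fraction=0.5)
        return {"size": size, "before_ok": before[0], "full": full,
                "sampled_ok": sampled[0], "sampled_bytes": sampled[1]}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Full read-back is the verification to record for Private or Restricted data; sampled verification is faster but only gives statistical confidence, and the chunk list is seeded so the certificate can state exactly which regions were checked.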

Cryptographic Erase (CE) is an emerging sanitization technique for situations in which the stored data is encrypted. CE sanitizes the cryptographic keys used to encrypt the data rather than the storage locations that hold the encrypted data. CE techniques are typically capable of sanitizing media very quickly and can support partial sanitization. Partial sanitization, sometimes called selective sanitization, sanitizes only a subset of the storage media; it has potential applications in cloud computing and on mobile devices.
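As an added example (not the guideline's code and not any vendor's firmware), the following Python model shows what Cryptographic Erase does to the media and why it supports partial (selective) sanitization: each region (think partition or namespace) has its own data-encryption key, the region keys are wrapped under a device master key, and erasing means destroying a key while the ciphertext stays where it is. The keystream is HMAC-SHA256 in counter mode, a deliberately simple stand-in for the AES-XTS a real self-encrypting drive uses; the region numbers and sample strings are constructed. It also models the main caveat: anything written before encryption was enabled is not protected by CE and must be sanitized another way.

```python
"""Cryptographic Erase (CE) model: ciphertext stays on the media; sanitization
destroys the key that makes it readable. Added illustration only. The keystream
is HMAC-SHA256 in counter mode, a stand-in for the AES-XTS of a real
self-encrypting drive; the key hierarchy (per-region DEKs wrapped by a device
master key) is the part that matters for CE and selective sanitization.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, label: int, nbytes: int) -> bytes:
    # Deterministic keystream derived from (key, label, counter).
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        msg = label.to_bytes(4, "big") + ctr.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingMedia:
    """One data-encryption key (DEK) per region, each wrapped under the device
    master key; `media` holds exactly the bytes that would sit on the platters/NAND."""

    WRAP_LABEL = 0xFFFF0000  # keeps wrapping keystreams apart from data keystreams

    def __init__(self):
        self.master = os.urandom(32)   # device master key, held in drive NVRAM
        self.wrapped = {}              # region -> wrapped DEK (None once erased)
        self.media = {}                # region -> bytes physically stored
        self.plain_regions = set()     # written before encryption was enabled

    def _wrap(self, region: int, dek: bytes) -> bytes:
        if self.master is None:
            raise RuntimeError("master key destroyed; device must be re-provisioned")
        return _xor(dek, _keystream(self.master, self.WRAP_LABEL | region, len(dek)))

    _unwrap = _wrap  # XOR with the same keystream undoes the wrap

    def write(self, region: int, data: bytes, encrypt: bool = True) -> None:
        if not encrypt:                # legacy data: landed before encryption was on
            self.media[region] = data
            self.plain_regions.add(region)
            return
        if self.wrapped.get(region) is None:          # fresh DEK for a new/erased region
            self.wrapped[region] = self._wrap(region, os.urandom(32))
        dek = self._unwrap(region, self.wrapped[region])
        self.media[region] = _xor(data, _keystream(dek, region, len(data)))
        self.plain_regions.discard(region)

    def read(self, region: int):
        """Returns plaintext, or None when the key needed to decrypt is gone."""
        if region in self.plain_regions:
            return self.media[region]  # CE never protected this region
        if self.master is None or self.wrapped.get(region) is None:
            return None                # ciphertext still present but unreadable
        dek = self._unwrap(region, self.wrapped[region])
        ct = self.media[region]
        return _xor(ct, _keystream(dek, region, len(ct)))

    def crypto_erase(self, region: int) -> None:
        """Selective (partial) sanitization: destroy one region's DEK only."""
        self.wrapped[region] = None

    def crypto_erase_all(self) -> set:
        """Whole-device CE: destroy the master key. Returns the regions CE did
        NOT cover, which still need overwrite, purge, or destruction."""
        self.master = None
        return set(self.plain_regions)


def demo() -> dict:
    """Constructed walk-through: three regions, one written unencrypted."""
    dev = SelfEncryptingMedia()
    grades = b"student grade export (FERPA-covered)"
    photos = b"departmental event photos (public)"
    legacy = b"written before encryption was enabled"
    dev.write(1, grades)
    dev.write(2, photos)
    dev.write(3, legacy, encrypt=False)
    ct_before = dev.media[1]
    roundtrip_ok = dev.read(1) == grades and dev.read(2) == photos
    dev.crypto_erase(1)                     # sanitize region 1 only
    partial = (dev.read(1), dev.read(2), dev.media[1] == ct_before)
    uncovered = dev.crypto_erase_all()      # then the whole device
    return {"roundtrip_ok": roundtrip_ok, "ciphertext_on_media": ct_before != grades,
            "after_partial": partial,
            "after_all": (dev.read(1), dev.read(2), dev.read(3)),
            "uncovered_regions": uncovered}


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: after crypto_erase(1) the bytes in media[1] are unchanged, which is why CE takes seconds regardless of capacity, and region 3 survives crypto_erase_all because it was never encrypted, which is why CE is only acceptable when the device encrypted all data from the start and the keys were never exposed outside the drive.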

Background

Without an effective command- or interface-based sanitization technique, the only option left may be to destroy the media. In that case the media cannot be repurposed or reused by other organizations.

Educational institutions record and store sensitive and private information outside of central IT systems on various devices and removable media. The information is recorded and maintained by university and college faculty, administrators, and staff members.

Sensitive data may include:

  • Information classified by the institution's administration
  • Information protected by laws such as FERPA, HIPAA, GLBA, and state law
  • Information that could lead to identity theft, institutional embarrassment, or loss of personal privacy
  • Licensed software or restricted intellectual property.

Media Types

Physical Media

  • Physical paper
  • Ribbons
  • Drums

Electronic Media

  • Hard drives (fixed or removable) in servers, workstations, and laptops
  • RAM (Random Access Memory)
  • ROM (Read Only Memory)
  • Disks
  • Mobile Devices – Implantable and Wearable devices, Smartphones and tablets
  • Computing devices
  • Networking devices
  • Cameras
  • mp3 players (in data mode)
  • USB portable drives (for example, flash drives)
  • SD cards and other removable memory cards
  • CDs and DVDs

Data Sanitization Methods

Organizations should take care in identifying media for sanitization. Many items contain multiple forms of media that may require different sanitization methods (for example, a laptop has a hard drive or SSD, RAM, and possibly an SD card). Contact Logistics and Support Services (Iowa State surplus) or your local system administrators for media sanitization. The media vendor should be consulted on the best way to sanitize a specific type of media.

Data Sanitization Approaches

Type of Erasure                   | Average Time (100 GB) | Security  | Comments
----------------------------------|-----------------------|-----------|---------------------------------------------------------
Normal File Deletion              | Minutes               | Very poor | Deletes only file pointers, not the actual data
DoD 5220 Block Erase              | Up to several days    | Medium    | Needs 3 writes + verify; cannot erase reassigned blocks
Secure Erase                      | 1-2 hours             | High      | In-drive overwrite of all user-accessible records
NIST 800-88 Enhanced Secure Erase | Seconds               | Very high | Changes the in-drive encryption key

Sanitization Data Type Control Chart (RECOMMENDED)

Control (as applicable)                                         | Public      | Private                               | Restricted
----------------------------------------------------------------|-------------|---------------------------------------|---------------------------------------
Electronic media is sanitized prior to reuse                    | Recommended | Required (all partitions and sectors) | Required (all partitions and sectors)
Electronic media is destroyed prior to disposal                 | Recommended | Required                              | Required
Paper-based and/or written media is destroyed prior to disposal | Optional    | Recommended                           | Required

Sanitization Techniques by Media Type

Clear, Purge, or, as needed, Destroy media and devices according to their type, using the definitions and the table below.

Disposal: Discarding media without sanitizing. Appropriate if a loss of confidentiality of the information would have no impact on the organization.

Clearing: Protects the confidentiality of information against a keyboard attack, that is, recovery using the system's own software or data-, disk- and file-recovery utilities, without laboratory equipment. Simple file deletion is not sufficient. Overwriting is an acceptable method of clearing.

Purging: Protects the confidentiality of information against a laboratory attack, in which signal-processing equipment and specially trained personnel attempt to recover data from the media. Executing the secure erase firmware command on a disk drive and degaussing are acceptable methods of purging. Degaussing is not effective for optical media (e.g., CDs, DVDs).

Destroying: Intent is to completely destroy the media. Disintegration, incineration, pulverizing, shredding and melting are methods to accomplish destruction. Pulverizing, shredding or incineration are methods to destroy Optical media (e.g., CDs, DVDs).

Media / Device Type: Floppy Disks
  Clear:       Overwrite
  Purge:       Degauss*
  Destroy:     Incinerate or shred
  Recommended: Shred

Media / Device Type: ATA Hard Drives
  Clear:       Overwrite
  Purge:       Secure Erase, degauss*, or disassemble and degauss the enclosed platters*
  Destroy:     Disintegrate, pulverize, incinerate
  Recommended: See Data Type control chart

Media / Device Type: USB Removable Drives
  Clear:       Overwrite
  Purge:       Secure Erase, degauss*, or disassemble and degauss the enclosed platters*
  Destroy:     Disintegrate, pulverize, incinerate
  Recommended: Degauss* and/or destroy

Media / Device Type: Zip Disks
  Clear:       Overwrite
  Purge:       Degauss*
  Destroy:     Incinerate or shred
  Recommended: Shred

Media / Device Type: SCSI Drives
  Clear:       Overwrite
  Purge:       Secure Erase, degauss*, or disassemble and degauss the enclosed platters*
  Destroy:     Disintegrate, pulverize, incinerate
  Recommended: See Data Type control chart

Media / Device Type: Magnetic Tapes
  Clear:       Overwrite
  Purge:       Degauss*
  Destroy:     Incinerate or shred
  Recommended: Degauss*

Media / Device Type: CDs/DVDs
  Clear:       N/A
  Purge:       N/A
  Destroy:     Optical disk grinding device, incinerate, or shred. The current acceptable particle size for shredded disks is nominal edge dimensions of 5 millimeters and a surface area of 25 square millimeters. Any future optical disk media shredders obtained should reduce CDs/DVDs to a surface area of 0.25 square millimeters.
  Recommended: Shred

Media / Device Type: Cameras
  Clear:       NA
  Purge:       NA
  Destroy:     NA
  Recommended: Scrub all sensitive data from storage devices such as hard drives and memory cards

Media / Device Type: Mobile devices (Phones)
  Recommended: Wipe and scrub all sensitive data from storage devices such as hard drives and memory cards

Media / Device Type: Mobile devices (Tablets)
  Clear:       Overwrite
  Purge:       Degauss*
  Destroy:     Degauss using an NSA/CSS approved degausser
  Recommended: Degauss*

*Degaussing must be done using an NSA/CSS approved degausser. Degaussing affects only magnetic media; it does not sanitize flash memory (USB flash drives, SD cards, solid-state drives, and the storage built into phones and tablets). For flash-based devices, use the vendor's secure erase or cryptographic erase command, or destroy the device.

Certificate of Media Disposition

Following sanitization, complete Iowa State surplus' excess property disposal form along with a certificate of media disposition for each piece of electronic media that has been sanitized. A certification of media disposition may be a paper or electronic record documenting the action taken. For example, most modern hard drives include bar codes on the label for values such as model and serial numbers. The person performing the sanitization might simply enter the details into a tracking application and scan each bar code as the media is sanitized.

When fully completed, the certificate should record at least the following details:

  • Manufacturer
  • Model
  • Serial Number
  • Organizationally Assigned Media or Property Number (if applicable)
  • Media Type (i.e., magnetic, flash memory, hybrid, etc.)
  • Media Source (i.e., user or computer the media came from)
  • Pre-Sanitization Confidentiality Categorization (optional)
  • Sanitization Description (i.e., Clear, Purge, Destroy)
  • Method Used (i.e., degauss, overwrite, block erase, crypto erase, etc.)
  • Tool Used (including version)
  • Verification Method (i.e., full, quick sampling, etc.)
  • Post-Sanitization Confidentiality Categorization (optional)
  • Post-Sanitization Destination (if known)
  • For Both Sanitization and Verification:
    • Name of Person
    • Position/Title of Person
    • Date
    • Location
    • Phone or Other Contact Information
    • Signature