The Need
Media sanitization is one key element in assuring confidentiality.
Confidentiality is “Preserving authorized restrictions on information
access and disclosure, including means for protecting personal privacy
and proprietary information…” [44 U.S.C., Sec. 3542] “A loss of
confidentiality is the unauthorized disclosure of information.”
[FIPS-199, Standards for Security Categorization of Federal Information
and Information Systems]
Information disposition and sanitization decisions occur throughout
the system life cycle. Critical factors affecting information
disposition and media sanitization are decided at the start of a
system's development. The initial system requirements should include
hardware and software specifications as well as interconnections and
data flow documents that will assist the system owner in identifying the
types of media used in the system. A determination should be made during
the requirements phase about what other types of media will be used to
create, capture, or transfer information used by the system. This
analysis, balancing business needs and risk to confidentiality, will
formalize the media that will be considered for the system to conform to
FIPS 200, Minimum Security Requirements for Federal Information and
Information Systems.
Media sanitization and information disposition activity is usually
most intense during the disposal phase of the system life cycle.
However, throughout the life of an information system, many types of
media, containing data, will be transferred outside the positive control
of the organization. This activity may be for maintenance reasons,
system upgrades, or during a configuration update.
Trends
Computing technologies change rapidly. Users want more powerful but
compact devices. New technologies constantly increase processing speed
and storage capacity, while decreasing the device size in order to
satisfy this demand. These technologies may require new clearing and
purging techniques. Advancing technology has created a situation that
has altered previously held best practices regarding magnetic disk type
storage media. Basically, the change in track density and the related
changes in the storage medium have created a situation where the acts of
clearing and purging the media have converged. That is, for ATA disk
drives manufactured after 2001 (over 15 GB), clearing by overwriting the
media once is adequate to protect the media from both keyboard and
laboratory attack.
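The single overwrite pass described above, followed by a full read-back check, as an added example that is not part of the NIST text. It assumes a regular file image standing in for a drive and a zero fill byte; the function names and the sample image are constructed for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB I/O unit (arbitrary choice for this example)


def overwrite_once(path, fill=0x00):
    """Write one pass of `fill` over every byte of `path`; return bytes written."""
    size = os.path.getsize(path)  # assumption: regular file image, not a raw device
    block = bytes([fill]) * CHUNK
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # push the pass out of the OS cache before verifying
    return written


def first_mismatch(path, fill=0x00):
    """Read the whole target back; return offset of the first byte != fill, or None."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            data = f.read(CHUNK)
            if not data:
                return None  # reached the end: every byte matched
            if data.count(fill) != len(data):
                return offset + next(i for i, b in enumerate(data) if b != fill)
            offset += len(data)


def make_sample_image(size=3 * CHUNK + 123):
    """Constructed stand-in for a drive: a temp file seeded with recognisable data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"CONSTRUCTED-RECORD " * (size // 19 + 1))[:size])
    return path


if __name__ == "__main__":
    image = make_sample_image()
    print("before:", first_mismatch(image))            # offset of residual data
    print("written:", overwrite_once(image), "bytes")
    print("after:", first_mismatch(image))             # None when the pass is clean
    os.remove(image)
```

The read-back covers every byte rather than a sample, so a reported offset points directly at the region the pass failed to cover.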
Decisions
Several factors should be considered along with the security
categorization of the system confidentiality when making sanitization
decisions. The cost versus benefit of a media sanitization process
should be understood prior to a final decision. For instance, it may not
be cost-effective to degauss inexpensive media such as diskettes. Even
though clear or purge may be the recommended solution, it may be more
cost-effective (considering training, tracking, and validation, etc.) to
destroy media rather than use one of the other options. Organizations
can always increase the level of sanitization applied if that is
reasonable, and indicated by an assessment of the existing risk.
Organizations should consider the following environmental factors. Note
that the list is not all-inclusive:
1. What types (e.g., optical non-rewritable, magnetic) and size
(e.g., megabyte, gigabyte, and terabyte) of media storage does the
organization require to be sanitized?
2. What is the confidentiality of the data stored on the media?
3. Will the media be processed in a controlled area?
4. Should the sanitization process be conducted within the organization
or outsourced?
5. What is the anticipated volume of media to be sanitized by type of
media?
6. What is the availability of sanitization equipment and tools?
7. What is the level of training of personnel with sanitization
equipment/tools?
8. How long will sanitization take?
9. What type of sanitization will cost more considering tools,
training, validation, and reentering media into the supply stream?
National Institute of Standards and Technology, NIST Special
Publication 800-88