Data Retention and Destruction (T. Kwok) - ISA/BIT Learning Center
October 30, 2017 | Author: Anonymous | Category: N/A
Data Retention and Destruction
By Thomas Kwok
July 1, 2011
Contents

Executive Summary
Introduction
Background Information
  Definitions
    Data Retention
    Data Destruction
  Current Issues
    Staples Business Depot
    Testing on Used IT Equipment
  C-Level Executives
Frameworks
  ISO 15489: Information and Documentation – Records Management
    Background
    Scope
    Records to be Captured
    Length of Retention
    Physical Storage Medium and Protection
    Access, Retrieval and Use
  NIST 800-88: Guideline for Media Sanitization
    Background
    Scope
    Description of Sanitization Techniques and Methods
    Deciding on a Sanitization Technique and Method
    On-Site or Off-Site Sanitization
  ITSG-06: Clearing and Declassifying Electronic Data Storage Devices
    Background
    Scope
    Data Sanitization Techniques
Conclusion
Appendix A: Sanitization and Disposition Decision Flow
Bibliography
Annotated Bibliography
EXECUTIVE SUMMARY

The purpose of this paper is to provide guidance to C-level executives on data retention and destruction. It outlines the definitions of data retention and destruction, current issues, the relationship to C-level executives, and the relevant frameworks.

Data retention can be defined as the storing of data for a set amount of time, usually for business purposes or to meet legal requirements. Data destruction can be defined as destroying data so that it cannot be recovered, up to a certain degree of effort.

Current issues related to data retention and destruction include the audit of Staples Business Depot (Staples) and Kroll Ontrack's testing of used IT equipment. The Privacy Commissioner of Canada criticized Staples for its poor retention decisions and for the lack of sanitization of its leased photocopiers and of devices offered for resale. Kroll Ontrack's findings showed that organizations are unaware of proper sanitization techniques.

C-level executives should learn more about data retention and destruction: to comply with laws and regulations, including SOX-like standards; to avoid over-retaining data in violation of laws and regulations such as the Personal Information Protection and Electronic Documents Act and the Payment Card Industry Data Security Standard; to apply data sanitization techniques properly; to maintain a good reputation with the public; and to improve the efficiency of the organization.

ISO 15489 is a records management framework. In terms of data retention, this paper draws on its discussion of the records to be captured, the length of retention, physical storage medium and protection, and access, retrieval and use. NIST 800-88 is a framework for data destruction; it describes sanitization methods and techniques and the decision process for selecting a sanitization technique. ITSG-06 is another framework for data destruction; for the purposes of this paper it provides additional information on sanitization techniques.

Overall, C-level executives need to be more aware of data retention and destruction.
INTRODUCTION

The purpose of this paper is to inform C-level executives about data retention and destruction: specifically, its definitions, its current importance as shown by current issues, how it affects C-level executives, and the frameworks that organizations can use to adopt appropriate data retention and destruction practices.
BACKGROUND INFORMATION

Definitions

Data Retention

Data retention is the storing of data for a set amount of time, usually for business purposes or to meet legal requirements.

Data Destruction

Data destruction can be defined as destroying data so that it cannot be recovered, up to a certain degree of effort. [1] Data destruction may be referred to as data sanitization for the purposes of this paper.
Current Issues

Staples Business Depot

On June 21, 2011, Canada's Privacy Commissioner, Jennifer Stoddart, released a detailed audit report on Staples Business Depot (Staples). The report indicated that Staples had kept some personal order information from customers for longer than necessary. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations should retain information only for the original purpose of collection and should dispose of it shortly thereafter, unless the organization obtains customer consent to retain it. The report recommended that Staples limit the retention period of personal information on online order forms to a period that allows customers to review and correct any issues with the order. Jennifer Stoddart was quoted in the report as saying, "Although Staples says it will inform customers that online submissions will be stored for one year, it is our Office view that this information is being retained longer than necessary". [2] The issue here is that Staples may have been violating government laws by retaining information longer than it needed to. [3]

Furthermore, the audit report also noted Staples' inability to verify the destruction of data on its leased photocopiers. Some of Staples' photocopiers contain hard drives that automatically retain an image of each customer's photocopy. When a leased photocopier reaches the end of its lease period, it is returned to the supplier. Under the agreement between Staples and its supplier, the supplier is responsible for wiping the hard drives before disposing of, recycling or reusing the photocopier. The issue here is that Staples does not verify that the supplier has actually wiped the hard drives before doing so. Thus, Staples did not exercise due diligence over its customers' personal information when returning its leased photocopiers. [4]

In addition, Staples sells many electronic devices with storage media. The audit report stated that Staples did not properly sanitize the data on the storage media of products that had been returned or exchanged by customers. Of the 149 devices tested, 54 still contained customer data. Thus, personal information of the original customer was being passed on to a new customer on resale of the device. This problem exemplifies Staples' lack of knowledge of proper data sanitization procedures and techniques. [5]

Testing on Used IT Equipment

Kroll Ontrack, a leading provider of information management, purchased a used laptop, desktop and server to test whether it could find residual information left on the equipment. In particular, the server had been owned by a U.S. corporation with offices in Sydney and, according to the advertisement, had supposedly already been wiped. In total, 170 GB of recoverable information was found on the three devices. Specific to the server, Kroll Ontrack identified that it had been only partially wiped. Kroll Ontrack also identified the previous owner of the server, a large multinational financial services company. Therefore, the issue in this case appears to be that the company reselling its server did not fully understand or use proper data sanitization techniques. [6]

[1] "Data Destruction." Bitpipe.com, 2011. Web. 30 June 2011.
[2] Roseman, Ellen. "Roseman: Why Is Staples Keeping Our Private Purchase Data?" Thestar.com. 22 June 2011. Web. 30 June 2011.
[3] "Audit Report of the Privacy Commissioner of Canada: Staples Business Depot." Office of the Privacy Commissioner of Canada. 2011. Web. 01 July 2011.
[4] Ibid.
[5] Clark, Edward. "Staples Fails to Delete Data, Report Finds." Ontrack Data Recovery. 23 June 2011. Web. 01 July 2011.
[6] Kroll Ontrack. "Kroll Ontrack Encourages Caution for New Financial Year IT Deployments." CFO World. 21 June 2011. Web. 01 July 2011.
C-Level Executives

C-level executives must be aware of data retention in order to comply with government laws and regulations. In the United States, SOX has record retention requirements that companies must follow. For example, "in May 2005, Morgan Stanley was ordered to pay $1.45 billion in a civil lawsuit, due in large part to failure to properly produce electronic documents". [7] As well, SOX requires proper financial records management, as this helps auditors by providing adequate and sufficient audit evidence. [8]

With the collapse of several companies and the SOX requirements imposed by the United States, Canada responded with its own laws and regulations, implementing SOX-like standards in a step-by-step manner. These standards include a set of retention requirements that C-level executives in Canada need to understand. [9]

The Staples illustration noted earlier in this paper also shows that other laws have data retention requirements. Organizations need to look out for and ensure they are in compliance with PIPEDA. As well, each industry may have its own regulations with specific record retention requirements, and sometimes retaining too much data can be a problem. For example, businesses in the restaurant and retail industries in particular must be aware of and follow the standards set by the Payment Card Industry. The Data Security Standard (DSS) is meant to protect customers' private information and to prevent fraud with debit and credit cards. In one specific case, an attacker had access to a restaurant's software, which held customers' credit card information. The software also held the magnetic stripe information for each card, which is prohibited under the DSS. The business was liable for the data that was leaked (over a five-year period) and thus liable for the $1 million in fraudulent losses that resulted from improper retention of data. An executive at Visa stated that most companies that are compromised for not following the DSS end up folding within 6 to 12 months of being caught. He also suggested that there is no reason for businesses to hold data longer than required, as each additional day of holding confidential data adds liability. [10]

Thus, this example illustrates the cost of retaining too much data, and how data destruction is also important to companies that hold sensitive customer information. Aside from the direct financial consequences of these retention requirements, Staples in particular has attracted media attention for its poor habits. With this negative attention, Staples' reputation will be harmed. By not following the applicable laws and regulations, organizations face scrutiny from the public, which ultimately results in a lower bottom line.

The current issues mentioned earlier in this paper regarding data destruction also illustrate how little attention many companies give to data destruction. According to a study by International Data Corporation, 60% of corporate data remains on desktops and laptops. [11] Companies need to ensure that data on these computers is properly sanitized, to prevent confidential corporate data from leaking to possible competitors. Data destruction can also make a system more efficient by eliminating duplicate data: searching for information becomes much easier, and eliminating duplicates frees space on the storage media. [12, 13]

[7] The Exchange Team. "Records Management: Why Do We Care?" Microsoft Exchange. 23 Aug. 2006. Web. 25 June 2011.
[8] Queen, Patrick. "Records Management: A Critical Success for SOX Compliance." Sarbanes-Oxley Compliance Journal. 20 Mar. 2009. Web. 26 June 2011.
[9] "The Corporate Governance Landscape in Canada." Deloitte & Touche LLP, 2007. Web. 28 June 2011.
[10] Jackson, Brian. "Small Firms Must Comply with Security Standards or Be Held 'Liable' for Breaches." ITbusiness.ca. 13 Mar. 2009. Web. 28 June 2011.
FRAMEWORKS

The following section discusses three data retention and destruction frameworks. These frameworks provide insight into best practices for data retention and destruction. The first framework relates to the retention of data, while the second and third relate to data destruction.
ISO 15489: Information and Documentation – Records Management [14, 15]

Background

The International Organization for Standardization (ISO) created ISO 15489: Information and Documentation – Records Management (ISO 15489) to bring attention and protection to records and to provide information on how to retrieve information from records efficiently and effectively, using standard practices and procedures. ISO 15489 is split into two parts: a general section (Part 1) and a technical section (Part 2). The general section is intended to provide guidance to all individuals in an organization, including managers and records management professionals. The technical section is intended only for records management professionals. ISO 15489 is based on another standard, Australian Standard AS 4390: Records Management.

[11] Hanks Fri, Keith. "Understanding Data Destruction: What the CIO Needs to Know." CIO.com. 18 May 2007. Web. 28 June 2011.
[12] Phillips, Paulie. "Data De-duplication Addresses Storage Headaches." Ontrack Data Recovery. 8 June 2011. Web. 01 July 2011.
[13] Button, Polly. "Data De-duplication Helps Combat Spiralling Storage Costs." Ontrack Data Recovery. 4 May 2011. Web. 01 July 2011.
[14] "Information and Documentation - Records Management - Part 1 (ISO 15489)." International Standard ISO, 2001. Web. 23 June 2011.
[15] "Information and Documentation - Records Management - Part 2 (ISO 15489)." International Standard ISO, 2001. Web. 23 June 2011.

Scope

While ISO 15489 covers the broad topic of records management, the focus of this section is data retention. Therefore, this section draws only on Chapter 8: Design and Implementation of a Records System and Chapter 9: Records Management Processes and Controls of Part 1, and on Chapter 4: Records Processes and Controls of Part 2. While Part 2 was created for records management professionals, it still contains valuable ideas and information that non-technical readers can understand. The following section describes the key areas of ISO 15489 related to data retention.

Records to be Captured

Not all records need to be captured into a records system. The records to be captured should be selected based on the regulatory environment, business and accountability requirements, and the risk of not capturing them. Each organization will have its own retention requirements, depending on the type of organization and the legal and social aspects of its industry. For example, laws and regulations may demand that certain data be retained, and such requirements may be specific to a country, industry, organization type, or product.

Length of Retention

As with the reasons to capture records, the length of retention should be determined based on the regulatory environment, business and accountability requirements, and the risks (both of holding the records and of not holding them).
In analyzing and assessing these factors, the department or unit overseeing the specific business activity, the records manager, and others should work together to ensure that records are retained in accordance with the requirements that apply to them and with the management policies the organization has implemented. In some cases, laws and regulatory requirements will require records to be retained for a certain period. For example, in order to complete an audit of an organization, the organization may be required to hold records for 10 years following the date of the transaction. ISO 15489 describes a five-step analysis of how long records should be retained; the five steps are described below.

1. Verify legal and administrative requirements. These requirements depend on the laws and regulations of the particular jurisdiction. As described earlier in this paper, there are many issues with legal and administrative requirements, and not following them can have deep financial repercussions.

2. Understand the purpose of the records within the system. There are two types of records: core records and records of multiple individual transactions. Core records can be described as records that are used repeatedly; records of multiple individual transactions are the individual entries that feed into the core records. Core records are usually kept for longer periods than records of individual transactions. For example, a sick leave (i.e. when an employee is sick for one day) could be considered a record of an individual transaction, while the sick leave history (the number of sick leave days taken while employed at the organization) could be considered a core record. Thus, the records of individual transactions (i.e. all of the employee's individual sick leave records) add up to the total held in the core record. Each record of an individual transaction can be removed soon after the transaction has been completed, while the core records (i.e. the sick leave histories of employees) stay in the system until the employee leaves the organization. Another way to distinguish records is by the nature of the business activity behind the transaction. For example, a doctor's transactional medical records for a patient may need to be kept longer than transactional records for purchasing supplies.

3. Determine relationships and links with other systems. The records in one system may rely on another system. For example, system A's records may use information from system B's records; therefore, the length of retention for system B's records may depend on the length of retention for system A's records.

4. Examine the different uses of the records. ISO 15489 suggests five considerations on the use of records: 1) other stakeholders may have an interest in keeping records for a longer period than management; 2) management will need to assess the risks of destroying the records after their internal use has been completed; 3) the organization should decide which records are necessary for business continuity purposes; 4) there may be other financial, political or social reasons to retain records; and 5) the organization should determine the cost-benefit of retaining the records after their original purpose has been served, where the benefits are non-financial.

5. Decide on the retention period, based on the previous steps. After going through the previous four steps, the final step is to decide on the length of retention for records of a similar nature.
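The five steps above can be turned into a repeatable calculation. The following is an added example written for this page, not code from the paper or from ISO 15489: a small retention-schedule calculator in which the record series, their periods in months and the links between them are constructed sample data, and step 3 is implemented as the rule that a series inherits the longest period of any series that uses it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class RecordSeries:
    """One class of records with the inputs to the paper's five-step analysis.
    Constructed model for this example; all periods are in months."""
    name: str
    kind: str                  # step 2: "core" or "transaction"
    legal_months: int          # step 1: legal / administrative minimum
    business_months: int       # step 4: continuity, stakeholder and other uses
    uses: List[str] = field(default_factory=list)  # step 3: series this one draws on


def effective_retention(series: Dict[str, RecordSeries]) -> Dict[str, Tuple[int, str]]:
    """Step 5: return (months, reason) for every series.  A series is kept for
    the longest of its own legal period, its own business period and the
    effective period of every series that uses it, which is the paper's point
    that system B's retention may depend on system A's."""
    relied_on_by: Dict[str, List[str]] = {name: [] for name in series}
    for s in series.values():
        for dep in s.uses:
            if dep not in series:
                raise KeyError(f"{s.name} uses unknown series {dep!r}")
            relied_on_by[dep].append(s.name)

    memo: Dict[str, Tuple[int, str]] = {}
    visiting: Set[str] = set()

    def resolve(name: str) -> Tuple[int, str]:
        if name in memo:
            return memo[name]
        if name in visiting:  # A uses B and B uses A: no finite schedule exists
            raise ValueError(f"circular dependency involving {name!r}")
        visiting.add(name)
        s = series[name]
        months, reason = s.legal_months, "legal requirement"
        if s.business_months > months:
            months, reason = s.business_months, "business requirement"
        for user in relied_on_by[name]:
            inherited, _ = resolve(user)
            if inherited > months:
                months, reason = inherited, f"inherited from {user}"
        visiting.discard(name)
        memo[name] = (months, reason)
        return memo[name]

    return {name: resolve(name) for name in series}


def review_schedule(series: Dict[str, RecordSeries],
                    retention: Dict[str, Tuple[int, str]]) -> List[str]:
    """Flag transaction records held beyond their legal minimum: the paper's
    Staples and PCI DSS examples show that every extra month of such data is
    liability, so each case should be justified or the period shortened."""
    findings = []
    for name, s in series.items():
        months, reason = retention[name]
        if s.kind == "transaction" and months > s.legal_months:
            findings.append(f"{name}: kept {months} months against a legal minimum "
                            f"of {s.legal_months} ({reason}); confirm the need")
    return findings


# Constructed sample schedule, not taken from any real organization.
SAMPLE_SERIES: Dict[str, RecordSeries] = {
    "online_order_form": RecordSeries("online_order_form", "transaction", 0, 3),
    "sales_invoice": RecordSeries("sales_invoice", "transaction", 84, 12),
    "customer_account": RecordSeries("customer_account", "core", 0, 36),
    "audited_financials": RecordSeries("audited_financials", "core", 120, 120,
                                       uses=["sales_invoice"]),
}

if __name__ == "__main__":
    schedule = effective_retention(SAMPLE_SERIES)
    for name, (months, reason) in schedule.items():
        print(f"{name:20s} {months:4d} months  ({reason})")
    for finding in review_schedule(SAMPLE_SERIES, schedule):
        print("REVIEW:", finding)
```

In the sample data the invoices carry a seven-year legal period of their own, but because the audited financial statements draw on them they inherit the statements' ten-year period, which is exactly the system-to-system dependency of step 3.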
Physical Storage Medium and Protection

The physical elements of a records management system include the storage environment, storage media, physical protective materials, handling procedures and storage systems. The choice of environment, media and protective materials can be made once it is known how long the records will need to be kept and for what purpose the data will be used. The storage media chosen should keep the record's usability, reliability, authenticity and preservation intact for the whole retention period.

Handling procedures and storage systems are additional items to consider for effective records management. They can also help prevent data from being damaged, destroyed or misplaced, as in the case of a disaster. As well, handling procedures and storage systems help protect records from unauthorized access and theft.

Access, Retrieval and Use

The records management system should restrict access for those who do not require entry into the system on a regular basis, to protect the integrity of the data and meet accountability requirements. There is no use in having data in a system if it cannot be retrieved; retrieval should be timely, for both efficiency and compliance purposes. As well, controls should be in place to protect against any unauthorized use of the data, including changing, moving or destroying it.
NIST 800-88: Guideline for Media Sanitization [16]

Background

The National Institute of Standards and Technology (NIST) developed NIST 800-88: Guideline for Media Sanitization (NIST 800-88) as required by statute. The purpose of NIST 800-88 is to set out proper methods for sanitization and disposal, to prevent unauthorized access to the information contained on storage media. NIST 800-88 is intended to be read by anyone interested in protecting confidential information, including federal agencies, businesses and home users.

Scope

This section provides a brief overview of the main sanitization techniques and methods, and of how to choose an appropriate sanitization technique and method. While NIST 800-88 was meant to be read by anyone, the focus of this section is businesses (i.e. not federal agencies in particular, nor home users).

Description of Sanitization Techniques and Methods

Before discussing the different sanitization techniques and methods, note one option that is not a sanitization method: disposal. Not all storage media needs to be sanitized; such media can simply be discarded, without any special sanitization method or other treatment. For example, ordinary recycling of paper is disposal of the media. For the purpose of this paper, a sanitization method is a broad category made up of a set of sanitization techniques. NIST 800-88 places sanitization techniques into three major methods:

1. Clearing. A sanitization method that protects information on the storage media from keyboard attacks. A keyboard attack is an attempt to retrieve data through regular input devices and data scavenging tools. An example of a clearing technique is overwriting the original data with new random data, which can be accomplished with overwriting software or hardware.

2. Purging. A sanitization method that protects information on the storage media from laboratory attacks. A laboratory attack is an attempt to retrieve data through non-standard systems; usually, data recovery specialists operate these systems to attempt recovery outside the storage media's regular operating environment. An example of a purging technique is degaussing, described as "exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains". A degausser uses a strong magnet or electromagnetic coil to disrupt the recorded magnetic domains. Degaussing is useful for quickly sanitizing damaged storage media or storage media holding large amounts of data. If the storage media has firmware on it, it may become unusable after degaussing.

3. Destroying. This sanitization method is the physical destruction of the storage media, which renders it unusable. NIST 800-88 splits physical destruction into two main classifications: 1) disintegration, incineration, pulverization and melting; and 2) shredding. The first classification completely destroys the storage media, either by completely changing its form or by reducing it to powder (or particle) form. The second classification merely disaggregates the storage media into smaller pieces, so shredding can leave some data intact; the idea is that the pieces should be small enough that the information cannot be reconstructed. Thus, the distinction between the two classifications is that the first does a more thorough job of destroying the data on the storage media.

[16] Kissel, Richard, Matthew Scholl, Steven Skolochenko, and Xing Li. "Guidelines for Media Sanitization." National Institute of Standards and Technology, Sept. 2006. Web. 28 June 2011.
Deciding on a Sanitization Technique and Method

Before deciding on a sanitization method, an organization needs to decide whether sanitization is needed at all (which can be based on the confidentiality of the information on the storage media) and, if it is, when to sanitize the data (which can be based on the retention period discussion under ISO 15489). In deciding which sanitization method to use, NIST 800-88 suggests basing the decision first on the confidentiality of the information: less confidential information on the storage media means that a weaker sanitization method can be used. In general, the order of strength of the sanitization methods, from weakest to strongest, is clearing, purging and destroying.

Next, the organization must consider whether it plans to reuse the storage media (or, similarly, to give it to another organization for reuse). Reuse may be chosen because it saves the organization money or because the media can be sold to another organization. If the storage media is to be reused, a less drastic sanitization method may suffice.

Another consideration is whether the storage media will leave the organization's control, and who has access to it. Storage media is generally considered under the organization's control when it needs maintenance and there are agreements in place with a maintenance provider (i.e. a person or organization that helps sanitize data) to keep the information on the storage media confidential while sanitizing it. Storage media can also be considered under the organization's control when the sanitization is conducted by the organization, or by the maintenance provider at the organization's site; if the maintenance provider conducts the sanitization, the organization must supervise the process. On the other hand, storage media may not be under the organization's control when it is being exchanged under warranty, for a cost rebate or for other reasons; if a particular storage media is not returned to the organization, it is not under the organization's control. If the storage media leaves the organization's control, a stronger sanitization method needs to be considered than for storage media that stays within the organization's control.

Appendix A illustrates the decision process: first base the decision on the confidentiality of the data (i.e. low confidentiality means low security required), then, if applicable, ask whether the storage media will be reused, and finally ask whether the storage media will be leaving the organization's control. At the end of the sanitization process, a sample of the storage media should be verified as sanitized, and the result documented. Note that this appendix is for guidance only and may not represent the most appropriate sanitization method in every case. Table A-1: Media Sanitization Decision Matrix in NIST 800-88 provides a long list of recommended sanitization techniques for sanitizing data on particular storage media, once the sanitization method has been chosen. A cost-benefit analysis should be conducted to assess whether performing a particular sanitization technique is necessary.

On-Site or Off-Site Sanitization

Environmental factors should also be considered in the sanitization process. For example, while not explicitly mentioned in NIST 800-88, the organization must ask itself, "Should we sanitize the data on-site or off-site?" The assumption here is that the sanitization will be done by a third party (either on-site or off-site). While generally more expensive, on-site sanitization has several advantages. First, liability is minimized because the storage media is not transferred from one location to another; in transit, the storage media could be lost or stolen. Second, on-site sanitization usually means that the organization can physically see the storage media being sanitized, which, depending on the sanitization method, can serve as verification that the media is actually sanitized. Third, even though agreements will be signed to maintain the confidentiality of the information on the storage media, any time confidential information is sent to a third party there is the possibility that they will access and use it. Thus, on-site sanitization can prevent third parties from accessing the storage media. [17]
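As an added illustration (not code from the paper or from NIST), the following models the decision flow described above: the three questions in order, a software clearing pass by random overwrite on a constructed in-memory "disk", verification of a sample of blocks against their pre-sanitization fingerprints, and the record to keep afterwards. The mapping from each branch to clear, purge or destroy in choose_method is an assumption consistent with the paper's ordering of methods, not a transcription of NIST's Appendix A or Table A-1.

```python
from dataclasses import dataclass
import hashlib
import os
import random
import time

# Weakest to strongest, as the paper orders them.
SANITIZATION_METHODS = ("clear", "purge", "destroy")


def choose_method(confidentiality: str, reuse: bool, leaves_control: bool) -> str:
    """Ask the paper's three questions in order: how confidential is the data,
    will the media be reused, and will it leave the organization's control.

    ASSUMED mapping (illustrative, not NIST's table): media that will not be
    reused is destroyed; highly confidential media that is reused is purged
    wherever it goes; otherwise clearing suffices while the media stays in-house
    and purging is required once it leaves the organization's control."""
    if confidentiality not in ("low", "moderate", "high"):
        raise ValueError(f"unknown confidentiality level: {confidentiality!r}")
    if not reuse:
        return "destroy"
    if confidentiality == "high":
        return "purge"
    return "purge" if leaves_control else "clear"


@dataclass
class Media:
    """Constructed stand-in for a storage device: a bytearray viewed as blocks."""
    ident: str
    block_size: int
    data: bytearray

    @property
    def block_count(self) -> int:
        return len(self.data) // self.block_size

    def block(self, i: int) -> bytes:
        return bytes(self.data[i * self.block_size:(i + 1) * self.block_size])


def fingerprint_blocks(media: Media) -> list:
    """Hash every block before sanitization so that verification can show a
    sampled block no longer holds its original content."""
    return [hashlib.sha256(media.block(i)).hexdigest()
            for i in range(media.block_count)]


def clear_by_overwrite(media: Media) -> None:
    """The clearing technique the paper describes: overwrite the whole device
    with random data.  Defeats keyboard attacks, not laboratory recovery."""
    media.data[:] = os.urandom(len(media.data))


def verify_sample(media: Media, before: list, sample_fraction: float = 0.2,
                  seed: int = 0) -> dict:
    """Verification step: inspect a random sample of blocks and report any that
    still match their pre-sanitization fingerprint."""
    rng = random.Random(seed)
    n = max(1, int(media.block_count * sample_fraction))
    sampled = rng.sample(range(media.block_count), n)
    unchanged = [i for i in sampled
                 if hashlib.sha256(media.block(i)).hexdigest() == before[i]]
    return {"sampled": n, "unchanged_blocks": unchanged, "passed": not unchanged}


def sanitize_and_document(media: Media, confidentiality: str, reuse: bool,
                          leaves_control: bool, operator: str) -> dict:
    """Select a method, apply it where software can (only clearing; purging and
    destruction are physical processes) and return the record to keep on file."""
    method = choose_method(confidentiality, reuse, leaves_control)
    before = fingerprint_blocks(media)
    if method == "clear":
        clear_by_overwrite(media)
        verification = verify_sample(media, before)
    else:
        verification = {"sampled": 0, "unchanged_blocks": [], "passed": None,
                        "note": f"{method} is physical; verify by inspection"}
    return {"media": media.ident, "method": method, "operator": operator,
            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "verification": verification}


def constructed_media(ident: str = "returned-laptop-001") -> Media:
    """Constructed sample device holding recognisable customer data."""
    payload = (b"CUSTOMER ORDER 2011-06-21; NAME J. DOE; CARD ENDING 1111; " * 16)[:512]
    return Media(ident, block_size=64, data=bytearray(payload))


if __name__ == "__main__":
    print(sanitize_and_document(constructed_media(), "moderate", True, False, "tkwok"))
```

Running verify_sample on a device that was never overwritten reports every sampled block as unchanged, which is the situation the Staples and Kroll Ontrack findings describe: media sold or returned on the assumption that someone else had wiped it.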
17
ITSG-06: Clearing and Declassifying Electronic Data Storage Devices 18 Background The Communications Security Establishment Canada created ITSG-06: Clearing and Declassifying Electronic Data Storage Devices (ITSG-06) under The Information Technology Security Guide (ITSG) to help provide guidance to government IT authorities. Specifically, ITSG-06 describes methods to prepare storage media for declassification (which is equivalent to sanitization in NIST 80088), reuse and disposal. Scope This section of the paper is meant to be read in conjunction with the NIST 800-88 section. That is, information in this section will rely on or relate to NIST 800-88. This section of the paper will provide additional information on data sanitization techniques, while contrasting differences with NIST 800-88. Since ITSG-06 is meant to be used by government IT authorities, some of the guidance in ITSG-06 is very specific. This section will only provide a broad overview of the data sanitization techniques in order to relate to businesses. Data Sanitization Techniques ITSG-06 has 9 different sanitization techniques. Degaussing was described earlier as a technique under purging methods. ITSG-06 describes degaussing similarly to NIST 800-88 degaussing definition. Shredding and disintegration, grinding and hammer-milling, and incineration were described earlier (using different terms) as techniques under destroying methods. ITSG-06 describes these techniques similarly to NIST 800-88’s definitions. The materiel/molecular separation by high-speed centrifuge technique was mentioned but not thoroughly analyzed in ITSG-06; thus, this technique will not 17
Tillman, Don. "On-Site Data Destruction of Magnetic Data Following U.S. Standards."StorageNewsletter.com. 4 Feb. 2010. Web. 29 June 2011. . 18 "Clearing and Declassifying Electronic Data Storage Devices." Communications Security Establishment of Canada, July 2006. Web. 27 June 2011. .
10
be discussed. Therefore, there are 4 remaining techniques to be discussed in relation to NIST 800-88. The following techniques were either not specifically discussed in NIST 800-88 or contain some differences to NIST 800-88: 1.
1. Encryption
While encryption is not usually seen as a sanitization technique, encrypting an entire storage media can be considered a clearing method. More specifically, encrypting the entire storage media can be seen as changing the storage media's data into a defined unreadable form. The effectiveness of encryption depends on the strength of the cryptographic protection scheme and on the management of the encryption key: if whoever obtains the media can also recover the key, the data can simply be decrypted, so the key itself must be protected, and it must not remain recoverable once the media leaves the organization's control.

2. Overwriting
Overwriting is similar to the process described in the NIST 800-88 section under the clearing method. However, ITSG-06 describes overwriting more specifically as writing 1s and 0s over all bits in the storage media. ITSG-06 also describes a process called "Triple Overwrite". This process starts by writing over all the bits on the storage media with either all 1s or all 0s; then writing over all the bits with the complement (the opposite value) of the first pass; and finally, using a pseudorandom number generator, writing over all the bits with a pattern of 1s and 0s, so that the pattern written can be tracked by the user.

3. Physical Deformation
Tools such as a sledgehammer, nail gun and vice can be used to physically deform a storage media. Using these tools can be considered a destroying method. The purpose of using these particular tools is only for emergency situations: they are meant to slow, stop or discourage an attacker from trying to obtain data from the storage media, and deformation alone does not by itself guarantee that the data is unrecoverable.

4. Knurling
Using a special machine, pressure and heat are applied to optical disks. This can be considered a destroying method. Knurling stretches and curls the optical disks, effectively destroying the data on the storage media.
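The triple overwrite described under item 2, together with the sample verification that NIST 800-88 asks for at the end of the sanitization process (described at the start of this section), can be exercised end to end on a simulated device. The following Python is an added example written for this page; it is not code from ITSG-06, NIST 800-88 or the paper. A bytearray stands in for the storage device; the chunk size, seed values and sample rate are illustrative assumptions. On real media the writes would go to the raw block device in large aligned chunks, and the pseudorandom pattern would be regenerated from the recorded seed when verifying.

```python
"""Simulated ITSG-06 "Triple Overwrite" with NIST 800-88 style sample verification.

Added example for this page, not code from ITSG-06, NIST 800-88 or the paper.
A bytearray stands in for the storage device; CHUNK, the seeds and the sample
rate are illustrative assumptions.
"""
import os
import random

CHUNK = 4096  # assumed write/verify unit in bytes


def _overwrite(device: bytearray, pattern) -> None:
    """Write pattern(offset, length) over every byte of the device, chunk by chunk."""
    for off in range(0, len(device), CHUNK):
        n = min(CHUNK, len(device) - off)
        device[off:off + n] = pattern(off, n)


def triple_overwrite(device: bytearray, seed: int) -> bytes:
    """Pass 1: all 0 bits. Pass 2: the complement (all 1 bits). Pass 3: a
    pseudorandom pattern of 1s and 0s. Returns the contents pass 3 should have
    left behind, reproducible from `seed`, so the result can be checked later."""
    _overwrite(device, lambda off, n: b"\x00" * n)   # pass 1: all 0s
    _overwrite(device, lambda off, n: b"\xff" * n)   # pass 2: complement of pass 1
    rng = random.Random(seed)
    expected = bytes(rng.getrandbits(8) for _ in range(len(device)))
    _overwrite(device, lambda off, n: expected[off:off + n])  # pass 3: PRNG pattern
    return expected


def verify_sample(device: bytearray, expected: bytes, sample_rate: float, seed: int) -> bool:
    """Read back a random sample of chunks (fraction `sample_rate` of the device)
    and confirm each matches the pattern pass 3 should have written.
    A sample rate of 1.0 verifies the whole device."""
    rng = random.Random(seed ^ 0x5A5A)  # separate stream from the pattern PRNG
    offsets = list(range(0, len(device), CHUNK))
    count = max(1, int(len(offsets) * sample_rate))
    for off in rng.sample(offsets, count):
        if bytes(device[off:off + CHUNK]) != expected[off:off + CHUNK]:
            return False
    return True


def demo() -> bool:
    """Sanitize a constructed 64 KiB device full of random 'user data', verify a
    25% sample, and confirm no original chunk survived. Returns True on success."""
    device = bytearray(os.urandom(16 * CHUNK))  # constructed sample device
    original = bytes(device)
    expected = triple_overwrite(device, seed=0x1234)
    verified = verify_sample(device, expected, sample_rate=0.25, seed=0x1234)
    survived = any(bytes(device[o:o + CHUNK]) == original[o:o + CHUNK]
                   for o in range(0, len(device), CHUNK))
    return verified and not survived


if __name__ == "__main__":
    print("sanitized and verified:", demo())
```

The seed is what makes the third pass "trackable": recording it is what lets the verifier, or an auditor later, recompute what every byte should read without keeping a copy of the pattern. Note that a sampled read-back only demonstrates the overwrite reached the sampled addresses; it says nothing about sectors the drive has remapped or otherwise hidden from the host, which is why the paper's decision flow still routes higher-confidentiality media to purging or destruction.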
CONCLUSION
C-level executives need to be more aware of data retention and destruction. The current issues related to Staples and to used IT equipment exemplify the problems that organizations may face. There are many laws and regulations that C-level executives need to consider for their companies' data retention and destruction practices. There is also a delicate balance between the retention and destruction of data: organizations must retain enough data to comply with laws and regulations, but must beware of retaining too much data, where they face legal liabilities. The frameworks in this paper provide an overview of data retention and destruction. For this paper specifically, ISO 15489 describes the retention-related aspects that C-level executives should understand, including the discussion on the length of retention of data. NIST 800-88 and ITSG-06 offer sanitization methods and techniques that C-level executives should be aware of in the data destruction process. As well, the discussion on NIST 800-88 can help a C-level executive choose a sanitization method based on a few factors, including the level of confidentiality of the data. This will ensure that data is properly sanitized and will help prevent issues from arising due to poor data retention and destruction practices.
APPENDIX A: SANITIZATION AND DISPOSITION DECISION FLOW

Source: http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
BIBLIOGRAPHY
"Audit Report of the Privacy Commissioner of Canada: Staples Business Depot." Office of the Privacy Commissioner of Canada, 2011. Web. 1 July 2011.
"Clearing and Declassifying Electronic Data Storage Devices." Communications Security Establishment of Canada, July 2006. Web. 27 June 2011.
"Data Destruction." Bitpipe.com, 2011. Web. 30 June 2011.
"Information and Documentation - Records Management - Part 1 (ISO 15489)." International Standard ISO, 2001. Web. 23 June 2011.
"Information and Documentation - Records Management - Part 2 (ISO 15489)." International Standard ISO, 2001. Web. 23 June 2011.
"The Corporate Governance Landscape in Canada." Deloitte & Touche LLP, 2007. Web. 28 June 2011.
Button, Polly. "Data De-duplication Helps Combat Spiralling Storage Costs." Ontrack Data Recovery, 4 May 2011. Web. 1 July 2011.
Clark, Edward. "Staples Fails to Delete Data, Report Finds." Ontrack Data Recovery, 23 June 2011. Web. 1 July 2011.
Hanks, Keith. "Understanding Data Destruction: What the CIO Needs to Know." CIO.com, 18 May 2007. Web. 28 June 2011.
Jackson, Brian. "Small Firms Must Comply with Security Standards or Be Held 'Liable' for Breaches." ITbusiness.ca, 13 Mar. 2009. Web. 28 June 2011.
Kissel, Richard, Matthew Scholl, Steven Skolochenko, and Xing Li. "Guidelines for Media Sanitization." National Institute of Standards and Technology, Sept. 2006. Web. 28 June 2011.
Kroll Ontrack. "Kroll Ontrack Encourages Caution for New Financial Year IT Deployments." CFO World, 21 June 2011. Web. 1 July 2011.
Phillips, Paulie. "Data De-duplication Addresses Storage Headaches." Ontrack Data Recovery, 8 June 2011. Web. 1 July 2011.
Queen, Patrick. "Records Management: A Critical Success for SOX Compliance." Sarbanes-Oxley Compliance Journal, 20 Mar. 2009. Web. 26 June 2011.
Roseman, Ellen. "Roseman: Why Is Staples Keeping Our Private Purchase Data?" Thestar.com, 22 June 2011. Web. 30 June 2011.
The Exchange Team. "Records Management: Why Do We Care?" Microsoft Exchange, 23 Aug. 2006. Web. 25 June 2011.
Tillman, Don. "On-Site Data Destruction of Magnetic Data Following U.S. Standards." StorageNewsletter.com, 4 Feb. 2010. Web. 29 June 2011.
ANNOTATED BIBLIOGRAPHY

Author: Smith, Julian Zbogar
Title of Article: Records Management: Why Do We Care?
Periodical/website: TechNet Blogs
Vol./No./Edition: N/A
Year published: 2006
Pages: N/A
Date accessed: May 28, 2011
Location, database, website, link: The Microsoft Exchange Team Blog, http://blogs.technet.com/b/exchange/archive/2006/08/23/3394778.aspx

Annotation
At a broad level, records management is defined as the way in which an organization deals with its stored information. This includes the development of a system that manages what type of information is kept, the controls on the accessibility of the information, and how users can increase their productivity by having simplified ways to access the information quickly. There are also laws and regulations that govern records management. While this topic has existed for many years, there have been significant changes in the past decade that triggered discussion on it, including the following:
- There is a growing amount of data, much more than there used to be.
- It has become more expensive to manage records, not because of storage costs (in fact, storage costs have decreased), but because the legal penalties for mismanaging information have significantly increased.
- New laws, such as SOX, and court judgements have made individuals more liable for mistakes and negligence in records management.
Author: Queen, Patrick
Title of Article: Records Management: A Critical Success for SOX Compliance
Periodical/website: Sarbanes Oxley : Technology : Records Management
Vol./No./Edition: N/A
Year published: 2009
Pages: N/A
Date accessed: May 28, 2011
Location, database, website, link: Sarbanes-Oxley Compliance Journal, http://www.s-ox.com/dsp_getFeaturesDetails.cfm?CID=2455

Annotation
While SOX has been evolving over the past few years, records management compliance has become a critical success factor in controlling business processes, providing accurate financial reporting and producing reliable audit findings. To comply with SOX, public companies have to document, test and assess their internal control procedures. This includes having adequate financial records management, because this process supports the accuracy of financial transactions. To meet the compliance requirements today, an organization should:
- Be compliant with SOX audits, which means that the company should conduct self-audits and also have solutions that are auditable.
- Ensure that the records management process includes both paper documents and electronic documents.
- Have proper version control, where the company formally agrees on how to manage draft versions of documents, and incorporate these decisions into the records management policies.
- Include a formal litigation hold process in the document lifecycle: the records destruction process must stop for related records when the company is notified of legal action, as well as for any anticipated or foreseeable legal action.
- Have working disaster recovery plans.
- Ensure that financial records are retained for the specified period of time, recognizing that there are requirements beyond SOX, such as other state regulations and laws. It is also important that the company can locate the data when requested by the regulatory bodies.
- Ensure that electronic records management is included in the formal compliance strategy, since companies now rely heavily on electronic data and documents.
As technology and laws continue to evolve, those companies that have effective records management will be better equipped to maintain data that supports their business operations and to comply with the regulatory bodies.
Author: Data Capture Solutions Ltd.
Title of Article: ISO 15489 – the essentials
Periodical/website: N/A
Vol./No./Edition: N/A
Year published: 2005
Pages: N/A
Date accessed: May 28, 2011
Location, database, website, link: Google, http://www.dcs-filestore.co.uk/contact/pdf1.php?pdflink=ISO%2015489%20-%20The%20Essentials.pdf

Annotation
This article contains the essential components described in ISO 15489 (Information and documentation – records management), a global standard that provides guidance to companies to effectively create, manage and store records, acknowledging that each business has unique demands and challenges for its records. The standard provides a framework of best practices to follow and adapt for each company. Adopting ISO 15489 allows companies to demonstrate an approach to records management that is recognized around the world and adds confidence when dealing with global business partners and clients. The standard is split into two parts: Part 1 provides a general overview and examines the principles and methodologies for adoption; Part 2 provides more practical approaches that organizations can use as the basis of their system development. The reason that we need proper records management is that records are valuable assets to a business that require protection and preservation. These records need to be retained to support business processes and functions, and thus they need to be accurate and authentic. Proper record keeping also helps with retaining only essential information, which increases the efficiency of business processes and so improves the competitiveness of the business. A critical step in the framework is to investigate the company's current record-keeping methods and what type of information is retained from the business processes. This analysis of the current process helps identify the strengths and weaknesses of the system. It is also essential to assess the regulatory and legal record-keeping obligations that the company has to meet. To implement successfully, it is important to gain top management support and a proper allocation of resources. The first step is preliminary planning, which helps gain this support. The next step is to analyze the business activity and see where records management fits into the business processes. With this information, the company should clarify and define what it truly needs from the new records management system. With its requirements identified, the company can then identify the gap between the existing system and those requirements. The next step is to form a written policy, eventually distributed to the company's employees, that describes the standards the company wishes to achieve and maintain. The company can then convert the policy into an actual plan and implement it. It is important to fully document the system, adequately train the staff to use it, and continuously monitor the system.
Note: Although this article was written in 2005, more than 5 years before the current year, it is essential because it contains the concepts included in the ISO 15489 global standard written in 2001, which provides guidance on records management.
Author: Vednere, Ganesh
Title of Article: Records management and privacy: Conflict or convergence?
Periodical/website: SC Magazine
Vol./No./Edition: N/A
Year published: 2009
Pages: N/A
Date accessed: May 28, 2011
Location, database, website, link: SC Magazine, http://www.scmagazineus.com/records-management-and-privacy-conflict-or-convergence/article/148302/

Annotation
Managing privacy used to be simple: it could be done by securing firewalls, having strong passwords and using encryption. However, with so much data being digitized today, data sets are available in more than one repository online, and these simple controls no longer suffice. Therefore, organizations established formal information security and privacy teams to secure data and prevent unauthorized access to and use of the database. While records management focuses on the ease of accessibility of records and privacy focuses on preventing unauthorized access to information, the two concepts actually converge. The key principles of records management and privacy overlap: reliability, integrity of information and guaranteed authenticity. Therefore, it is important for records managers to understand privacy and add value in areas such as the company's policies, procedures and controls. It is also important for organizations to manage these programs together to promote joint collaboration. The following are some areas where, if managed properly, privacy and records management can benefit each other:
- Records inventory: A robust records inventory kept by the records management team adds significant value to the privacy program, because the privacy team can simply take the record list and mark the records that contain personally identifiable information.
- Records retention: Records managers can work closely with the business and privacy offices to develop the appropriate retention period, so that the company meets the legal retention requirement, and to resolve conflicts if the privacy office does not agree with the retention term.
- Storage: The records management and privacy teams can work together to ensure the proper storage of data, which ensures security, integrity and reliability and prevents unauthorized access.
- Transmission: While this is not a requirement for records management, privacy policies require secure transmission of data, which will benefit records managers.
- Disposal: Records management policies should include procedures to dispose of information. Privacy teams can benefit from this, as privacy laws require companies to properly dispose of personally identifiable information.
- Governance and operational management: Privacy programs and records management teams can benefit from each other. For example, the records management team can benefit from the privacy team's speciality in responding to data loss or breach.
Author: Choudhury, Amit Roy
Title of Article: New Tech Reshaping Record Keeping
Periodical/website: The Business Times (Business Times Singapore)
Vol./No./Edition: N/A
Year published: 2011
Pages: N/A
Date accessed: May 28, 2011
Location, database, website, link: Factiva, http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=STBT000020110508e75900009&pp=1&fcpil=en&napc=S&sa_from=

Annotation
SQL View, a Singapore-based electronic records management company, believes that with the convergence of cloud computing and social networking there will be greater ease in the retrieval and creation of records. The company was recently given a grant by Spring and International Enterprises to continue developing its "artificial intelligence-based data mining and classification tool". The product the company is trying to produce is called KRIS Intelligent Filer (KIF), a classification software that pushes information to the user by extracting patterns from the data. The data would be classified by relevance, longevity, privilege access and security. When a specific user performs a search, only the records tied to the user's pre-ordained behaviour classification will be displayed. This means that only records deemed relevant will be pushed to the user, rather than every record that relates to the search. SQL View was the first company to introduce electronic records management in Asia. About half of the government offices' electronic records solutions are powered by this company. For example, the Central Provident Fund in Singapore implemented an e-registry system with the company, which enables information to be retrieved quickly and securely. SQL View has been an innovative leader in Asia in providing record-keeping solutions.
Author: Warner, Diana
Title of Article: Managing and Maintaining Electronic Content May Be Tricky, But Critical
Periodical/website: Journal of Health Care Compliance
Vol./No./Edition: N/A
Year published: 2010
Pages: N/A
Date accessed: May 28, 2011
Location, database, website, link: Business Source Complete

Annotation
"Enterprise content and records management (ECRM) is a set of strategies, processes, and technologies that are used to manage any and all types of business data and records". ECRM can help keep track of all sorts of different document or record types. In addition, ECRM systems can be valuable by providing the location and use of data/information effectively. For instance, individuals looking for information will be able to retrieve that information in a timely manner, and access to the information can be based on each individual's role. Each role can have a different level of access to the information. ECRM systems also help meet regulatory and organizational requirements for the lifecycle of the records. Components of the records lifecycle include:
- "The process of creating, editing, capturing or receiving information"
- Maintaining the records so that they are easily accessible and retrievable, i.e. efficient for indexing, searching, processing, retrieving and disposal
- Auditing the records throughout the lifecycle, to ensure amounts balance and processes are being followed properly
- Disposal of records, with proper controls in place
Other definitions of records management technology tools aside from ECRM include:
- Electronic document management: The electronic management of electronic documents "using computer equipment and software to manage, control, locate, and retrieve information in an electronic system".
- Enterprise content management: "The technologies, tools, and methods used to capture, manage, store, preserve and deliver content across an enterprise".
- Electronic records management: "The electronic management of digital and analog records contained in an IT system using computer equipment and software". This involves the "planning, controlling, directing, organizing, training, promoting and other managerial activities" related to the information lifecycle, including "creation, maintenance and disposition".
Author: Department of Defense (USA)
Title of Article: Electronic Records Management Software Applications Design Criteria Standard
Periodical/website: Department of Defense (US)
Vol./No./Edition: N/A
Year published: 2007
Pages: Chapter 2: Mandatory Requirements, pg. 32-33
Date accessed: May 29, 2011
Location, database, website, link: Department of Defense (USA), http://jitc.fhu.disa.mil/recmgt/p50152stdapr07.pdf

Annotation
Outlined in this section are general requirement standards for records management applications. In summary:
- The application should meet these standards with no exceptions for the type of media.
- Information should be dated properly, and account for leap years.
- The application should "allow for the implementation of discovery meta-tagging."
- The application should still be able to access its information from at least the next new version of the application.
- Documentation of the application should include product information and the features of the application.
- The application should integrate properly with other IT within the organization by providing open standards interfaces.
- The application should follow proper security standards (Security Technical Implementation Guides).
Author: Hanks, Keith
Title of Article: Understanding Data Destruction: What the CIO Needs to Know
Periodical/website: CIO: security
Vol./No./Edition: N/A
Year published: 2007
Pages: N/A
Date accessed: May 28, 2011
Location, database, website, link: CIO, http://www.cio.com/article/110553/Understanding_Data_Destruction_What_the_CIO_Needs_to_Know.?page=1&taxonomyId=3089

Annotation
In the US, there are several federal laws regarding disclosure of information:
- Health Insurance Portability and Accountability Act
- Gramm-Leach-Bliley Act
- Federal Information Security Management Act
- OMB Memo (M-06-16)
According to IDC, 60% of corporate data remains on unprotected computers (laptops and desktops). Losing a laptop has the potential to cause many problems for a company. Some ideas to prevent the data on these laptops from falling into the wrong hands are as follows:
- Encryption: While a good measure for meeting disclosure requirements, encryption has its flaws. If an individual is able to find the encryption key, the data will easily be decrypted.
- Data destruction: Destroying data provides certainty that the data is irretrievable. With encryption and data destruction combined, the chance of someone retrieving the destroyed data is close to 0%. In addition, Beachhead Solutions' Lost Data Destruction helps a laptop connected to the internet to self-destruct if the laptop is internally marked as lost/stolen.
- Backup: In certain circumstances, backing up data may be required in order to comply with regulations.
Author: Jepson, Kevin
Title of Article: When Data Destruction is Good
Periodical/website: Credit Union Journal: Technology Report
Vol./No./Edition: N/A
Year published: 2008
Pages: N/A
Date accessed: May 29, 2011
Location, database, website, link: Business Source Complete

Annotation
According to Wellesley, Mass.-based Nucleus Research, more than 1/3 of employees in the US record passwords on paper or in a computer document, and many leave laptops unguarded in public areas or in unlocked cars. Two laptops went missing at E1 Financial Credit Union. These laptops were using Beachhead's Lost Data Destruction (LDD) solution. After a lost or stolen laptop is reported through the LDD web interface, the solution provides:
- The deletion of all encryption keys associated with the laptop.
- Frequent rebooting of the laptop to frustrate the thief.
LDD will also delete the associated encryption keys if the user does not log on to the host server over the internet for 3 days, or if there have been 10 failed login attempts. The following is a diagram that shows how the LDD process works.
Author: Lawhorne, Rick
Title of Article: A Path to Destruction
Periodical/website: Keeps You In Control
Vol./No./Edition: N/A
Year published: 2010
Pages: N/A
Date accessed: May 29, 2011
Location, database, website, link: Google, http://www.keepsyouincontrol.com/?p=31

Annotation
Organizations need to understand the requirements for data destruction, which were mainly developed from SOX, HIPAA and other regulations. These requirements should be interpreted by a legal or compliance specialist. There are 6 main principles for creating a data destruction framework:
- Define the requirements: Brainstorm with legal, compliance, human resources, audit and business leaders to define the requirements for data destruction.
- Weigh the costs and benefits of the options: Determine the approach that the organization will take, based on costs and benefits.
- Set expectations early: Understand the expected capabilities and costs of the data destruction framework after it is implemented.
- Understand the data retention timeline: The timeline should describe how data is classified and the expected life of each data classification.
- Determine destruction procedures: Ensure that there are procedures and organizational standards on how to destroy the data.
- Review and renew leadership commitment: Periodic review and renewal of leadership commitments will help strengthen the organization's awareness of data destruction policies and improve the policies based on changes in the environment.

Author: Tillman, Don
Title of Article: On-Site Data Destruction of Magnetic Data Following U.S. Standards
Periodical/website: Safenewsletter.com
Vol./No./Edition: N/A
Year published: 2010
Pages: N/A
Date accessed: May 29, 2011
Location, database, website, link: Google, http://www.storagenewsletter.com/news/disk/safe-data-data-destruction-don-tillman

Annotation
Currently:
- Companies are uncertain as to what the best method is to destroy data;
- Data destruction companies are not using the proper standards (DoD, NSA, NIST) and instead use alternative data destruction methods that do not follow the proper standards;
- Many data destruction companies destroy data off-site, and they risk losing data in the transfer to the off-site location; and
- Some of these methods of data destruction are not environmentally friendly.
The main benefit of using established standards and having data destruction occur on-site is to lower the liability of losing data during the transfer to an off-site location, and to have more certainty that the data is actually destroyed. Some of the best practices for data destruction are:
- Wiping: "In the US, DoD wiping methods are the standard." Wiping is the process of writing over data. This is usually done 3 or 7 times.
- Demagnetization: Considered an appropriate method of data destruction under DoD, NSA, NIST and PCI.
- Obliteration: Noted by the DoD as an appropriate standard. "Process of grinding the magnetic surface off of the hard disk platter."
Author: Jackson, Joab
Title of Article: NIST Issues Guidelines for Data Removal
Periodical/website: Government Computer News
Vol./No./Edition: N/A
Year published: 2006
Pages: N/A
Date accessed: May 29, 2011
Location, database, website, link: Google, http://gcn.com/articles/2006/02/06/nist-issues-guidelines-for-data-removal.aspx

Annotation
According to the National Institute of Standards and Technology (NIST), the method of data destruction chosen should depend on the level of sensitivity of the information on a medium and not on the type of storage media. There are three main ways of disposing of data:
- Clearing: Overwriting data with random data or performing a manufacturer hard reset.
- Purging: "Generating a magnetic field to neutralize the magnetically encoded information".
- Destroying: Melting and incineration, or sanding off the physical recording surface.
Author: (RCMP)
Title of Article: IT Media Overwrite and Secure Erase Products
Periodical/website: RCMP
Vol./No./Edition: N/A
Year published: 2009
Pages: N/A
Date accessed: May 29, 2011
Location, database, website, link: RCMP, http://www.rcmp-grc.gc.ca/ts-st/pubs/it-ti-sec/b2-002-eng.pdf

Annotation
In 2005, the RCMP stopped providing technical support and services for its free hard drive overwrite software, as more sophisticated commercial software became available. In 2007, the RCMP, CSEC (Communications Security Establishment of Canada) and PWGSC (Public Works and Government Services Canada) created a program to pre-qualify IT security products. Successful products are listed on a government site. Standard ATA hard drives manufactured from 2001 onward, and some enterprise SCSI drives, have a feature called Secure Erase embedded in their firmware. Secure Erase is considered a reliable method of erasing data, and no additional software is needed to use it.
Author: Lowe, Scott
Title of Article: Five Ways to Intentionally Destroy Your Data
Periodical/website: TechRepublic: Servers and Storage
Vol./No./Edition: N/A
Year published: 2011
Pages: N/A
Date accessed: May 29, 2011
Location, database, website, link: TechRepublic, http://www.techrepublic.com/blog/datacenter/five-ways-to-intentionally-destroy-your-data/3848

Annotation
Five recommended methods of data destruction:
1) Shredding: This includes shredding physical hard drives. A shredding company can provide the service either on the customer's premises or on its own premises. By having the service performed on the customer's premises, the customer avoids any risk of losing data during the transfer of the physical equipment.
2) Degaussing: Refers to removing the magnetic "glue" from the hard drive, rendering it useless.
3) DoD level overwrite: This process simply means overwriting the data several times, replacing the old data.
4) Smelting: Changing the physical state to a liquid state is an extreme way to destroy data, but it is more effective, as a device still in physical form could be put back together.
5) Encrypting: Not exactly a method of data destruction, but it will help prevent the data from being seen casually.
Author: (Government of Canada)
Title of Article: Clearing and Declassifying Electronic Data Storage Devices
Periodical/website: Communications Security Establishment of Canada
Vol./No./Edition: ITSG-06
Year published: 2006
Pages: Chapter 2: pg. 5-9
Date accessed: May 29, 2011
Location, database, website, link: Communications Security Establishment of Canada, http://www.cse-cst.gc.ca/documents/publications/itsg-csti/itsg06-eng.pdf

Annotation
Two essential ideas regarding the change of use or disposal of a data storage device:
- Clearing: Involves erasing the data storage device so that it can be reused in the same security environment or a higher one.
- Sanitizing: Involves erasing or destroying the data storage device so that there is a reasonable expectation that the risk of compromise is low or non-existent.
Some methods of destroying data to avoid the threat of unauthorized access:
- Encryption: Involves encrypting the whole media device, using approved CSE products.
- Overwriting: Involves writing over the previous data with all 1s or all 0s on the first overwrite; then writing the complement of the first overwrite on the second overwrite; and finally, a random pattern on the third overwrite.
- Degaussing: Involves using magnetic force to erase data on magnetic data storage devices.
- Physical deformation: Involves using tools to cause physical damage, using excessive force, to delay, impede or discourage someone from trying to take data from a device.
- Shredding and disintegration: Shredding involves destroying devices into small pieces of uniform size and shape; disintegration involves destroying devices into small pieces of non-uniform size and shape.
- Grinding and hammer-milling: Involves mashing devices into small pieces or a fine powder.
- Incineration: Involves using incinerators to burn the devices.
- Knurling: Involves applying pressure and heat to devices to curl and lengthen the device, which destroys the optical "pits" and "lands" on the disk (and so effectively destroys the data). Currently still under investigation.
Author: (Government of Canada)
Title of Article: Clearing and Declassifying Electronic Data Storage Devices
Periodical/Website: Communications Security Establishment of Canada
Vol./No./Edition: ITSG-06
Year published: 2006
Pages: Chapter 3: pg. 11-20
Date accessed: May 29, 2011
Location, database, website, link: Communications Security Establishment of Canada, http://www.cse-cst.gc.ca/documents/publications/itsg-csti/itsg06-eng.pdf

Annotation: Chapter 3 describes the clearing and sanitization methods that are appropriate to each category of electronic data storage device. This section also describes which method to use depending on the post-use of the device (i.e. re-use of the device within a department, or disposal of the device). Special considerations such as emergency situations and overwriting (including overwriting of PDAs/BlackBerrys) are covered. There are three main categories of electronic data storage devices:
- Magnetic media: i.e. hard-disk drives, floppy disks, magnetic tape and magnetic stripe cards
- Optical media: i.e. CDs and DVDs
- Miniature electronic storage devices and PDAs: i.e. USB keys, portable products with semiconductor storage chips (e.g. BlackBerrys and PDAs) and miniature glass-disk drives
Each of these categories has specific destruction standards for each level of sensitive information and for each method of destruction. There are also guidelines as to which approved products may be used to meet each specific destruction standard.

Author: Kissel, Richard; Li, Xing; Scholl, Matthew; Skolochenko, Steven
Title of Article: Guidelines for Media Sanitization
Periodical/Website: National Institute of Standards and Technology
Vol./No./Edition: NIST Special Publication 800-88
Year published: 2006
Pages: Chapter 2: pg. 5-9
Date accessed: June 2, 2011
Location, database, website, link: National Institute of Standards and Technology

Annotation: Chapter 2 describes the background information on media sanitization. The following are some comments noted from Chapter 2:
- Proper media sanitization is important to maintaining the confidentiality of information.
- There are two different types of media: hard copy and soft copy.
- ATA disk drives manufactured after 2001 can be cleared by overwriting their data once, which offers enough protection against laboratory and keyboard attacks.
- Some emerging data storage technologies: holographic storage and molecular memory.
- There are essentially four categories of sanitization:
  o Disposal: Discarding media without any sanitization method.
  o Clearing: Involves overwriting data.
  o Purging: Degaussing is a form of purging, which exposes magnetic media to a strong magnetic field. Secure Erase is another form of purging.
  o Destroying: Includes disintegration, incineration, pulverizing, shredding and melting.
- Keep in mind the cost vs. benefit of sanitization methods.
- Consider environmental factors regarding sanitization.
Author: Kissel, Richard; Li, Xing; Scholl, Matthew; Skolochenko, Steven
Title of Article: Guidelines for Media Sanitization
Periodical/Website: National Institute of Standards and Technology
Vol./No./Edition: NIST Special Publication 800-88
Year published: 2006
Pages: Chapter 4: pg. 12-15
Date accessed: June 2, 2011
Location, database, website, link: National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Annotation: Chapter 4 discusses decision making with regard to information sanitization and disposition. Below are some key points from Chapter 4:
- The decision on the method of sanitization is based on the confidentiality of the data, not on the media type.
- Organizations and people need to be aware of what media type they use, as different types of media can be sanitized in different ways. This is largely a business decision and should be made keeping the future in mind.
- An early decision that needs to be made is whether there actually is a need for sanitization.
- Information should be classified under an appropriate confidentiality category.
- Media can be reused and recycled. The organization must decide whether it chooses to do either or neither.
- Determining who controls the media is important in the decision-making process. The two main choices for control are: under organization control and not under organization control.
- After the previously mentioned decisions are made, the organization can make a risk assessment based on the different sanitization methods.
- Once the sanitization process is operating, verifying the method is crucial to maintaining proper protection. This can be done by sampling the media and ensuring that it has been sanitized properly.
- Documentation is important to maintaining records of the sanitization process.
The diagram below can help an individual or organization decide which sanitization technique to use.
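As an added example (not code from ITSG-06, NIST SP 800-88 or this paper), the following Python applies the three-pass overwrite pattern summarized in the ITSG-06 Chapter 2 entry above (all 1s, then the complement, then a random pattern) to an in-memory buffer standing in for a rewritable magnetic device, and then performs the sampling-based verification that the NIST SP 800-88 Chapter 4 summary calls for. The block size, the per-block seeding scheme used to make the random pass reproducible, and all function names are my own choices, and the buffer contents are constructed.

```python
import hashlib
import io
import os
import random
BLOCK = 4096  # overwrite/verify granularity; a real device would use its sector size

def _block_pattern(seed: bytes, index: int, n: int) -> bytes:
    # Per-block pattern derived from the run seed (hypothetical scheme) so verification can regenerate any block; not a CSPRNG
    rng = random.Random(hashlib.sha256(seed + index.to_bytes(8, "big")).digest())
    return rng.randbytes(n)

def three_pass_overwrite(dev, size: int) -> bytes:
    # ITSG-06 style passes on a seekable, writable device-like object:
    # pass 1 all 1s (0xFF), pass 2 the complement (0x00), pass 3 a random pattern.
    # Returns the seed of the random pass so the result can be verified later.
    seed = os.urandom(16)
    for fill in (b"\xff", b"\x00"):
        dev.seek(0)
        for off in range(0, size, BLOCK):
            dev.write(fill * min(BLOCK, size - off))
        dev.flush()
    dev.seek(0)
    for i, off in enumerate(range(0, size, BLOCK)):
        dev.write(_block_pattern(seed, i, min(BLOCK, size - off)))
    dev.flush()
    return seed

def verify_by_sampling(dev, size: int, seed: bytes, samples=None) -> bool:
    # Re-read a random sample of blocks (every block when samples is None) and
    # check each still holds the final pattern; any mismatch fails the device.
    nblocks = (size + BLOCK - 1) // BLOCK
    for i in random.SystemRandom().sample(range(nblocks), min(samples or nblocks, nblocks)):
        off = i * BLOCK
        expected = _block_pattern(seed, i, min(BLOCK, size - off))
        dev.seek(off)
        if dev.read(len(expected)) != expected:
            return False
    return True

def demo() -> dict:
    # Constructed input: a buffer of fake records standing in for a magnetic disk.
    dev = io.BytesIO(b"constructed sensitive record\n" * 400)
    size = len(dev.getvalue())
    seed = three_pass_overwrite(dev, size)
    tampered = bytearray(dev.getvalue())
    tampered[BLOCK] ^= 0xFF  # simulate one block that did not take the overwrite
    return {"verified": verify_by_sampling(dev, size, seed),
            "plaintext_gone": b"sensitive" not in dev.getvalue(),
            "tamper_detected": not verify_by_sampling(io.BytesIO(bytes(tampered)), size, seed)}
```

Overwriting only applies to rewritable, undamaged media, as the Chapter 5 summary notes; the sampling step is what turns "we ran the passes" into a documented, checkable result.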
Author: Kissel, Richard; Li, Xing; Scholl, Matthew; Skolochenko, Steven
Title of Article: Guidelines for Media Sanitization
Periodical/Website: National Institute of Standards and Technology
Vol./No./Edition: NIST Special Publication 800-88
Year published: 2006
Pages: Chapter 5: pg. 16
Date accessed: June 2, 2011
Location, database, website, link: National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Annotation: Before choosing a sanitization technique, organizations should categorize the type of information they have, understand the type of media they plan to use, assess the risk of losing confidential information, and have a future plan for that particular media. Chapter 5 gives a summary of the three most common sanitization techniques:
- Clearing: Overwriting data with random and non-confidential data. Overwriting can only be completed on media that is rewritable and not damaged.
- Purging: Degaussing and Secure Erase are two purging methods. Degaussing involves using magnetic fields to "disrupt the recorded magnetic domains", which sanitizes the media. Secure Erase is a command that only works on ATA drives.
- Destroying:
  o Disintegration, pulverization, melting and incineration: Usually this is outsourced to a company that can perform one or more of these acts of destruction.
  o Shredding: A company can purchase a shredder to accomplish this task, or outsource the work. A paper shredder may be able to effectively destroy data on flimsy media. Shredding should create pieces small enough that the media cannot be reconstructed.

Author: Kissel, Richard; Li, Xing; Scholl, Matthew; Skolochenko, Steven
Title of Article: Guidelines for Media Sanitization
Periodical/Website: National Institute of Standards and Technology
Vol./No./Edition: NIST Special Publication 800-88
Year published: 2006
Pages: Appendix A: pg. 17-25
Date accessed: June 2, 2011
Location, database, website, link: National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

Annotation: This section of the NIST Guidelines for Media Sanitization is useful after most of the decisions mentioned in Chapter 4 have been made. It is titled "Minimum Recommendation for Media Containing Data". It lists specific media types and suggests procedures or techniques to use for each particular media type. The suggestions cover only the three main methods of sanitization: clearing, purging and destroying. The major categories of specific media types are: hard copy storage, hand-held devices, networking devices, equipment, magnetic disks, magnetic tapes, optical disks, memory, and magnetic cards. Some examples of specific media types under these categories are: USB removable media, magnetic core memory, flash cards, DRAM, CDs, ATA hard drives, fax machines, and cell phones.