Organizations Need Proper Procedures for Data Cleansing of Old Media

Kim Mays

It’s a near daily occurrence for most enterprises: a laptop or server becomes obsolete or unusable. But often the most important step is forgotten before new media is brought in. How do you ensure that the old device is cleansed of all usable traces of important data before it is disposed of?

Many organizations have internal procedures for disposing of technology, and those steps include wiping hard drives of data or restoring a device to its original status before use. But does this alone ensure that no discernible traces of private data are left on the media? Is there a way to be sure that the organization’s confidential information has been completely removed? Or is there a level of data removal that may not be complete, but is acceptable?


According to the Information Technology Laboratory (ITL) and National Institute of Standards and Technology (NIST), cleansing processes may depend on the types of information on the media and the laws and regulations that dictate the privacy and security of such data based on certain types of business. These two organizations have teamed up to write a document that details the importance of media sanitization and the ways that organizations can make decisions about cleaning data from unused media prior to donation or disposal.

The “Guidelines for Media Sanitization” can be found in our IT Downloads area. According to the document, media cleansing may have various levels at which data removal is acceptable, but the decisions must be made based on the data, not the device:

The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media. Electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information.

The PDF explains why sanitization of media is important and the types of media that can be disposed of. In fact, NIST explains that even hard copies of information (paper printouts, printer ribbons, and drums and platens) may be overlooked, although they can contain important data that could be damaging in the wrong hands. Most modern media, however, is electronic. It is these types of devices that contain “bits and bytes such as hard drives, random access memory, read-only memory, disks, flash memory, memory devices, phones, mobile computing devices, networking devices, office equipment” and other technologies that can be most difficult to sanitize effectively.

The document considers many jobs and positions within an organization, explaining these roles and the responsibilities they hold within the media sanitization process. Some, such as the CIO, may be charged with creating and disseminating the policy on media sanitization within the enterprise. Privacy and security officers may be responsible for advising on the types of data that must be kept secured based on company policy or other regulations.

Other areas covered include:

  • Determining security categorization
  • Reuse of media
  • How to make sanitization and disposal decisions
  • How to verify that proper data removal has been performed

CIOs, CTOs and data scientists, along with data privacy and security officers, will all benefit from the advice and procedures covered in this document. Within every organization, someone must make the decisions on what media can be disposed of, what can be restored, and how to cleanse data from electronic devices. All companies, large and small, should have a structured policy on how to approach data sanitization within the organization.

Kim Mays has been editing and writing about IT since 1999. She currently tackles the topics of small to midsize business technology and introducing new tools for IT. Follow Kim on Google+ or Twitter.



Jul 15, 2015 10:54 AM Oscar Tong says:
This entire blog brings back memories of a news story that I viewed at one point. It involved a group of students heading to Africa to check old computer parts that were shipped there. On a hard drive that was simply being sold by a street vendor, they found top secret U.S. government budget files. That's why I feel that you should always make sure the data is removed in its entirety.

Jul 15, 2016 9:40 AM Linda Boudreau says:
Great post, thanks for sharing. Because of the rising importance of data-driven decision making, having a strong data governance team is an important part of the equation (as in the situation you mention in your blog), and will be one of the key factors in changing the future of business. There is so much great work being done with data cleansing tools in various industries such as financial services and health care. It will be interesting to see the impact of these changes down the road. Linda Boudreau http://DataLadder.com
