It’s a near daily occurrence for most enterprises—a laptop or server becomes obsolete or unusable. But often the most important step is forgotten before a new media is brought in. How do you ensure that the old device is cleansed of all usable traces of important data before it is disposed of?
Many organizations have internal procedures for disposing of technology, and those steps include wiping hard drives of data or restoring a device to its original status before use. But does this alone ensure that no discernible traces of private data are left on the media? Are there ways to absolutely be sure that the organization’s confidential information has been completely and absolutely removed? Or is there a level of data removal that may not be complete, but is acceptable?
According to the Information Technology Laboratory (ITL) and National Institute of Standards and Technology (NIST), cleansing processes may depend on the types of information on the media and the laws and regulations that dictate the privacy and security of such data based on certain types of business. These two organizations have teamed up to write a document that details the importance of media sanitization and the ways that organizations can make decisions about cleaning data from unused media prior to donation or disposal.
The “Guidelines for Media Sanitization” can be found in our IT Downloads area. According to the document, media cleansing may have various levels at which data removal is acceptable, but the decisions must be made based on the data, not the device:
The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media. Electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information.
The PDF explains why sanitization of media is important and the types of media that can be disposed. In fact, NIST explains that even hard copies of information (paper printouts, printer ribbons, and drums and platens) may be overlooked as containing important, possibly damaging data that could be harmful if in the wrong hands. Most modern media, however, is electronic. It is these types of devices that contain “bits and bytes such as hard drives, random access memory, read-only memory, disks, flash memory, memory devices, phones, mobile computing devices, networking devices, office equipment” and other technologies that can be most difficult to sanitize effectively.
Many jobs and positions within an organization are considered within the document as it explains these roles and the responsibilities they hold within the media sanitization process. Some, such as the CIO, may be charged with creating and disseminating the policy on media sanitization within the enterprise. Privacy and security officers may be responsible for advising the types of data that must be kept secured based on company policy or other regulations.
Other areas covered include:
- Determining security categorization
- Reuse of media
- How to make sanitization and disposal decisions
- How to verify that proper data removal has been performed
CIOs, CTOs and data scientists along with data privacy and security officers will all benefit from the advice and procedures covered in this document. Within every organization, someone must make the decisions on what media can be disposed, what can be restored, and how to cleanse data from electronic devices. All companies, large and small, should have a structured policy on how to approach data sanitization within the organization.