For the modern business leader, it's important to know exactly where their organisation's confidential information is being stored - especially when crucial company data is involved. As a CISO/CEO, you are as responsible for securing valuable info and safely storing it away as in making sure that your other measures of security stay up-to-date. With technology becoming increasingly portable the risk of lost data is increased. In this article, we'll explore some of the secure destruction techniques you can use to properly protect your companies important information
An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information. —NIST 800-88, Rev.1, “Background”
When storing important information on media, such as USB Drives, Hard Drives or Solid State Devices - secure destruction is essential. Proper sanitation of these devices before they are discarded should be taken to ensure your data remains safe and protected.
Hard Drives - Organisations looking to securely dispose of data stored on hard disks drives should consider a range of methods depending on the desired outcomes. Clearing can remove sensitive information from devices too be reused inside an organization, while digital shredding or wiping overwrites existing content with new characters like 1 and 0 for maximum protection. Degaussing uses magnetic fields to alter storage structures which renders them unusable, although ultimate security may require physical destruction techniques such as crushing or incineration for complete assurance against recovery attempts.
Solid State Drives - Keep your data safe and secure with the right strategies for SSD disposal. For internal reuse, use built-in sanitization commands to render information inaccessible. To ensure that device data can never be recovered again, opt for physical destruction. Note: when outsourcing these services to third parties, select a provider who meets applicable standards related to successful and reliable data destruction processes
Each type of device requires different techniques to be applied.
When it comes to securely destructing data or securely disposing of data on hard disk drives (HDDs), or the physical location where the data is stored, consider using the following methods:
1. Clearing: Clearing removes data in such a way that prevents an end-user from easily recovering it. This method is suitable for reusing devices inside your organization.
2. Digital Shredding or Wiping: This method does not alter the physical asset. Instead, it overwrites data with other characters like 1 or 0 and random characters with multiple passes (e.g. DoD 5220.22-M algorithm).
3. Degaussing: Degaussing uses a strong magnetic field to rearrange the structure of the HDD. Once the HDD is degaussed, it can no longer be used.
4. Physical Destruction: This method ensures the secure disposal and destruction of HDDs as they are hydraulically crushed or mechanically shredded, so that data can never be retrieved or reconstructed.
For secure data destruction and secure data disposal of data found on solid state drives (SSDs), or the virtual location the data is stored, consider using the following methods:
1. Built-In Sanitization Commands: This method is effective if the device is to be reused within the organization.
2. Physical Destruction or Encryption: Using this method is the only true way to ensure device data cannot be recovered.
To outsource this service to a third-party use a reputable provide who meets the standards required to destroy the type of information you require to be securely destroyed.
For further help on selecting a third party provider have a look at provider certifications on the i-SIGMA website.
i-SIGMA offers free ongoing service provider monitoring of vendors handling regulated, sensitive information.
The International Secure Information Governance & Management AssociationTM (i-SIGMA®) is the industry trade association for secure data destruction and records & information management service providers. i-SIGMA enforces standards and ethical compliance for approximately 2,500 service providers on six continents and currently maintains the most rigorous and widely accepted data-security vendor-compliance certifications, NAID AAA Certification® and PRISM Privacy+ Certification®, with hundreds of governments and thousands of private contracts using the programs to meet their regulatory due diligence requirements
For further information about secure destruction standards and advice refer to the Australian Governments Media Guideline.