The Ponemon Cost of a Data Breach Report found that in 2021, data breaches cost businesses $4.24 million on average. The investigation found that almost 60% of the over 1,000 chief information officers and security professionals surveyed had experienced a data breach caused by a third-party service provider.
This makes it even more critical to ensure that you have a watertight strategy for the safe handling and sanitization of your business’s data. It’s also business-critical to ensure that your assets are handled by a third party that adheres to a strict set of standards and has a process that ensures confidential information doesn’t reach unintended or inappropriate parties.
Additional challenges to consider regarding data protection include country-specific requirements, economic viability, and your own legal requirements. NIST 800-88 is one of several sets of guidelines for the sanitization of data-bearing technology assets.
- What is media sanitization?
- What is NIST?
- What is NIST 800-88?
- What is meant by Clear, Purge, and Destroy?
- NIST 800-88 revision
What is media sanitization?
Businesses generate vast amounts of data, including personal and sensitive data, standard business data (phone lists, marketing information, supplier data, etc.), confidential business data (business reports, financial and accounting documents, balance sheets, and annual financial statements), top secret business data (research and development of business enterprises), and banking information.
NIST defines media sanitization as “a process that renders access to target data on the media infeasible for a given level of effort.” To choose the sanitization technique that achieves the required level of assurance, the NIST workflow considers the confidentiality of the data being handled, not just the type of medium.
This entails the following considerations:
- What will the media be used for in the future?
For example, a shredded device would be rendered unusable, while a program using Clear or Purge would make this medium available for future use.
- How confidential is the data?
- What storage medium is being used to store the data?
"The information security concern regarding information disposal & media sanitization resides not in the media but in the recorded information. The issue of media disposal & sanitization is driven by the information placed intentionally or unintentionally on the media. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure."
(NIST SP 800-88 Revision 1)
What is NIST?
The National Institute of Standards and Technology (NIST) is a physical science laboratory and a nonregulatory agency of the United States Department of Commerce. Founded in 1901, it has a long history of developing measurements, metrics, and standards that can be applied to the science and technology industries. This makes NIST the ideal institution for offering guidance on how organizations and their employees can properly handle confidential data stored on electronic devices.
What is NIST 800-88?
NIST 800-88, also called NIST Special Publication 800-88 (NIST SP 800-88), Guidelines for Media Sanitization, is a U.S. government document providing robust methodological guidance for erasing data from storage media (media sanitization). Its objective is to ensure that any data found on storage media is irretrievable.
Originally established for government use, NIST 800-88 is now widely adopted and recognized by governments and corporations alike as the best-in-class method for ensuring effective media sanitization.
The NIST guidelines cover all types of storage media, including magnetic, flash-based, and other technologies, using the media sanitization techniques of Clear, Purge, and Destroy.
Department of Defense (DoD) 5220.22
Prior to the publication of the NIST 800-88 guidelines, organizations typically used the U.S. Department of Defense (DoD) 5220.22-M standard. This standard was originally created for the military and was later adopted by the public sector. Although it was considered a benchmark for many years and is still occasionally used worldwide, it has now been succeeded by NIST 800-88, because it was not designed to erase data from chip-based storage media like solid-state drives (SSDs), which are now so common.
What is meant by Clear, Purge, and Destroy?
In its guidelines, NIST uses the terms “Clear,” “Purge,” and “Destroy” to refer to various methods for erasing end-of-life data from storage devices.
Clear applies standard read/write commands, techniques, and tools to overwrite data found in all user-accessible storage locations. It overwrites the data with nonsensitive data (binary 1s and 0s) on media such as Advanced Technology Attachment (ATA) hard drives and SSDs.
- Security level: Official
- Level of data protection: Moderate, protecting against simple, noninvasive data recovery techniques
- Can be used for: Floppy disks, disk drives, ATA hard drives, SCSI drives, flash media (USB sticks, memory cards, SSDs)
- Pros: The storage media can be reused, reducing e-waste, and most devices support some level of Clear sanitization.
- Cons: It does not address data found in hidden or inaccessible areas.
- Sustainability: Favorable outcomes, as assets can be reused (internally or externally, depending on the classification level of the overwritten data).
Purge refers to a physical or logical technique (whereas Clear uses only logical techniques) that renders target data recovery infeasible even with state-of-the-art laboratory techniques; typical Purge methods are overwrite, block erase, and cryptographic erase. It provides a higher level of media sanitization than Clear and is thus used when handling more confidential data.
- Security level: Secret
- Level of data protection: Higher than Clear
- Can be used for: Floppy disks, hard disk drives (ATA, SCSI), flash media (USB sticks, memory cards, SSDs)
- Pros: The storage media can be reused, reducing e-waste.
- Sustainability: Favorable outcomes, as assets can be reused, extending their lifespan.
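To make the difference between Clear and Purge concrete, here is an added example that is not part of the original article: a constructed Python model of a self-encrypting flash drive in which rewritten cells are retired to a hidden pool that host commands cannot reach. Clear overwrites every user-addressable sector and passes a host-side read-back check, yet a simulated lab read still finds the old copy; a cryptographic erase (one Purge method) discards the media key so every cell, hidden ones included, becomes noise. The drive model, the toy keystream, and the sample record are all assumptions made for the demonstration.

```python
import hashlib
import secrets

SECTOR = 16  # constructed toy sector size in bytes

class ToyDrive:
    """Constructed self-encrypting flash drive model; not real firmware or a real cipher."""

    def __init__(self, sectors: int) -> None:
        self.mek = secrets.token_bytes(32)          # media encryption key in the controller
        self.user = [bytes(SECTOR)] * sectors      # host-addressable cells (ciphertext)
        self.hidden: list[tuple[int, bytes]] = []  # retired (lba, ciphertext) cells

    def _xor(self, lba: int, data: bytes) -> bytes:
        # Toy per-sector keystream from the MEK; stands in for the drive's real cipher.
        ks = hashlib.sha256(self.mek + lba.to_bytes(4, "big")).digest()[:SECTOR]
        return bytes(a ^ b for a, b in zip(data.ljust(SECTOR, b"\0"), ks))

    def write(self, lba: int, data: bytes) -> None:
        if self.user[lba] != bytes(SECTOR):
            # Like wear levelling, the old cell is retired, not erased; host I/O can't reach it.
            self.hidden.append((lba, self.user[lba]))
        self.user[lba] = self._xor(lba, data)

    def read(self, lba: int) -> bytes:
        return self._xor(lba, self.user[lba])

    def clear(self) -> None:  # NIST Clear: ordinary overwrite of every user-addressable sector
        for lba in range(len(self.user)):
            self.write(lba, bytes(SECTOR))

    def crypto_erase(self) -> None:  # NIST Purge by cryptographic erase: discard the MEK
        self.mek = secrets.token_bytes(32)

    def lab_recover(self) -> list[bytes]:
        """Simulated chip-off read of every physical cell, decrypted with the current MEK."""
        return [self._xor(lba, ct) for lba, ct in list(enumerate(self.user)) + self.hidden]

def sanitize_outcome(method: str) -> tuple[bool, bool]:
    """Return (host_reads_blank, lab_finds_secret) after 'none', 'clear' or 'purge'."""
    secret = b"PAYROLL-SECRET"              # constructed sample record
    drive = ToyDrive(sectors=4)
    drive.write(1, secret)
    drive.write(1, b"updated record")       # the first copy now sits in the hidden pool
    if method == "clear":
        drive.clear()
    elif method == "purge":
        drive.crypto_erase()
    host_blank = all(drive.read(lba) == bytes(SECTOR) for lba in range(4))
    return host_blank, any(secret in cell for cell in drive.lab_recover())
```

The practical lesson is that a read-back verification through the host interface only proves Clear reached the addressable area; it says nothing about retired or reserved cells, which is exactly the gap the "Cons" entry for Clear describes.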
Destroy renders target data recovery infeasible using physical destruction techniques, such as shredding, smelting, pulverizing, and incinerating.
- Security level: Destroy
- Level of data protection: Higher than Clear and Purge
- Can be used for: Floppy disks, hard disk drives (ATA, SCSI), optical disks, flash media (USB sticks, memory cards, SSDs)
- Pros: It can be used when a medium is beyond overwriting methods due to its physical condition or when it contains highly confidential data.
- Cons: The media cannot be reused, and destroying them does not reduce their lifespan but ends their life, contributing to e-waste.
- Sustainability: Less favorable outcomes, as the assets cannot be reused/resold. However, through clean tech recycling, materials can still be recovered.
Your media sanitization partner can advise on the best route to ensure effective sanitization.
NIST 800-88 revision
The NIST 800-88 guidelines were originally published in 2006. The December 2014 revision produced the most recent guidelines: NIST Special Publication 800-88 Revision 1 (NIST SP 800-88 Rev. 1).
Why were the guidelines updated?
The NIST 800-88 guidelines were updated mostly because storage technology changed, so sanitization techniques that were adequate for older media no longer apply to newer storage devices. For example, degaussing can be an effective way to destroy or purge hard disk drives, floppy disks, and magnetic tapes but not flash-based storage devices, such as SSDs.
To paraphrase the “Background” section of the NIST guidelines, the acquisition of improperly sanitized electronic media provides a rich illicit source of information.
Organizations need to be confident that when media are handed over to a third party, they do not jeopardize data privacy, security, or regulatory compliance. Getting it wrong is not only financially costly but also harmful to your brand’s most important asset: its reputation.
TES helps organizations by performing media sanitization, no matter where the assets are located. TES has been recognized by Gartner as the largest global ITAD vendor in the world, allowing us to deliver this service at unmatched levels of consistency. We are also uniquely positioned to offer a full suite of services encompassing the entire lifecycle of technology assets, including managed deployment, IT asset disposition, and e-waste recycling. These services are delivered through our own infrastructure and operated by our own staff, offering a secure chain of custody and peace of mind for our clients.