As businesses begin to incorporate more technology into their environments, companies will also learn that these technologies do not last forever. When storage mediums such as tape or hard-drives need replacing, businesses will copy and move the data to a newer drive. Once copied, many individuals think that merely erasing the storage medium will remove all the data. Erased devices still contain sensitive data, even if you cannot see it on a computer. Services and programs exist where individuals can recover data from various storage devices. With media sanitization, not only are the devices wiped but are left unusable afterward. Depending on how data is stored, multiple methods can ensure that no data is recoverable.
The integration of data collection and analysis tools into modern manufacturing environments has revolutionized how companies operate, while also creating new cybersecurity challenges. While manufacturers rarely gather personal information, their systems and devices capture, process, and store information using various inputs and media. This data is located not only on designated storage media, but also within devices used to create, process, and transmit this information.
These systems and devices filled with sensitive data that may be valuable to cyber criminals. This risk is forcing manufacturers to implement media protection policies to mitigate the risk of unauthorized information disclosure, maintain confidentiality, and ensure production equipment isolation from other forms of exploitation.
Media Protection Policies
When protecting active confidential or sensitive data, businesses can create Media Protection policies. These policies generally cover how to use, store, and transmit data in a way that maintains confidentiality and integrity during authorized use. However, when a device is retired or removed from the network, businesses should practice information sanitization. In this situation, many companies use the NIST 800 80 guidelines for media sanitization to further protect confidential data.
The principles found in the NIST sp 800 80 revision 1 guidelines assist in properly safeguarding all confidential data from incidental disclosure. While many would think that merely erasing a hard drive would be enough to protect their sensitive data. Experienced cyber criminals can still recover sensitive data from hard-drives with relative ease. When systems, devices, and storage media become obsolete, it is important to ensure that residual magnetic, optical, electrical, or other data that has been deleted is not easily recoverable.
Media Protection security principles are established in NIST SP 800-53. Security controls related to media protection include media: i) policies and procedures, ii) access, iii) marking, iv) storage, v) transport, vi) sanitization, vii) use, and viii) downgrading. (SP 800-53, Appendix F-MP).
Why is media sanitization necessary?
What is NIST 800-88?
NIST SP 800-88 Revision 1 provides guidance to assist organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information.
What is media sanitization?
Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. Information disposition and sanitization decisions occur throughout the information system life cycle.
What is data destruction?
The process of destroying data that is stored on your hard drives, tapes and other electronic media, in a manner that the data is no longer readable. This prevents unauthorized users from accessing your sensitive information after a piece of hardware has been repurposed or decommissioned. While simply deleting the data will make it inaccessible to your operating system, a skilled hacker would be able to easily retrieve the information unless more drastic measures are taken.
Clear Data Destruction Recommendations
We can help you improve your media protection policies by offering clear data destruction recommendations that are efficient and cost-effective. Information disposal, media disposal, storage security, purge, and media sanitization all relate to media protection decisions. Our cybersecurity specialists understand data security and will work with you to create a program that can ensure your storage devices are properly managed throughout their operational lifespan.
Selecting the right data destruction method.
When an IT asset is on the verge of retirement, it’s essential to consider how your information security team will deal with the stored data. If your company relies on a third-party cybersecurity service provider, it’s necessary to verify the exact data destruction processes.
A lack of visibility can leave your business open to potential risks, including data theft and credential exploitation. At Certitude Security®, we work alongside your internal or external IT team to evaluate the data destruction measures in use and provide comprehensive guidance to maintain your information security. Some of the data sanitization measures we advocate for include:
Media Sanitization Software
This method of data sanitization erases all available data, then fills the entire medium with random data. Writing fake data prevents malicious users from accessing or recovering previously stored data on any device. Media sanitization software offers manufacturers the ability to sanitize their devices on-site.
Degaussing is a specialized method of media sanitization, as this method alters the magnetic field of certain storage mediums. This method of media sanitization is most effective on hard-disk drives and tape drives. The benefit of this approach is that it allows you to reuse tapes that do not have prewritten tracks. Degaussing is also considered the most cost-effective option.
Sometimes the most straightforward solutions are the most primitive ones. Physical destruction is, of course, the destruction of both the device and storage mediums. This method can include shredding storage tapes and crushing hard-drives. In some cases, businesses will perform multiple rounds of physical destruction.
Improving your media and data protection strategies.
End-to-end data protection is essential to manufacturers of all sizes, which is why it’s critical to choose a data destruction company that aligns with your company’s operational scope and business objectives. Narrowing down your options can be a challenge, as every company has different standards, costs, and disposal methods. Ensuring that the data stored on your equipment is appropriately wiped or destroyed is crucial, so be sure to verify the credibility of your service provider and ask for a certificate of destruction for each device you send out.
We continue to observe manufacturers who overlook the general process of removing data from storage media, in a manner consistent that there is reasonable assurance that the data may not be easily retrieved and reconstructed.
We have years of experience with media protection and data destruction, which enables us to locate comprehensive solutions that match your unique needs. We help our clients maintain strong information security by ensuring data destruction companies and external IT teams uphold best practices that will protect your data in the long term.
Data-bearing devices are sanitized and verified to NIST SP 800-88 R1 requirements per NIST SP 800-53 CSF
Meets the NIST 800-88 federal guidelines for media sanitization