1.0 TITLE: Enterprise Media Sanitization and Disposal Policy
1.1 EFFECTIVE DATE: January 22, 2009
1.2 TYPE OF ACTION: New
1.3 KEY WORDS: Equipment Disposal, Equipment Resale, Equipment Surplus, Media Sanitization, Media Disposal, Media Destruction
2.0 PURPOSE: To define the requirements related to the sanitization of data from media before disposal or reuse.
3.0 ORGANIZATIONS AFFECTED: All branches, boards, commissions, departments, divisions, and agencies of Kansas state government, hereafter referred to as Entities.
4.1 ITEC Policy 7230R1 - Default Enterprise Security Policy
4.2 ITEC Policy 7230A - Default Security Requirements
4.3 ITEC Policy 7310 - IT Security Self assessment
4.4 Federal Information Security Management Act (FISMA) of 2002
4.5 Federal Information Processing Standards (FIPS) PUB 199 - Standards for Security
4.6 Internal Revenue Service Publication 1075 - Tax Information Security Guidelines for Federal, State, and Local Agencies and Entities
4.7 National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Security Information Technology
4.8 NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems
4.9 NIST Special Publication 800-88, Guidelines for Media Sanitization
5.0 DEFINITIONS: (N.B. all definitions are taken from NIST 800-88 unless otherwise noted)
5.1 Media, which is the plural of medium, is defined as “Material on which data are or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid state devices, or optical discs.”
5.2 Hard Copy media is defined as “physical representations of information. Paper printouts, printer and facsimile ribbons, drums, and platens are all examples of hard copy media. These types of media are often the most uncontrolled. Information tossed into the recycle bins and trash containers exposes a significant vulnerability to ‘dumpster divers’ and overcurious employees, risking accidental disclosures.”
5.3 Electronic, or soft copy, media is defined as the bits and bytes contained in hard drives, random access memory (RAM), read-only memory (ROM), disks, memory devices, phones, mobile computing devices, networking equipment, copiers, fax machines and printers.
5.4 Media sanitization is defined as the removal of information from a storage medium. Different kinds of sanitization provide different levels of protection (NIST 800-14). “Media sanitization is a general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.” “Media sanitization is one key element in assuring confidentiality.” Media sanitization is divided “into four categories: disposal, clearing, purging, and destroying” (NIST 800-88).
5.5 Disposal is defined as the act of discarding media with no other sanitization considerations. This is most often done when recycling paper that contains non-confidential information, but may also include other media.
5.6 Clearing is defined as using software or hardware products to overwrite storage space on the media with non-sensitive data. The process may include overwriting not only the logical storage location of the file(s) (e.g., file allocation table) but may also include all addressable locations.
5.7 Purging is defined as a media sanitization process that protects the confidentiality of information against a laboratory attack. For some media, clearing media would not suffice for purging. However, for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged.
A laboratory attack would involve a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment. This type of attack involves using signal processing equipment and specially trained personnel.
Executing the firmware Secure Erase command (for ATA drives only) and degaussing are examples of acceptable methods for purging. Degaussing of any hard drive assembly usually destroys the drive as the firmware that manages the device is also destroyed. Another acceptable method is overwriting the data on the hard drives. The overwriting process should use, at a minimum, 3 passes.
5.8 Degaussing, also called demagnetizing, is defined as reducing the magnetic flux to virtual zero by applying a reverse magnetizing field. Degaussing any current generation hard disk (including but not limited to IDE, EIDE, ATA, SCSI and Jaz) will render the drive permanently unusable since these drives store track location information on the hard drive in dedicated regions of the drive in between the data sectors.
5.9 Destroying is defined as the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting. If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.
Disintegration, Incineration, Pulverization, and Melting - These sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or incineration facility with the specific capabilities to perform these activities effectively, securely, and safely.
Shredding - Paper shredders can be used to destroy flexible media such as diskettes once the media are physically removed from their outer containers.
5.10 Personally Identifiable Information (PII) includes, but is not limited to, name, address, phone number or email address in connection with an individual’s Social Security Number.
6.1 All entities shall establish policies and procedures for the sanitization of all media including hard copy and electronic (or soft copy). Kansas Board of Regents should use the guidelines contained in NIST Special Publication 800-88 or an approved established industry best practice for higher education technical environments or institutions.
6.2 When media contains Federal Tax Information, all entities shall establish media sanitization policies and procedures in accordance with IRS Pub 1075.
6.3 When media contains data classified under HIPAA as confidential, all entities shall establish sanitization policies and procedures in accordance with HIPAA Regulation Part 164.310(d),1 & 2.
6.4 When media contains data relating to personally identifiable information, all agencies shall establish sanitization policies and procedures as described in NIST 800-88.
6.5 When writing agency policy, consideration should be given to specific Federal, State or local requirements.
7.1 Please refer to FIPS 199 for guidance in establishing the security classification of the information on the media.
7.2 Once the security classification is complete, a key decision on sanitization is whether the media are planned for reuse or recycle. If media are not intended for reuse either within or outside an entity, the simplest and most cost-effective method of control may be destruction.
7.3 Once an entity has determined the types of media and the media disposition (see NIST 800-88 Appendix A, Minimum Sanitization Recommendation for Media Containing Data), the entity must maintain a record of what media were sanitized, when, how they were sanitized, and the final disposition of the media. The record of action taken should be maintained in a written electronic format for a duration which is to be determined by the entity. An example of a Sanitization Validation Form, as amended, is included as Attachment A to this Policy.
7.4 The following is a list of resources for devices approved by the National Security Agency (NSA):
http://www.nsa.gov/ia/_files/government/MDG/NSA_CSS-EPL-02-01.pdf - NSA/CSS Evaluated Products List (EPL) for High Security Crosscut paper Shredders, Annex A to NSA/CSS 02-01, version M, dated: July 2008.
http://www.nsa.gov/ia/_files/government/MDG/NSA_CSS-EPL-02-02.pdf - NSA Evaluated High-Security Disintegrators, Annex A to NSA/CSS 02-02, version F, dated: October 2007.
http://www.nsa.gov/ia/_files/government/MDG/NSA_CSS-EPL-04-02.pdf - Optical Media Destruction Devices, Annex A to NSA/CSS 04-02, version B, dated: May 2008.
http://www.nsa.gov/ia/_files/government/MDG/NSA_CSS-EPL-9-12.pdf - Degaussers Approved Products List - Annex A to NSA/CSS Manual 130-2, version B, dated: December 2007.
7.5 The Chief Information Security Officer, through the Enterprise Security Office, will periodically make a judgmental sample of machines sanitized by entities to ensure quality of compliance with this policy.
8.1 Heads of entities are responsible for establishing procedures for their organizations to comply with the requirements of this policy.
8.2 The Chief Information Technology Officer, Executive Branch is responsible for the maintenance of this policy.
9.0 CANCELLATION: None