Industry Standards


Data Privacy & Data Sanitization

☆ Governing regulations:
     --  Data/Information privacy includes the regulations required for companies to protect data
        * GDPR (General Data Protection Regulation, in force since May 2018), HIPAA (Health Insurance
           Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), CCPA (California Consumer
           Privacy Act, in force since 1 January 2020)
        * The efficient and effective management of information from inception through disposition is the responsibility
           of all those who have handled the data
☆ Data Sanitization:
    All organizations handling data are responsible for effectively sanitizing media, because the potential is
    substantial for sensitive data to be collected and retained on the media
☆ Data Sanitization Standards:
    NIST 800-88, DoD 5220.22-M ECE, CESG CPA – Higher Level, HMG Infosec Standard 5, Higher Standard 

Why Wipe?
NIST data sanitization standard (SP 800-88 Rev. 1)

From NIST SP 800-88 Rev. 1:
Page 24: Drilling holes is not, by itself, sufficient destruction. Most of the platter surface stays intact, and data on the
remaining surface may still be recoverable with advanced laboratory techniques

Pages 32-33: Overwriting is identified as "Clear" in the NIST spec. Clear protects only against simple, non-invasive recovery
(reading the media back through its normal interface); it does not claim resistance to laboratory recovery techniques, which
is the bar for "Purge". For modern magnetic drives a single overwrite pass is sufficient for Clear, and on flash media (SSDs)
overwriting the addressable blocks may miss remapped and over-provisioned areas, so the drive's own sanitize / secure erase
commands are preferred there

Why Wipe?
DoD Data sanitization regulatory standard

This document applies to all government organizations, DoD agencies and contractors participating in the administration or performance of DoD Special Access Programs (SAPs)
DoD 3 (3-Pass) 8-5-3: it is mandatory to overwrite magnetic disks three times to clear them

From the DoD 5220.22-M Clearing and Sanitization Matrix (supplement to the DoD NISPOM):
Data eradication method: overwrite all addressable locations with a single character, then with its complement, then with a random character, and verify the result

DoD Data sanitization regulatory standard

From DoD 5220.22-M (ECE) [supplement to the DoD NISPOM]:
This method is an extended variant of DoD 5220.22-M that overwrites the data in seven passes: the three-pass DoD 5220.22-M (E) sequence is applied twice, with a single random-value pass, DoD 5220.22-M (C), between them (E + C + E = 3 + 1 + 3 passes).

DoD 7 (7-Pass) :
--  Wiping : 

--  Verification : Read and verify entire surface with pseudo random pattern 2

Process Flow

DoD Standard for Media Sanitization (1 Pass/ 3 Pass)

DoD approved specs:

--  NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization
--  Certified erasure of all user data
   * All addressable sectors
   * All warehouse areas
--  DoD – 3 Pass (NIST Clear)
   1. Read drive info – begin
   2. Write all sectors with AAh (10101010b) * (1st write, 3-pass only)
   3. Erase * (3-pass only)
   4. Write all sectors with 55h (01010101b) * (2nd write, 3-pass only)
   5. Write all sectors with 00h
   6. Sample verify (read back a sample of sectors and compare with the final pattern)
   7. Read drive info – end
   8. Generate certificate file
--  Provided in SRMS proprietary web app
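The 1-pass / 3-pass flow above, together with the DoD 5220.22-M (E) and ECE pass sequences described earlier, as an added example. This is not the SRMS tool's code or any vendor's implementation: the "disk" is a constructed in-memory stand-in for an HDD's addressable sectors, the pass sequences, sector size and certificate fields are assumptions chosen for illustration, and a real tool would issue WRITE/READ commands per LBA over the drive interface.

```python
"""Multi-pass overwrite sanitization against an in-memory stand-in for an HDD.
Added example, not the SRMS tool or any vendor's code; all data is constructed."""
import hashlib
import json
import random

SECTOR_BYTES = 512
RANDOM = None  # marker for a pseudo-random pass in a pass sequence


class FakeDisk:
    """In-memory block device: `sectors` sectors of constructed pseudo-random data."""

    def __init__(self, sectors: int, seed: int = 7):
        self.sectors = sectors
        self.data = bytearray(random.Random(seed).randbytes(sectors * SECTOR_BYTES))

    def write(self, lba: int, buf: bytes) -> None:
        off = lba * SECTOR_BYTES
        self.data[off:off + SECTOR_BYTES] = buf

    def read(self, lba: int) -> bytes:
        off = lba * SECTOR_BYTES
        return bytes(self.data[off:off + SECTOR_BYTES])


class StuckSectorDisk(FakeDisk):
    """Constructed failure mode: one sector silently drops every write
    (why the page requires a fully functional HDD and a verify step)."""

    def __init__(self, sectors: int, stuck: int, seed: int = 7):
        super().__init__(sectors, seed)
        self.stuck = stuck

    def write(self, lba: int, buf: bytes) -> None:
        if lba != self.stuck:
            super().write(lba, buf)


def dod_e_passes(char: int = 0x55):
    """DoD 5220.22-M method (E): a character, its complement, then a random pass."""
    return [bytes([char]), bytes([char ^ 0xFF]), RANDOM]


PAGE_1PASS = [b"\x00"]                      # the page's 1-pass flow: 00h only
PAGE_3PASS = [b"\xAA", b"\x55", b"\x00"]    # the page's 3-pass flow: AAh, 55h, 00h
DOD_3PASS = dod_e_passes()                  # character, complement, random
DOD_ECE_7PASS = dod_e_passes() + [RANDOM] + dod_e_passes()  # E + C + E = 7 passes


def expected_sector(pattern, lba: int, pass_no: int, seed: int) -> bytes:
    """What a pass should have left in `lba`. Random passes are regenerated from a
    per-(seed, pass, lba) PRNG so read-back verification has something to compare."""
    if pattern is RANDOM:
        return random.Random(seed * 1_000_003 + pass_no * 65_537 + lba).randbytes(SECTOR_BYTES)
    return pattern * SECTOR_BYTES


def overwrite_pass(disk: FakeDisk, pattern, pass_no: int, seed: int) -> None:
    for lba in range(disk.sectors):
        disk.write(lba, expected_sector(pattern, lba, pass_no, seed))


def verify_pass(disk: FakeDisk, pattern, pass_no: int, seed: int, sample=None):
    """Read back and compare. sample=None checks every sector; an integer checks
    that many randomly chosen LBAs. Returns the LBAs that do not match."""
    lbas = range(disk.sectors)
    if sample is not None:
        lbas = random.Random(seed).sample(range(disk.sectors), min(sample, disk.sectors))
    return [lba for lba in lbas if disk.read(lba) != expected_sector(pattern, lba, pass_no, seed)]


def sanitize(disk: FakeDisk, passes, seed: int = 1, sample: int = 16) -> dict:
    """Run the pass sequence with a full verify after each pass and a final sample
    verify; return a certificate-style record (the page's flow writes this to a file)."""
    log = []
    for n, pattern in enumerate(passes, start=1):
        overwrite_pass(disk, pattern, n, seed)
        log.append({
            "pass": n,
            "pattern": "random" if pattern is RANDOM else pattern.hex(),
            "bad_sectors": verify_pass(disk, pattern, n, seed),
        })
    sample_bad = verify_pass(disk, passes[-1], len(passes), seed, sample=sample)
    clean = not sample_bad and all(not p["bad_sectors"] for p in log)
    return {
        "sectors": disk.sectors,
        "passes": log,
        "sample_verify_failures": sample_bad,
        "final_image_sha256": hashlib.sha256(disk.data).hexdigest(),
        "result": "PASS" if clean else "FAIL",
    }


if __name__ == "__main__":
    disk = FakeDisk(sectors=64)
    disk.write(5, b"SSN:123-45-6789".ljust(SECTOR_BYTES, b"\x00"))  # constructed "user data"
    print(json.dumps(sanitize(disk, PAGE_3PASS), indent=1))
    print(json.dumps(sanitize(StuckSectorDisk(sectors=32, stuck=9), DOD_ECE_7PASS), indent=1))
```

Two points the example makes that the step list does not: a pass is only complete once it has been read back, so a sector that silently drops writes turns the certificate into a FAIL instead of a false PASS; and the random pass must be reproducible (here from a per-sector seed) or it cannot be verified at all. Everything here is NIST "Clear": it addresses only the LBAs the host can see. On SSDs the remapped and over-provisioned blocks are out of reach of any overwrite, so the drive's own ATA Secure Erase / Sanitize or a cryptographic erase is the appropriate tool.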


--  HDD must be fully functional; no HDD repair is performed
   * May be combined with NORS standard Test or Repair packages
--  Does not support dual-drive HDDs (WD "Black2" HDDs)
--  Supports 3.5" form factor in native configuration; 2.5" HDDs require an adaptor