Industry Standards

 


   Data Privacy & Data Sanitization


☆ Governing regulations:
     --  Data/Information privacy includes the regulations required for companies to protect data
        * GDPR (General Data Protection Regulation) Since May2018, HIPAA (Health Information Privacy and
           Portability Act), GLBA (Gramm-leach-Bliley Act), CCPA (California Consumer Privacy Act) (1st January 2020)
        * The efficient and effective management of information from inception through disposition is the responsibility
           of all those who have handled the data
☆ Data Sanitization:
    All Organizations handling data are responsible for effectively sanitizing media as the potential is substantial for
    sensitive data to be collected and retained on the media
☆ Data Sanitization Standards:
    NIST 800-88, DoD 5220.22-M ECE, CESG CPA – Higher Level, HMG Infosec Standard 5, Higher Standard 

Why Wipe?
NIST Data sanitization regulatory standard

From NIST standard 800-88 r1 (document embedded in this slide) :
Page 24: It is still possible to recover data from a drilled hole, as the data is still accessible if recovered by advanced laboratory techniques 

Page 32.33 : Overwriting is identified as “Clear” in NIST spec without any risk or concern that the data can be identified / documented again 

Why Wipe?
DoD Data sanitization regulatory standard

From NISPOM DoD (document embedded in this slide) :
This document apply to all government organizations, DoD agencies, organizations, and contractors participating in the administration or performance of DoD SAPs
DoD 3 (3-Pass) 8-5-3: It is mandatary to overwrite three times to clean magnetic disks 

From DoD 5220.22 – M Clearing and Sanitization Matrix (supplement of DOD NISPOM):
Data Eradication Methods: Overwriting all areas (in each rewrite) with a single character is necessary 

DoD Data sanitization regulatory standard

From DoD 5220.22 – M (ECE) [supplement of DOD NISPOM] :
This method is an extended variant of the DoD 5220.22-M. This variant of the DoD Standard uses overwriting of the data for seven runs. Here the data is overwritten two times by using the DoD 5220.22-M (E) standard and one time with random value DoD 5220.22-M (C).

DoD 7 (7-Pass) :
--  Wiping : 

--  Verification : Read and verify entire surface with pseudo random pattern 2

Process Flow

DoD Standard for Media Sanitization (1 Pass/ 3 Pass)

DoD approved specs:

--  NIST SP800-88 Rev1 Guideline for Media Sanitization
--  Certified erasure of all user data
   * All addressable sectors
   * All warehouse areas
--  DoD – 3 Pass (NIST Clear)
   1. Read drive info – begin
   2. Write all (AAh) * (1st write, 1010’s for only 3 pass)
   3. Erase * (Only for 3 pass)
   4. Write all (55h) * (2nd write, 0101’s for only 3 pass)
   5. Write all (00h)
   6. Sample verify
   7. Read drive info – end
   8. Generate certificate file
--  Provided in SRMS proprietary web app

Constraints:

--  HDD must be fully functional and that no HDD repair will be performed
   * May combine with NORS standard Test or Repair Packages
--  Does not support dual-drive HDDs (WD ”Black2” HDDs)
--  Supports 3.5” form factor in native configuration. 2.5” HDDs require            adaptor