Data Sanitization

Threat Management

Protecting data goes beyond the storage and transfer of information. When you no longer need to keep data, how do you ensure that it is truly erased?

Before destroying any data, make sure that you understand any retention policies that apply to it. Once the information is permanently eradicated, there will be negative consequences if these guidelines were not followed.

Deleting data does not erase the material from the media. Re-imaging overwrites the operating system files and the file allocation table, but the old data is not really deleted. Only when the operating system needs more space and overwrites the old files is that data actually removed, so this is not a reliable method of deletion. Data sanitization is the purposeful, permanent deletion or destruction of data on its storage device. There are several methods to accomplish this.

Physical destruction is an obvious way to destroy data. This involves shredding the media or using a degausser. Degaussers expose the device to a magnetic field, which erases all data on hard disks. Physical destruction also means the device cannot be reissued, so this may not be the best solution.

Specialized software can be used to erase data on the storage device. The software writes random 0s and 1s to each sector and then validates that the process completed successfully.
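The difference between an ordinary delete and the overwrite-then-validate pass described above, as an added Python example that is not part of the original article. The disk image, its toy file table, the 512-byte sector size and the marker string are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SECTOR = 512                               # assumed sector size
MARKER = b"CONSTRUCTED-SECRET-ACCT-0001"   # constructed sample record

def build_image(path, sectors=64):
    """Constructed drive image: sector 0 is a toy file table, sector 1 holds data."""
    with open(path, "wb") as f:
        f.write(b"FILE report.txt @1".ljust(SECTOR, b"\0"))
        f.write(MARKER.ljust(SECTOR, b"\0"))
        f.write(b"\0" * SECTOR * (sectors - 2))

def quick_delete(path):
    with open(path, "r+b") as f:
        f.write(b"\0" * SECTOR)            # ordinary delete: clears the table entry only

def contains(path, needle):
    with open(path, "rb") as f:
        return needle in f.read()

def overwrite_and_verify(path):
    """Write random bytes to every sector, then read back and compare digests."""
    size = os.path.getsize(path)
    written, readback = hashlib.sha256(), hashlib.sha256()
    with open(path, "r+b", buffering=0) as f:
        for offset in range(0, size, SECTOR):
            chunk = os.urandom(min(SECTOR, size - offset))
            f.write(chunk)
            written.update(chunk)
        os.fsync(f.fileno())               # push the pass out of OS buffers
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(SECTOR), b""):
            readback.update(block)
    return written.digest() == readback.digest()

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        quick_delete(img)
        after_delete = contains(img, MARKER)   # data survives the delete
        verified = overwrite_and_verify(img)
        after_wipe = contains(img, MARKER)     # gone after the overwrite pass
    return after_delete, verified, after_wipe

if __name__ == "__main__":
    print(demo())
```

The image file stands in for a raw device; overwriting a single file inside a mounted file system does not give the same guarantee, because the file system decides where the new bytes land.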

The cryptographic erasure method erases the encryption key of a self-encrypting drive. The data remains on the media, but because the key has been removed, the encrypted data is impossible to decrypt.

Another way to protect data that does not need to be removed is data masking. This involves replacing sensitive information with fictitious data. It keeps the data in a usable format while protecting the original values. It cannot be reverse engineered by cyber crooks. Data masking is a required protection standard in many organizations, particularly those in the health care and payment card industries.

As assets reach the end of their useful life, data sanitization is necessary to ensure protection of critical and sensitive data and protect the organization.
