NIST experts craft data removal handbook

If you follow instructions from the National Institute of Standards and Technology, you can rest assured that sensitive data you delete from obsolete computer hard drives and optical disks will not be recovered.

Wonder no longer about how to remove sensitive data from the hard drives and optical disks you are about to toss. The National Institute of Standards and Technology has issued a set of draft guidelines on how to safely remove information from obsolete forms of storage.

Matthew Scholl, Richard Kissel, Steven Skolochenko and Xing Li of the NIST Information Technology Laboratory authored Special Publication 800-88, "Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology," which was sponsored by the Homeland Security Department.

"When storage media are transferred, become obsolete or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical or electrical representation of data that has been deleted is not easily recoverable," the guidelines stated.

Although the publication summarizes the ways to remove data, it emphasizes that a proper disposal methodology should be based not on the type of storage being disposed of, but on the confidentiality of the material the medium contains.

The authors conclude that there are three general approaches to excising data from various storage technologies:

Clearing: This approach usually involves overwriting the data with new random data or, in the case of electronic devices, deleting existing information and performing a manufacturer's hard reset (if one exists).

Purging: This approach involves "degaussing" the medium, that is, generating a magnetic field to neutralize the magnetically encoded information. The report notes that the new Serial ATA hard disk drives have a firmware-based Secure Erase command that can purge information to the same degree of unrecoverability.

Destroying: The form of destruction depends on the type of media being used. Shredding could work for paper, while pulverization, melting and incineration (tasks usually outsourced) would be more appropriate for hard disks or optical disks. Sanding off the physical recording surface is another option.

The report also shows how to apply these approaches to various technologies such as personal digital assistants, routers, copy machines, hard drives and floppy disks.

NIST also urged organizations to establish enterprise governance procedures for erasing material from old technologies.

"Ultimately, the head of the organization is responsible for ensuring that adequate resources are applied to the program and for ensuring program success," the report noted. "Senior management is responsible for ensuring that the resources are allocated to correctly identify types and locations of information and to ensure that resources are allocated to properly sanitize the information."

Joab Jackson is a senior writer for Washington Technology's sister publication, Government Computer News.