Asset Disposal and Information Security Alliance (ADISA) has developed the ICT Recovery Standard for ensuring the secure handling of IT assets by ITAD companies. Data sanitization is a critical aspect of the standard and is explained in Module 4 of Section 3. ADISA defines the crucial controls and the criteria that an applicant ITAD company needs to adhere to in order to get ADISA ICT recovery certification.
Part 2, Criteria of the ICT Asset Recovery Standard, goes in depth about essential requirements and the process of becoming an ADISA-certified ITAD company. Under Part 2, Modules 3 and 4 of Section 3 elaborate on Processing Facility Capability Reporting and Data Sanitisation criteria. The significant components include:
- Module 3, Section 3, Processing Facility Capability – Reporting focuses on ensuring the ITAD service provider maintains a facility that is equipped with security measures and operational practices to process and wipe IT assets. The provider must possess a robust infrastructure to handle the asset recovery process. It is essential for the ITAD companies to provide:
- Detailed audit reports to the customer, covering the make, model, and serial number of each device and proof of end-point sanitisation. The end-point sanitisation details should include an inventory of the IT assets and the means of sanitisation used. (Section 3.3.58)
- Copies of the documents covering the chain of custody and transfer from collection to delivery. The ITAD company must establish systems to monitor and track the movement and status of the assets. (Section 3.3.59)
- Certificates of destruction and other waste compliance reports. (Section 3.3.60)
The above forms part of the essential criteria that ITAD companies must comply with. The following is one of the highly desirable (rather than essential) criteria that ADISA sets for an ITAD seeking certification:
- Provide detailed audit reports, including serial numbers of disk drives and software overwriting reports or reference numbers, in the absence of written specifications by a customer. (Section 3.3.61)
- Module 4, Section 3 – Data Sanitisation explains the tools and methods for data sanitisation. It sets out the criteria against which the functioning of sanitisation tools is assessed, covering software overwriting, shredding, degaussing, quality control, and verification. For businesses applying for ADISA certification, it is essential to:
- Have all the sanitisation tools meet the sanitisation requirements decided by ADISA, and get them identified, verified, and published by ADISA in their Data Capability Statement. (Section 3.4.1) Read more about the Data Capability Statement in ICT Asset Recovery Standard 8.0 by ADISA for ITADs.
- Have each IT asset containing data undergo a data sanitisation process irrespective of getting assurance of data destruction by the customer. (Section 3.4.2)
- Have failed IT assets removed from the parent device, tracked with a Unique Identifier (UID), followed by a physical destruction process carried out at the premises of the applicant within a controlled environment that is documented throughout. (Section 3.4.3)
- Get confirmation regarding the reuse or destruction process post sanitisation, from the data controller. (Section 3.4.4)
Software Overwriting refers to writing strings of data over media to render the existing data irrecoverable. The frequency and pattern of overwriting will depend on the standard. This segment explains the criteria used to assess sanitisation tools in an ITAD facility. It is essential that:
- Software tools are configured in a documented and known configuration, which is checked on a monthly basis; the check should be documented by people not involved in the use of the software. The following controls should be included in the configuration (Section 3.4.5):
- Identification of HPA and DCO.
- Tolerance for remapped sectors.
- Options for controlling verification.
- Options for dealing with specific overwriting algorithms.
- Options for determining the frequency of overwriting.
- Documented means of checking for and receiving updates from software vendors.
Shredding involves presenting media to a specialist machine that has blades/teeth and screens with an aperture of an approved shred size. It is essential that:
- Shredders must be manufactured for use on the media concerned, and must have a user training programme and a maintenance schedule that includes periodic assessment of the screen aperture. (Section 3.4.6)
- An independent verification of the maximum shred size of the particle has been performed on all the shredding machines. (Section 3.4.7)
- After each usage period, feeds or hoppers of the shredders are checked to ensure all the media has been shredded. Especially in the case of SSDs or flash memory-based media, it must be ensured that there are no intact NAND cells in the hoppers/feeds or the shred particulate. (Section 3.4.8)
In degaussing, a magnetic field is emitted to remove all the magnetic properties from the coating on magnetic tapes or hard disk drives. The criteria for this sanitisation method make it essential that:
- Degaussers have a user training programme, including a process for the removal of steel shielding material (except for the hard disk assembly) before degaussing, and a maintenance schedule. They should be calibrated, and in the absence of a specific written instruction from a customer, only NSA-approved degaussers should be used. Note that the use of degaussers is not approved by the National Cyber Security Centre (NCSC), which defers to the National Security Agency (NSA) for product approvals. (Section 3.4.9)
Other physical destruction methods have the objective of making the media non-functional. It is essential that:
- Destruction methods such as crushing, folding, or other physical destruction methods meet the minimum requirements set by the ADISA Data Capability Requirements. (Section 3.4.10)
It is essential for the applicant to conduct a Quality Control/Verification Check to confirm that sanitisation of the media has been successful. One example of a QC check is inspecting the media with a hex viewer to confirm that only the expected overwrite pattern remains. BitRaser Drive Verifier checks whether the target data has been completely sanitised, confirming the effectiveness of the data eraser, and its detailed reports serve as evidence of a successful or failed data sanitisation.
To verify successful shredding, the NSA list can be referred to. Other data sanitisation techniques can be assessed for compliance against the risk criteria DIAL Level 1, 2, and 3. (Sections 3.4.11 - 3.4.13)
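As an added illustration of the overwrite-tool controls listed under Section 3.4.5 (overwrite pattern, verification options, remapped-sector tolerance) and the hex-viewer QC check above, here is a small Python verifier written for this article; it is not part of ADISA's standard or of any BitRaser product. It runs over a constructed in-memory image, and the sector size, pattern and tolerance values are assumptions.

```python
import random

SECTOR_SIZE = 512  # logical sector size assumed for the constructed image


def build_expected(pattern, sector_size=SECTOR_SIZE):
    """Expand a repeating byte pattern (e.g. b"\x00" or b"\x55\xaa") to one full sector."""
    reps = sector_size // len(pattern) + 1
    return (pattern * reps)[:sector_size]


def verify_overwrite(image, pattern=b"\x00", sector_size=SECTOR_SIZE,
                     tolerance=0, sample=None, seed=0):
    """Compare every sector of a media image (or a deterministic random sample of
    `sample` sectors) against the expected overwrite pattern.

    Returns {"scanned": n, "failed": [sector numbers], "passed": bool}.
    `tolerance` is the number of non-conforming sectors still accepted, which is
    how a remapped-sector allowance would be expressed; 0 means every scanned
    sector must match."""
    if len(image) % sector_size:
        raise ValueError("image is not a whole number of sectors")
    total = len(image) // sector_size
    expected = build_expected(pattern, sector_size)
    sectors = list(range(total))
    if sample is not None and sample < total:
        sectors = sorted(random.Random(seed).sample(sectors, sample))
    failed = [s for s in sectors
              if image[s * sector_size:(s + 1) * sector_size] != expected]
    return {"scanned": len(sectors), "failed": failed,
            "passed": len(failed) <= tolerance}


def hex_row(image, sector, offset=0, width=16, sector_size=SECTOR_SIZE):
    """One hex-viewer style row (offset, hex bytes, printable ASCII) of a sector:
    the kind of evidence a QC check would attach for a failed sector."""
    start = sector * sector_size + offset
    chunk = image[start:start + width]
    hex_part = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08x}  {hex_part:<{width * 3 - 1}}  {ascii_part}"


# Constructed sample image: 64 zero-filled sectors with residual data left in
# two of them, standing in for sectors the wipe did not reach.
IMAGE = bytearray(64 * SECTOR_SIZE)
IMAGE[17 * SECTOR_SIZE:17 * SECTOR_SIZE + 13] = b"customer data"
IMAGE[40 * SECTOR_SIZE + 100:40 * SECTOR_SIZE + 104] = b"\xff" * 4
IMAGE = bytes(IMAGE)

if __name__ == "__main__":
    report = verify_overwrite(IMAGE)
    print(report["passed"], report["failed"])  # False [17, 40]
    for s in report["failed"]:
        print(hex_row(IMAGE, s))
```

A full scan is the strict check; the `sample` option mirrors the "options for controlling verification" in a tool's configuration, and a failed sector's hex row is what the QC reviewer would expect to see in the report.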
Conclusion
Getting certified with the ADISA ICT Asset Recovery Standard provides a sense of confidence to customers that the processing activities conducted by the ITAD companies are compliant. To perform sanitisation methods such as shredding, degaussing, and software overwriting on storage media, companies have to fulfill at least the minimum requirements set by ADISA. ITADs looking to get certified with ADISA can choose BitRaser Drive Eraser that wipes data permanently from drives, including HPA and DCO, and automatically generates detailed reports and certificates of destruction that help in audits. Further, BitRaser Mobile Eraser helps in wiping data from iOS and Android-based devices. ITADs can also take advantage of the BitRaser Hardware Diagnostics tool to obtain help with hardware components.