The previous chapter outlined the building blocks of a data destruction policy, focusing on the components your organization needs to consider when drafting one. Among these components, effective execution of data destruction procedures is crucial to protecting data privacy and attaining compliance. In other words, organizations can achieve favorable outcomes by following globally accepted standards for data destruction.
Data destruction standards have also gained prominence across industries and sectors such as banking, financial services and insurance, healthcare, defense, and e-commerce. They help organizations attain compliance with the sectoral regulations and data security standards outlined below:
1. Banking & Finance Industry
There are standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule, the Bank Secrecy Act, the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act (SOX). All of these regulations require organizations to destroy data in accordance with defined standards and outcomes.
2. Healthcare Industry
There are specific regulations to safeguard the privacy of Protected Health Information (PHI). In the US, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects PHI by obligating all covered entities and business associates to protect patients’ health-related data. It directs the entities concerned to exercise greater discretion when disposing of information such as Social Security numbers, driver’s license numbers, and diagnosis and treatment information.
3. Defense Departments & Service Branches
Various defense and security services such as the United States Army, Navy, Air Force, and NSA have followed specialized data destruction standards for decades. Some of these standards include US DoD 5220.22-M, Air Force System Security Instruction 5020, and NSA 130-1. However, since the advent of modern storage media such as solid-state drives and hybrid drives, the defense departments have transitioned to prominent media sanitization guidelines such as NIST SP 800-88.
Data Destruction Standards
Over the previous decades, several data destruction (also known as media sanitization) guidelines have emerged alongside the prevalence of electronic data. These guidelines define standardized implementation methods for physical and logical data destruction techniques such as shredding, incineration, degaussing, and data erasure. Refer to Chapter 3 to understand the various data destruction methods and techniques.
This chapter of our knowledge series provides comprehensive insights into the leading data destruction guidelines and standards, as follows:
1. NIST SP 800-88
NIST SP 800-88[1], first published in 2006, is one of the most well-known and widely followed media sanitization guidelines in the world today. Its first revision, released in 2014, defines three methods of media sanitization to attain data destruction, namely Clear, Purge, and Destroy. These methods can effectively destroy data stored on magnetic, flash, and optical media, and span devices such as hard drives, SSDs, mobile devices, diskettes, memory cards, tapes, point-of-sale devices, networking devices, IoT devices, and printers.
- NIST Clear: The Clear method overwrites the existing information in all user-addressable memory locations on the media using standard Read/Write commands. It replaces the existing data with a new value so that it is destroyed and protected against non-invasive data recovery techniques. Where overwriting is not possible, a factory reset of the device is also considered a Clear method.
- NIST Purge: The Purge method employs techniques such as overwriting, block erase, and cryptographic erase that use specific commands and media-specific mechanisms for data destruction. Block erase is used to sanitize solid-state drives through vendor-unique commands that raise the voltage on the memory blocks and then drop it to zero, erasing the data electrically. Cryptographic erase wipes the Media Encryption Key (MEK) of self-encrypting drives (SEDs), leaving the stored data as ciphertext, i.e., encrypted information that is unreadable without the decryption key.
- NIST Destroy: This method employs techniques such as shredding, disintegration, melting, and incineration to destroy the storage media physically, permanently destroying the underlying data as a result.
Suggested reading: Use of NIST 800-88 Standard for Drive Erasure
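To make the cryptographic erase variant of NIST Purge concrete, the following Python model is an added example written for this chapter; it is not code from the original text, from NIST, or from any drive vendor. The ToySelfEncryptingDrive class is a construction for this example: its "cipher" is a SHA-256 keystream XORed with the data, which is enough to show the relationship between the Media Encryption Key and the stored ciphertext but is not a real drive cipher. The sample record written to it is constructed test data.

```python
import hashlib
import os


class ToySelfEncryptingDrive:
    """Toy model of a self-encrypting drive (SED), built for this illustration.

    The Media Encryption Key (MEK) lives only inside the drive. Every byte that
    reaches the storage medium ('platter') is ciphertext under the MEK, and reads
    decrypt transparently. The cipher is a keystream of SHA-256(MEK || block index)
    XORed with the data: adequate to show the key/data relationship, NOT a real
    drive cipher.
    """

    BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks

    def __init__(self, size: int) -> None:
        self.size = size
        self._mek = os.urandom(32)      # generated inside the drive, never exported
        self.platter = bytearray(size)  # what a chip-off image of the medium would contain

    def _keystream(self, start: int, length: int) -> bytes:
        """Keystream bytes covering medium positions [start, start + length)."""
        first, last = start // self.BLOCK, (start + length - 1) // self.BLOCK
        stream = b"".join(
            hashlib.sha256(self._mek + i.to_bytes(8, "big")).digest()
            for i in range(first, last + 1)
        )
        offset = start - first * self.BLOCK
        return stream[offset:offset + length]

    def write(self, offset: int, plaintext: bytes) -> None:
        """Host write: plaintext in, ciphertext onto the medium."""
        ks = self._keystream(offset, len(plaintext))
        self.platter[offset:offset + len(plaintext)] = bytes(a ^ b for a, b in zip(plaintext, ks))

    def read(self, offset: int, length: int) -> bytes:
        """Host read: ciphertext off the medium, decrypted with the current MEK."""
        ks = self._keystream(offset, length)
        return bytes(a ^ b for a, b in zip(self.platter[offset:offset + length], ks))

    def cryptographic_erase(self) -> None:
        """Purge by cryptographic erase: replace the MEK with a fresh key.
        The ciphertext on the medium is left untouched; only the key is destroyed."""
        self._mek = os.urandom(32)


def verify_erased(drive: ToySelfEncryptingDrive, offset: int, known_plaintext: bytes) -> bool:
    """Post-sanitization check: read the region back through the drive and inspect a raw
    image of the medium, confirming the known content is recoverable from neither."""
    through_drive = drive.read(offset, len(known_plaintext))
    return known_plaintext not in through_drive and known_plaintext not in bytes(drive.platter)


if __name__ == "__main__":
    drive = ToySelfEncryptingDrive(4096)
    record = b"Constructed sample PHI: patient 0001, diagnosis J45.9"  # constructed test data
    drive.write(512, record)
    print("read back before erase matches:", drive.read(512, len(record)) == record)
    print("plaintext visible in raw image:", record in bytes(drive.platter))
    image_before = bytes(drive.platter)
    drive.cryptographic_erase()
    print("raw image changed by erase:", bytes(drive.platter) != image_before)
    print("content recoverable after erase:", not verify_erased(drive, 512, record))
```

The model makes two points that the prose compresses: the medium holds ciphertext before the erase as well as after, so the erase itself writes nothing to the platter; and the outcome depends entirely on the old key being unrecoverable, which is why a read-back check such as verify_erased belongs in the sanitization record alongside the command that was issued.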
NIST SP 800-88 Media Sanitization Matrix

| Storage Media | Clear | Purge | Destroy |
|---|---|---|---|
| Paper and microforms | NA | NA | Shred using cross-cut shredders |
| Copier, printer, fax machine | Device reset | Use hardware- or firmware-specific techniques such as rewriting, block erasure, or cryptographic erasure | Use standard physical destruction methods[2]: shred, disintegrate, pulverize, incinerate |
| Routers and switches | Full factory reset as per OEM settings | NA | Use standard physical destruction methods |
| Floppies | Overwrite and verify | Degauss | Incinerate |
| Magnetic disks | Overwrite and verify | Degauss | Incinerate |
| Reel and cassette format magnetic tapes | Re-record (overwrite) | Degauss | Incinerate |
| ATA and SCSI hard disk drives (also applicable to local external HDDs) | Overwrite and verify | Use any of: Overwrite EXT command; Cryptographic Erase; SECURE ERASE command; Degauss | Use standard physical destruction methods |
| ATA solid state drives | Overwrite and verify, or ATA SECURITY ERASE UNIT command if supported | Block Erase; Cryptographic Erase through the TCG Opal SSC or Enterprise SSC interface | Use standard physical destruction methods |
| SCSI solid state drives | Overwrite and verify | SCSI SANITIZE command; Cryptographic Erase | Use standard physical destruction methods |
| NVM Express SSDs | Overwrite and verify | NVM Express Format command; Cryptographic Erase | Use standard physical destruction methods |
| Mobile devices (iOS® and Android® devices) | Erase all contents using Factory Reset, or Overwrite and verify | eMMC Secure Erase or Secure Trim command for factory reset, or Cryptographic Erase | Use standard physical destruction methods |
| USB removable media and memory cards | Overwrite and verify | Not supported | Use standard physical destruction methods |
| Embedded flash memory | Reset to original factory settings | Not supported | Use standard physical destruction methods |
| DRAM[3] | Not supported | Remove the DRAM from the device after switching off the power | Shred; disintegrate; pulverize |
| EAPROM[4] | Not supported | Full chip purge as per OEM datasheet | Shred; disintegrate; pulverize |
| EEPROM[5] | Overwrite and verify | Not supported | Use standard physical destruction methods |
| Optical media | Not supported | Not supported | Shred; disintegrate; incinerate |
2. DoD 5220.22-M
The DoD 5220.22-M standard or US DoD data wipe method is another widely followed data destruction standard. It was released by the U.S. Department of Defense (DoD) in the National Industrial Security Program Operating Manual (also known as NISPOM or Department of Defense document #5220.22-M).
It defines a set procedure for overwriting the data in all addressable memory locations with specific binary patterns: zeroes, ones, and a random bit pattern. The standard involves a three-pass overwriting process with verification after completing each pass, as follows:
Pass 1: Overwrites all addressable memory locations with binary zeroes
Pass 2: Overwrites all locations with binary ones
Pass 3: Overwrites all locations with a random bit pattern; the final overwrite pass is verified
In 2001, DoD published the DoD 5220.22-M ECE method, a 7-pass version of the original standard. It runs DoD 5220.22-M twice with an extra pass (the DoD 5220.22-M (C) standard) in between:
Pass 1: Overwrites with binary zeroes
Pass 2: Overwrites with binary ones
Pass 3: Overwrites with a random bit pattern
Passes 4 & 5: Same as Pass 1
Pass 6: Overwrites with binary ones
Pass 7: Overwrites with a random bit pattern; the final overwrite pass is verified
DoD 5220.22-M is favored for its efficiency and reliability in erasing hard disk drives. However, it is not recommended for destroying data stored on flash memory-based storage media because of their more complex data storage mechanism. Also, since 2019 the NISPOM guideline specifies NIST SP 800-88 as the main guideline for media sanitization.
Further reading: Use of the DoD 5220.22-M Standard for Drive Erasure
DoD 5220.22-M Clearing and Sanitization Matrix

| Storage Media | Clear | Sanitize |
|---|---|---|
| Magnetic tape | Degauss | Degauss or destroy[6] |
| Magnetic disk | Degauss or overwrite | Degauss, destroy, or overwrite |
| Optical disk | Overwrite[7] | Destroy |
| DRAM | Overwrite or remove all power | Overwrite, remove all power, or destroy |
| EAPROM/EEPROM | Full chip erase[8] | Overwrite or destroy |
| Flash EPROM | Full chip erase | Overwrite then full chip erase, or destroy |
| Programmable ROM (PROM) | Overwrite | Destroy |
| Nonvolatile RAM (NOVRAM) | Overwrite or remove all power | Overwrite, remove all power, or destroy |

Source: DoD 5220.22-M Clearing and Sanitization Matrix
3. HMG Infosec Standard 5
HMG IS5 is the British Government’s data destruction standard and part of the IT security guidelines defined by the National Cyber Security Centre (NCSC). Originally in NCSC ASSURED SERVICE CAS SERVICE REQUIREMENT SANITISATION version 2.1, HMG IS5 v5.0 mandates “companies to sanitize media in line with the new Classification Scheme.”
It is based on overwriting the storage media three times with binary patterns, namely zeros, ones, and a random character. However, it verifies the overwriting only after the third pass is completed. There are two variants of the HMG IS5 standard, Baseline and Enhanced, as follows:
HMG IS5 “Baseline” Standard
Pass 1: Overwrites with zeros and verifies the overwrite pass
HMG IS5 “Enhanced” Standard
Pass 1: Overwrites with zeros
Pass 2: Overwrites with ones and verifies the overwrite pass
4. RCMP TSSIT OPS-II
The Royal Canadian Mounted Police Technical Security Standard for Information Technology (RCMP TSSIT) lays down the administrative, technical, and procedural precautions for implementing the requirements of the "Security Policy of the Government of Canada" (GSP).
Appendix OPS-II of RCMP TSSIT defines the following media sanitization guidelines for the different types of storage media:
- Removable magnetic media: tapes, cartridges, and disks should be sanitized by passing them through an approved bulk eraser or tape degausser.
- Non-removable magnetic media: disks and disk packs should be overwritten with alternating patterns of binary 1s and 0s through six passes, followed by a random character in the seventh pass and verification.
- Magnetic memory: magnetic core memory should be overwritten 1000 times with alternating patterns of 0s and 1s. EPROMs should be physically destroyed unless they are reused within the same environment.
- Optical media: disks and CD-ROMs must be physically destroyed.
Other Global Data Destruction Standards
Aside from the widely accepted standards above, several more standards are outlined in the table below:
| Standard | Origin | Description | Passes |
|---|---|---|---|
| Schneier Method | Bruce Schneier, American cryptographer and computer security expert | The Schneier method uses multiple passes of zeros, ones, and random characters to overwrite and destroy the data. | Total 7 passes. Pass 1: writes a 1; Pass 2: writes a 0; Passes 3–7: write random characters |
| NCSC-TG-025 | US National Security Agency | The NCSC-TG-025 method uses zeros and a random character for overwriting the storage media. It verifies the overwrite process after every pass. | Total 3 passes. Pass 1: writes a 0 and verifies; Pass 2: writes a 1 and verifies; Pass 3: writes a random character and verifies |
| NAVSO P-5239-26 | US Navy | The NAVSO P-5239-26 method for data destruction involves overwriting the storage media with a specified character, its complement, and a random character. It verifies the overwriting after all the passes are completed. | Total 3 passes. Pass 1: writes a specified character, such as 0; Pass 2: writes the complement of the specified character, such as 1; Pass 3: writes a random character and verifies |
| Pfitzner Method | Roy Pfitzner | The standard Pfitzner method overwrites the storage media with 33 passes of a random character. However, some modifications of the method use a smaller number of passes. | Total 33 passes. Passes 1–33: write a random character |
| AFSSI-5020 | US Air Force | The AFSSI-5020 method overwrites the media using ones, zeros, and a random character and verifies the process after all the passes are over. | Total 3 passes. Pass 1: writes a 0; Pass 2: writes a 1; Pass 3: writes a random character and verifies |
| AR 380-19 | US Army | The AR 380-19 method also involves a three-pass overwriting process. However, it overwrites the media using a random character, a specified character (such as 1), and its complement. It verifies the process after all the passes are completed. | Total 3 passes. Pass 1: writes a random character; Pass 2: writes a specified character; Pass 3: writes the complement of the specified character and verifies |
| VSITR Method | Germany | The VSITR method uses a combination of zeros, ones, and a random character to overwrite the storage media through several passes. VSITR does not perform verification. | Total 7 passes. Passes 1, 3, 5: write a 0; Passes 2, 4, 6: write a 1; Pass 7: writes a random character |
| GOST R 50739-95 | Russia | The GOST R 50739-95 method is more straightforward than the other methods outlined so far. It uses either a single pass or two passes to overwrite the media, using a zero, or a zero and a random character. GOST R 50739-95 does not perform verification. | Total 1 or 2 passes. Version 1: Pass 1 writes a 0, Pass 2 writes a random character. Version 2: Pass 1 writes a random character |
| Peter Gutmann Method | Peter Gutmann, computer scientist, New Zealand | The Peter Gutmann method uses an intricate overwriting pattern for data destruction. It can perform up to 35 passes of random characters and complex patterns for overwriting. | Total 35 passes. Passes 1–4 and 32–35: random characters; Passes 5–31: random patterns |
| CSEC ITSG-06 | Canada | The CSEC ITSG-06 method uses ones or zeroes, a complement, and a random character to overwrite the data. The method verifies the process after all the passes are completed. | Total 3 passes. Pass 1: writes a 1 or 0; Pass 2: writes the complement; Pass 3: writes a random character and verifies |
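The pass schedules described for DoD 5220.22-M, HMG IS5, RCMP TSSIT OPS-II and the standards in the table above differ mainly in pass count, pattern and where verification happens. The following Python script is an added example written for this chapter (it is not part of the original text or of any erasure tool): it transcribes several of those schedules from the descriptions above and runs them against a toy block device that contains one sector which silently ignores writes, showing that only a schedule with a verification pass reports the failure. The ToyMedium class, the Pass and Report types, the SCHEDULES table and the stuck-sector behaviour are all constructions for this example.

```python
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SECTOR = 512


class ToyMedium:
    """Toy block device standing in for a real drive.

    Sectors listed in `stuck` accept the write command but keep their old contents,
    mimicking a sector whose overwrite silently failed. Only a read-back
    (verification) pass can notice such a sector.
    """

    def __init__(self, sectors: int, stuck: Iterable[int] = ()) -> None:
        self.sectors = sectors
        self.stuck = set(stuck)
        self.buf = bytearray(os.urandom(sectors * SECTOR))  # pre-existing 'user data'

    def write(self, lba: int, data: bytes) -> None:
        if lba not in self.stuck:
            self.buf[lba * SECTOR:(lba + 1) * SECTOR] = data

    def read(self, lba: int) -> bytes:
        return bytes(self.buf[lba * SECTOR:(lba + 1) * SECTOR])


@dataclass(frozen=True)
class Pass:
    pattern: Optional[int]  # fixed byte value (0x00 = zeros, 0xFF = ones), None = random
    verify: bool = False    # read back and compare after this pass


ZERO, ONE, RANDOM = 0x00, 0xFF, None

# Pass schedules transcribed from the standards described in this chapter.
SCHEDULES: Dict[str, List[Pass]] = {
    "DoD 5220.22-M": [Pass(ZERO), Pass(ONE), Pass(RANDOM, verify=True)],
    "DoD 5220.22-M ECE": [Pass(ZERO), Pass(ONE), Pass(RANDOM),   # first DoD run
                          Pass(ZERO), Pass(ZERO),                 # passes 4 & 5: same as pass 1
                          Pass(ONE), Pass(RANDOM, verify=True)],  # second run, final pass verified
    "HMG IS5 Baseline": [Pass(ZERO, verify=True)],
    "HMG IS5 Enhanced": [Pass(ZERO), Pass(ONE, verify=True)],
    "RCMP TSSIT OPS-II": [Pass(ONE), Pass(ZERO)] * 3 + [Pass(RANDOM, verify=True)],
    "NCSC-TG-025": [Pass(ZERO, verify=True), Pass(ONE, verify=True), Pass(RANDOM, verify=True)],
    "VSITR": [Pass(ZERO), Pass(ONE)] * 3 + [Pass(RANDOM)],        # no verification at all
    "Schneier": [Pass(ONE), Pass(ZERO)] + [Pass(RANDOM)] * 5,
}


@dataclass
class Report:
    standard: str
    passes_run: int
    verified_passes: int
    failed_lbas: List[int]

    @property
    def sanitized(self) -> bool:
        """Only a schedule that verified something can vouch for the result."""
        return self.verified_passes > 0 and not self.failed_lbas


def run_schedule(dev: ToyMedium, standard: str, rng=os.urandom) -> Report:
    """Write every pass of `standard` across all addressable sectors, verifying where
    the schedule says so, and report every sector that failed a verification."""
    failed: Set[int] = set()
    verified = 0
    schedule = SCHEDULES[standard]
    for p in schedule:
        written: List[bytes] = []
        for lba in range(dev.sectors):
            data = rng(SECTOR) if p.pattern is None else bytes([p.pattern]) * SECTOR
            dev.write(lba, data)
            written.append(data)
        if p.verify:
            verified += 1
            failed.update(lba for lba, data in enumerate(written) if dev.read(lba) != data)
    return Report(standard, len(schedule), verified, sorted(failed))


if __name__ == "__main__":
    for name in ("DoD 5220.22-M", "VSITR", "HMG IS5 Baseline"):
        report = run_schedule(ToyMedium(64, stuck={17}), name)
        print(f"{name}: passes={report.passes_run} failed_sectors={report.failed_lbas} "
              f"sanitized={report.sanitized}")
```

Run against the same faulty medium, the seven unverified VSITR passes report nothing while the single verified HMG IS5 Baseline pass flags sector 17, which is the practical argument for treating verification, not pass count, as the property to look for in a schedule. The toy also shows the limit of any overwrite method: it can only reach addressable sectors, which is why the NIST matrix above lists overwriting under Clear and reserves Purge for media-specific commands such as SECURE ERASE, SANITIZE and cryptographic erase.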
Choosing a Data Destruction Standard: Key Considerations
There are numerous data destruction standards, and choosing one for your organization can be daunting considering their specifications, media sanitization scope, acceptance and prevalence, etc. You may be tempted to compare these standards on parameters like the number of passes, characters used, and overwriting techniques to determine suitability, or to adopt more than one standard to maximize effectiveness and scope based on your company’s needs. However, these approaches might not lead to an optimal choice and can increase operational complexity and effort, given factors like overlaps in the overwriting passes and implementation methods. The key considerations for shortlisting a data destruction standard should be the following parameters:
1. Media sanitization scope: the types of storage media that can be sanitized using the standard. A broader scope allows comprehensive application and is therefore considered better. For example, NIST SP 800-88 covers virtually all types of storage media, ranging from paper, film, reel, tape, diskette, hard disk drive, and networking devices to SSD, volatile memory, smartphones, and embedded storage.
2. Efficiency & effectiveness: how quickly the standard allows overwriting the storage media for permanent data destruction. The efficiency of a data destruction standard is directly related to the number of overwriting passes and verifications, but it can also depend on the tool or method used to execute the passes. For example, the NIST SP 800-88 Clear and Purge methods can be implemented in a single pass using an overwriting software tool or read/write commands. In contrast, DoD 5220.22-M includes 3–7 passes, and the Pfitzner method involves 33 passes!
3. Acceptance & prevalence: general adoption and use of a standard to meet the regulatory norms for data protection. Higher adoption of a standard can imply that it meets the requirements of most entities and is compliant with the applicable global, local, and sectoral laws. For example, the NIST SP 800-88 Guidelines for Media Sanitization is the standard most preferred by the US federal government. It can also meet the requirements of the “right to erasure” or “right to be forgotten” provisions in GDPR and the “right to delete” provision in CCPA.
Conclusion
Effective implementation of a data destruction policy requires systematic execution of the various methods that constitute its core. To this end, data destruction standards provide the necessary guidance and technical procedures to sanitize data storage media. They also play a crucial role in aligning the outcomes with the globally accepted norms for compliance with data protection regulations. This chapter shared insights on a vast number of data destruction guidelines and standards, including prominent ones such as NIST SP 800-88, DoD 5220.22-M, HMG IS5, and RCMP TSSIT. A key takeaway for organizations adopting a data destruction standard is to assess the specifics, such as the number of overwriting passes, the verification method, and global acceptance in the context of regulations such as GDPR. In recent years, NIST SP 800-88 has emerged as one of the leading data destruction standards considering its broad media sanitization scope, up-to-date guidelines, and widespread industrial adoption.
After you adopt a standard and roll out your policy implementation, we advise considering data destruction best practices to derive the best outcomes. Please read the next chapter of our knowledge series to get insights into the best practices for effective and consistent data destruction.
[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
[2] Standard physical destruction methods include shredding, disintegration, pulverization, and incineration.
[3] DRAM: Dynamic Random Access Memory
[4] EAPROM: Electronically Alterable PROM
[5] EEPROM: Electronically Erasable PROM
[6] Disintegrate, incinerate, pulverize, shred, or melt.
[7] Overwrite all addressable locations with a single character, or with a single character, its complement, and a random character, and verify.
[8] Full chip erase as per the manufacturer’s datasheets.