To safeguard client data and your business reputation, know this key data destruction standard.
What data destruction method is right for your business? To answer that question, you need to understand what the most important data destruction standard entails.
With so many overlapping terms and ways to define different processes, the topic can be hard to navigate. Here’s a quick guide.
In recent years, the National Institute of Standards and Technology’s (NIST) 800-88 has emerged as the leading standard for data erasure compliance. While the U.S. Department of Defense used to reference DoD 5220.22, the department now cites the NIST 800-88 media erasure guidelines (also known as NIST SP 800-88). In other words, to understand data destruction standards, you have to understand the key features of NIST 800-88.
So, what media falls under the NIST 800-88 data destruction standard?
Interestingly, the guidelines are not designed to be technology-specific. Rather, they apply universally to various media types, including those yet to be invented.
However, if you’re in possession of any of the following, you may, depending on your industry, need to comply with the NIST data destruction standard:
- Hard copy (paper) storage
- Networking devices
- Mobile devices
- Special equipment
- Magnetic media
- Peripherally attached storage
- Optical media
- Flash-memory-based storage devices
- RAM-and-ROM-based storage devices
The three data destruction categories defined
Before we dive into more details, note that NIST 800-88 divides data sanitization into three categories: Clear, Purge, and Destroy. By data sanitization, we mean — to borrow the data destruction standard’s own definition — “a process that renders access to target data on the media infeasible for a given level of effort.”
To find the best overview of each category, we turn to our partner Blancco. The international data security company aims to accelerate the move toward a circular economy by providing solutions like the Blancco Drive Eraser software and hardware that we leverage here at GER. Blancco is, in fact, the most certified erasure software. And NIST is indeed one of the 15+ governing bodies and leading organizations that approve and recommend it.
So, let’s get to it:
- Clear applies logical techniques to sanitize data in all user-addressable storage locations. This protects against simple, non-invasive data recovery techniques and provides a moderate level of data protection.
- Purge applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. Purge provides a more thorough level of sanitization than Clear and is used for more confidential data.
- Destroy renders target data recovery infeasible using state-of-the-art laboratory techniques. It also renders the media incapable of storing data afterward. “Destroy” can include shredding, incinerating, pulverizing, melting, and other physical techniques. These can be necessary for drives that are already beyond all possible use or standard overwriting methods because of physical damage.
In regard to Destroy, please note: Because “Destroy” renders media unusable, physical destruction takes a toll on natural resources. Not only does it contribute to environmental waste, it also shortens the lifespan of information technology storage devices. These devices can often be used by other departments within the original organization, or even donated or sold to organizations with less stringent performance needs. That’s why we recommend only selecting Destroy when no other option remains.
For any device to be considered sanitized in accordance with NIST 800-88, you need documented erasure validation. The document should include:
- Device serial number
- Method of destruction
- Date of destruction
- Name of supervising party
- Verification of sanitization results
- Validation of all of the above
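One way to check a batch of erasure records against the list above before accepting it, shown as an added example that is not code from this article, NIST, or Blancco. The CSV column names, the `pass` result value, and modelling "validation of all of the above" as a `validated_by` sign-off column are assumptions made for the example.

```python
import csv
import io
from datetime import date

# Column names are assumptions for this example; the fields mirror the article's list.
REQUIRED = ("serial_number", "method", "date", "supervisor",
            "verification_result", "validated_by")
METHODS = {"clear", "purge", "destroy"}  # the three categories named in the article

# Constructed sample export (not real data).
SAMPLE = """serial_number,method,date,supervisor,verification_result,validated_by
SN-EXAMPLE-001,Purge,2024-03-02,A. Auditor,pass,B. Reviewer
SN-EXAMPLE-002,Wipe,2024-03-02,A. Auditor,pass,B. Reviewer
SN-EXAMPLE-003,Clear,2024-03-05,,fail,B. Reviewer
SN-EXAMPLE-001,Destroy,2999-01-01,A. Auditor,pass,
"""

def audit(csv_text, today=None):
    """Return {csv_line_number: [problems]} for records that fail the check."""
    today = today or date.today()
    findings, seen = {}, set()
    # The header is line 1, so data rows start at line 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        rec = {k: (row.get(k) or "").strip() for k in REQUIRED}
        problems = [f"missing {k}" for k in REQUIRED if not rec[k]]
        if rec["method"] and rec["method"].lower() not in METHODS:
            problems.append(f"unknown method {rec['method']!r}")
        if rec["date"]:
            try:
                if date.fromisoformat(rec["date"]) > today:
                    problems.append("date is in the future")
            except ValueError:
                problems.append("date is not ISO formatted")
        if rec["verification_result"] and rec["verification_result"].lower() != "pass":
            problems.append("verification did not pass")
        # A serial that appears twice means one device has conflicting records.
        if rec["serial_number"] in seen:
            problems.append("duplicate serial number")
        if rec["serial_number"]:
            seen.add(rec["serial_number"])
        if problems:
            findings[n] = problems
    return findings

if __name__ == "__main__":
    for line_no, problems in audit(SAMPLE).items():
        print(f"line {line_no}: " + "; ".join(problems))
```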
Ultimately, the nature of your data and your business determine which data destruction method is right for you. Can we help answer any questions? Don’t hesitate to reach out.