Everything You Need to Know About Secure Data Destruction
Feb 3rd 2021
The proper destruction of data protects every byte of data from compromise. It is a necessary step before the disposal of any electronic hardware, and as a result warrants regulation by authoritative entities. The benefits of Data Destruction apply to all parties, of every size, but only secure procedure, verified by industry standards, can guarantee total protection. Although a number of organizations can grant such certifications, all tend to draw from protocol outlined by the National Institute of Standards and Technology (NIST).
The NIST Special Publication 800-88 document, drafted originally in 2006 and revised in November of 2012, established a standard then adopted partially or wholly by all non-governmental certifications. The keystone principle of the NIST mandate includes a secondary verification of Data Destruction, performed by personnel uninvolved with the original sanitization and with validation software unrelated to the original developer. This measure samples a portion of the sanitized media that has been chosen at random to mitigate unseen bias.
How is Data Destroyed?
The methods used for sanitization may differ between the first and second verifications in order to provide a holistic erasure. These methods take the form of overwriting, a process of saving new data over preexisting data; degaussing, the magnetic purging of saved information; or physical destruction of the targeted hardware. Overwriting, while the most economical, cannot guarantee total erasure. Degaussing and physical destruction, while the most effective, render the hardware unusable and unfit for resale.
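The random-sample secondary verification described above, applied to overwritten media, as an added example that is not part of the original article or of any certification body's tooling. The in-memory image, the all-zero overwrite pattern, the 512-byte sector size and the 10% sample fraction are assumptions made for illustration.

```python
import io
import math
import random

SECTOR = 512
PATTERN = b"\x00" * SECTOR  # assumed overwrite pattern: one pass of zeros

def build_image(total_sectors, residual):
    """Constructed test media: overwritten everywhere except `residual` sectors."""
    img = bytearray(total_sectors * SECTOR)
    for s in residual:
        img[s * SECTOR:(s + 1) * SECTOR] = b"LEFTOVER" * (SECTOR // 8)
    return bytes(img)

def verify_sample(image, fraction, rng):
    """Read back a random sample of sectors; return (sample size, failing sectors)."""
    total = len(image) // SECTOR
    k = max(1, math.ceil(total * fraction))
    media = io.BytesIO(image)
    failures = []
    for s in sorted(rng.sample(range(total), k)):
        media.seek(s * SECTOR)
        if media.read(SECTOR) != PATTERN:
            failures.append(s)
    return k, failures

def detection_probability(total, bad, k):
    """Chance that a k-sector sample hits at least one of `bad` missed sectors."""
    return 1 - math.comb(total - bad, k) / math.comb(total, k)

if __name__ == "__main__":
    total, missed = 10_000, range(4000, 4010)      # constructed: 10 sectors skipped
    image = build_image(total, missed)
    rng = random.SystemRandom()                    # unpredictable sector selection
    k, failures = verify_sample(image, 0.10, rng)  # 10% is an assumed sample size
    print(f"sampled {k} sectors, failures: {failures or 'none'}")
    print(f"P(detect) = {detection_probability(total, len(missed), k):.3f}")
```

With these constructed numbers, a 10% sample catches the ten missed sectors roughly 65% of the time, so a clean sample lowers the risk of residual data without proving its absence.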
Cryptographic erasure, while less commonly used, provides a quick method of data erasure that maintains the integrity of hardware. The process involves the deletion of the key that grants access to encrypted data, permanently rendering the data unreadable. To guarantee irreversible encryption, the software used to erase the key must produce a certificate upon completion confirming that access to this data has been totally suspended. However, cryptographic erasure cannot always meet compliance with NAID standards because its natural function nullifies the use of second-step, third-party verification.
What Data Destruction Certificates Should I Look For?
The National Association of Information Destruction (NAID) guidelines coincide with the standards set forth by NIST. A certification document published in 2013 stipulates that NAID-approved companies utilize a quality control manufacturer separate from that which created the sanitization software. In addition, portions of the targeted media are selected at random for secondary verification of erasure. The employees who execute sanitization and the quality control test, by NAID standards, cannot be the same.
The R2/Recycling Industry Operating Standard (RIOS) certifies ethical procedure in the recycling of hardware. With regard to Data Destruction, RIOS defers entirely to the guidelines outlined by the NIST. Specifically, and most importantly, they require an independent third party to complete the secondary verification of destruction. This third party in turn must either adhere to NIST guidelines or be certified by a generally accepted organization. Additionally, an e-recycler following RIOS guidelines must document the entire Data Destruction procedure using a system known as chain of custody, which tracks possession of an item and the action taken towards erasure.
E-Steward certification establishes a network of approved organizations conforming to the Standard for Responsible Recycling and Reuse of Electronic Equipment, published in March 2013. Similar to R2/RIOS, E-Steward upholds the NIST 2012 document as the predominant guideline for data sanitization. To earn E-Steward certification, an organization must demonstrate both a framework that adheres to NIST standards and a system that confirms adherence by determining the successful elimination of targeted data.
The Asset Disposal and Information Security Alliance (ADISA), in the same month as E-Steward, released a document outlining their own policies regarding secure data destruction. The principal ruling, again, includes a documented secondary verification test of a randomized sample of sanitized IT assets.
What Happens After My Data Is Destroyed?
Secure Data Destruction is the necessary prerequisite to the disposal of hardware. It benefits not only individual users wanting to protect personal information such as credit card information or social security numbers, but also large-scale corporations guarding intellectual property, financial records, and employee information. When data has been successfully destroyed by approved organizations, the hardware once containing it moves on to recycling or refurbishment.
Electronic hardware contains myriad environmental contaminants. Lead, cadmium, and dioxin are just three of the countless substances that threaten environmental health and, subsequently, general health. Electronic recyclers certified by R2/RIOS or E-Steward prevent these hazardous materials from causing harm by reusing them in the production of new devices. Additionally, reuse decreases the demand for mining raw materials that could cause irreparable damage to global ecosystems.
Oftentimes, retired hardware becomes obsolete due only to the release of newer, more advanced models. In these cases, still functioning hardware can be refurbished and remarketed, made efficient by specific upgrades that elevate daily processing power. Although recycling and Data Destruction can also be performed on the individual level, only NAID and NIST certified companies can promise secure erase, and R2/RIOS and E-Steward approved e-recyclers guarantee ethical disposal. The regulations set forth by the industry ensure accountability for companies specializing in Data Destruction as well as those that focus on sustainable disposal.
Blair Technology Group is not only NAID and HIPAA certified, but also compliant with the guidelines expressed in NIST SP 800-88. We guarantee that all equipment, after the destruction of data has been verified, is processed by companies certified by R2/RIOS or E-Steward. Our secure chain of custody documentation ensures that only authorized personnel retain access to your data. As the largest Microsoft Authorized Refurbisher in the United States, we take pride in a tradition of providing quality services, sustainability, and high return of asset value to our clients.