Safeguard Information
on Decommissioned
Technology Equipment

Three ways to help protect sensitive business data with NIST's media sanitization framework

With data breach incidents on the rise, it’s no surprise that information security is a major business concern. Many companies today have strict data protection policies in place that include tighter access controls and improved encryption protocols. But what about technology equipment that is no longer connected to your network?

PCs, laptops and other devices often contain sensitive company data that can be easily stolen by cybercriminals when the equipment is decommissioned. For businesses, this means financial information, account names, addresses and more, may wind up in the wrong hands.

Here’s a look at how a sanitization framework can help reduce the risk of losing confidential business information saved on storage media and the steps you can take to help safeguard your data.

Media Sanitization Framework

In 2006, the National Institute of Standards and Technology (NIST) developed guidelines for the secure disposal of data on technology devices. These guidelines have become the industry standard, replacing the U.S. Department of Defense (DoD) 5220.22-M sanitization method that was previously relied upon. The DoD method was popular before smartphones and flash-based storage technologies and has since fallen out of recommended practice due to its reduced effectiveness.

Today, businesses and other organizations reference NIST’s most recent guidelines—often referred to as its framework—Special Publication (SP) 800-88R1, “Guidelines for Media Sanitization”. These guidelines apply to the reuse, transfer and retirement of media, and the sanitization process used to render data inaccessible on storage devices such as hard drives (HDDs) and solid-state drives (SSDs)§.

The NIST framework offers three approaches to assist organizations in making decisions based on the category of confidentiality of their information and intended future use:

  1. Clear: This technique is typically applied through the standard read/write commands to remove data in all user-addressable storage locations on the device and includes overwriting the disk’s content or resetting the device to the factory state to protect against simple, non-invasive data recovery techniques.
  2. Purge: This method is optimal for highly confidential information since it renders target data recovery infeasible through various physical and logical techniques and addresses features such as host protected areas (HPAs) and device configuration overlays (DCOs). HPAs and DCOs hide sectors of a hard disk, preventing end-users from accessing them.
  3. Destroy: This is the most assertive of the three solutions as it dismantles hardware so that even advanced laboratory techniques cannot recover data. Options here may include melting the media storage device or pulverizing it, which is the favored technique when dealing with SSDs.

For businesses looking to redeploy equipment internally or remarket used storage hardware, the clear or purge methods may be the most appropriate (if prudent given the type of information stored) as they keep the storage unit intact.

Media Protection Options

Adhering to the NIST framework is an important step toward helping to reduce your company’s vulnerability caused by residual data left on devices. Here are some potential options that businesses can use to sanitize media storage and help protect against decommissioned equipment being a weak link in your cybersecurity chain:

  • Manage in-house. Your IT department can purchase software to handle all or some of the data sanitization process internally. This may be a good option for equipment that will be redeployed within the company.
  • Seek vendor support. There are a number of companies that specialize in implementing the NIST framework for organizations and can manage the process to help ensure your organization’s storage media is sanitized correctly.
  • Package the service. You can contract with the company from whom you’ve leased the equipment. Huntington Technology FinanceSM, for example, works with industry leading IT asset disposal companies to decommission off-lease IT equipment and bundles the services into its equipment financing packages for convenience.

How We Can Help

The average cost of a data breach in the U.S. topped $8 million in 2019. Given such potential exorbitant expense on today’s businesses, effectively removing data from storage devices is critical. Fortunately, awareness of the various dangers and how to defend against them can help. Chief among those defenses: ensuring the effective sanitization of decommissioned data storage devices.

Huntington Technology Finance is happy to consult with you on the next best steps. Contact us today to learn more about how we can help implement the NIST 800-88R1 media sanitization framework for your company’s safety and security.


Are you ready to advance your operations?
We’re here to help.
Contact Us

SOURCES:

† “Everything You Need to Know About the DoD 5220.22-M Wiping Standard & Its Applications Today,” Blancco, March 2019.

See for example “Media Sanitization Guidelines” IRS, July 2019.

§ “What is NIST 800-88, and What Does “Media Sanitization” Really Mean?,” Blancco, May 2019.

“What's the Cost of a Data Breach in 2019?” Digital Guardian, July 2019.

All lending products are subject to application and credit approval.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL HAVE LIABILITY FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.

Third-party product, service and business names are trademarks and/or service marks of their respective owners.

Huntington Technology Finance‚Ą† is a service mark of Huntington Bancshares Incorporated. circadia iconCircadia® is a federally registered service mark of Huntington Bancshares Incorporated. Circadia‚Ą† is a service mark of Huntington Bancshares Incorporated.