Three ways to help protect sensitive business data with NIST's media sanitization framework
With data breach incidents on the rise, it’s no surprise that information security is a major business concern. Many companies today have strict data protection policies in place that include tighter access controls and improved encryption protocols. But what about technology equipment that is no longer connected to your network?
PCs, laptops and other devices often contain sensitive company data that can be easily stolen by cybercriminals when the equipment is decommissioned. For businesses, this means financial information, account names, addresses and more, may wind up in the wrong hands.
Here’s a look at how a sanitization framework can help reduce the risk of losing confidential business information saved on storage media and the steps you can take to help safeguard your data.
Media Sanitization Framework
In 2006, the National Institute of Standards and Technology (NIST) developed guidelines for the secure disposal of data on technology devices. These guidelines have become the industry standard, replacing the U.S. Department of Defense (DoD) 5220.22-M sanitization method that was previously relied upon. The DoD method was popular before smartphones and flash-based storage technologies and has since fallen out of recommended practice due to its reduced effectiveness†.
Today, businesses and other organizations reference NIST’s most recent guidelines—often referred to as its framework—Special Publication (SP) 800-88R1, “Guidelines for Media Sanitization”.‡ These guidelines apply to the reuse, transfer and retirement of media, and the sanitization process used to render data inaccessible on storage devices such as hard drives (HDDs) and solid-state drives (SSDs)§.
The NIST framework offers three approaches to assist organizations in making decisions based on the category of confidentiality of their information and intended future use‡:
- Clear: This technique uses the device's standard read/write commands to remove data from all user-addressable storage locations. It includes overwriting the disk's contents or resetting the device to its factory state, and it protects against simple, non-invasive data recovery techniques.
- Purge: This method suits highly confidential information. It applies physical or logical techniques that render recovery of the target data infeasible, and it addresses features such as host protected areas (HPAs) and device configuration overlays (DCOs). HPAs and DCOs hide sectors of a hard disk so that end users, and the ordinary read/write commands they issue, cannot reach them.
- Destroy: This is the most aggressive of the three methods: it dismantles the hardware so that even advanced laboratory techniques cannot recover data. Options include melting the storage device or pulverizing it, the favored technique for SSDs.
For businesses looking to redeploy equipment internally or remarket used storage hardware, the clear or purge methods may be the most appropriate (if prudent given the type of information stored) as they keep the storage unit intact.
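To make the difference between Clear and Purge concrete, here is an added, self-contained Python illustration (not code from NIST SP 800-88R1 or from Huntington Technology Finance). It models a drive as a byte array with an HPA-style hidden region at the top of its LBA range, performs a Clear by overwriting every user-addressable sector through ordinary writes, reads every sector back to verify the overwrite, and then audits the hidden region through a native-capacity read that stands in for the lab or vendor access a Clear does not cover. The disk model, sector counts, seed and pattern are all constructed for the example; a real Clear is issued against a block device with OS or vendor tooling, never against an in-memory buffer.

```python
"""Simulated NIST 'Clear' overwrite with read-back verification.

Added illustration; the SimDisk model and its contents are constructed so the
script runs offline. The hidden region mimics an HPA/DCO: normal read()/write()
cannot reach it, which is exactly why a Clear leaves it untouched.
"""
import random
from dataclasses import dataclass, field

SECTOR_BYTES = 512


@dataclass
class SimDisk:
    native_sectors: int            # physical capacity in sectors
    hidden_sectors: int            # sectors hidden by an HPA/DCO (constructed)
    data: bytearray = field(default_factory=bytearray)

    def __post_init__(self):
        if self.hidden_sectors >= self.native_sectors:
            raise ValueError("hidden region must leave some user-addressable space")
        if not self.data:
            self.data = bytearray(self.native_sectors * SECTOR_BYTES)

    @property
    def user_sectors(self) -> int:
        """Sectors reachable with standard read/write commands (scope of a Clear)."""
        return self.native_sectors - self.hidden_sectors

    def _check_user_lba(self, lba: int) -> None:
        if not 0 <= lba < self.user_sectors:
            raise ValueError(f"LBA {lba} is outside the user-addressable range")

    def read(self, lba: int) -> bytes:
        self._check_user_lba(lba)
        off = lba * SECTOR_BYTES
        return bytes(self.data[off:off + SECTOR_BYTES])

    def write(self, lba: int, buf: bytes) -> None:
        self._check_user_lba(lba)
        if len(buf) != SECTOR_BYTES:
            raise ValueError("writes must be whole sectors")
        off = lba * SECTOR_BYTES
        self.data[off:off + SECTOR_BYTES] = buf

    def raw_read(self, lba: int) -> bytes:
        """Native-capacity read that bypasses the HPA/DCO boundary.

        Stands in for vendor or lab access; it is not part of the Clear
        procedure and exists only to audit what the Clear left behind.
        """
        if not 0 <= lba < self.native_sectors:
            raise ValueError(f"LBA {lba} is outside native capacity")
        off = lba * SECTOR_BYTES
        return bytes(self.data[off:off + SECTOR_BYTES])


def make_populated_disk(native_sectors: int, hidden_sectors: int, seed: int = 7) -> SimDisk:
    """Fill every native sector, hidden ones included, with constructed 'sensitive' bytes."""
    rng = random.Random(seed)
    disk = SimDisk(native_sectors, hidden_sectors)
    disk.data = bytearray(rng.getrandbits(8) for _ in range(native_sectors * SECTOR_BYTES))
    return disk


def _fill(pattern: bytes) -> bytes:
    return (pattern * SECTOR_BYTES)[:SECTOR_BYTES]


def clear_overwrite(disk: SimDisk, pattern: bytes = b"\x00") -> int:
    """Clear via standard writes: overwrite all user-addressable sectors.
    Returns the number of sectors written."""
    fill = _fill(pattern)
    for lba in range(disk.user_sectors):
        disk.write(lba, fill)
    return disk.user_sectors


def verify_clear(disk: SimDisk, pattern: bytes = b"\x00") -> bool:
    """Full read-back verification: every user-addressable sector must hold the pattern."""
    fill = _fill(pattern)
    return all(disk.read(lba) == fill for lba in range(disk.user_sectors))


def hidden_residue_sectors(disk: SimDisk, pattern: bytes = b"\x00") -> int:
    """Count hidden (HPA/DCO) sectors that still differ from the pattern after a Clear."""
    fill = _fill(pattern)
    return sum(1 for lba in range(disk.user_sectors, disk.native_sectors)
               if disk.raw_read(lba) != fill)


if __name__ == "__main__":
    d = make_populated_disk(native_sectors=64, hidden_sectors=8)
    print("verified before clear:", verify_clear(d))                       # False
    print("sectors cleared:", clear_overwrite(d))                          # 56
    print("verified after clear:", verify_clear(d))                        # True
    print("hidden sectors still holding data:", hidden_residue_sectors(d))  # 8
```

The read-back pass is the check a practitioner wants after any overwrite, because a Clear that was never verified is only an assumption. The last line of output is the point of the Purge bullet above: the eight hidden sectors keep their original contents, so for media that may carry HPA/DCO regions, or whenever the data is highly confidential, a Purge (or Destroy) is the appropriate choice.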
Media Protection Options
Adhering to the NIST framework is an important step toward helping to reduce your company’s vulnerability caused by residual data left on devices. Here are some potential options that businesses can use to sanitize media storage and help protect against decommissioned equipment being a weak link in your cybersecurity chain:
- Manage in-house. Your IT department can purchase software to handle all or some of the data sanitization process internally. This may be a good option for equipment that will be redeployed within the company.
- Seek vendor support. There are a number of companies that specialize in implementing the NIST framework for organizations and can manage the process to help ensure your organization’s storage media is sanitized correctly.
- Package the service. You can contract with the company from which you've leased the equipment. Huntington Technology Finance℠, for example, works with industry-leading IT asset disposal companies to decommission off-lease IT equipment and bundles the services into its equipment financing packages for convenience.
How We Can Help
The average cost of a data breach in the U.S. topped $8 million in 2019¶. Given the potential for such exorbitant expense, effectively removing data from storage devices is critical. Fortunately, awareness of the dangers and of how to defend against them helps, and chief among those defenses is the effective sanitization of decommissioned data storage devices.
Huntington Technology Finance is happy to consult with you on the next best steps. Contact us today to learn more about how we can help implement the NIST 800-88R1 media sanitization framework for your company’s safety and security.