The IT Asset Manager’s 2013 Review on Data Destruction Standards
The “DoD wipe,” the data destruction standard created by the Department of Defense was documented almost 20 years ago, in 1995. If your company’s data destruction policy is still based on this standard, it’s time to revisit your policy. You wouldn’t build your company’s IT infrastructure around 18 year-old technology, so why would you build your data destruction policy around an 18 year-old standard?
What is DoD 5220.22-m and Why Not Reference It?
The Department of Defense data destruction standard, which was a section of the National Industrial Security Program (NISP) Operating Manual, or DoD 5220.22-M, called for a “three-pass” approach to hard drive sanitization. That meant overwriting all data on a particular storage device three times to ensure that none of the original data remains. Purely from a data security standpoint, there is nothing wrong with three-pass data destruction; it can be done and, when done properly, it will ensure the original data stored on a hard drive is unrecoverable. Modern data storage technology, however, has made three passes unnecessary, and in fact, burdensome. The DoD data destruction standard was written in a time when most data was stored on magnetic tape, floppy disks, and slow, low-capacity magnetic hard drives. The drive head could easily miss data in a single pass. Current magnetic hard drives write much more accurately and with higher density than their predecessors. Even the Department of Defense now recognizes that only one pass, done with proper process and tools, is necessary to completely sanitize a drive of data.
Why not continue doing three passes, just to be sure? Each of those passes takes time, and that time increases with the capacity of a hard drive, and the storage capacity of hard drives continues to increase. Taking three passes to sanitize each drive literally triples the amount of time required for data destruction and takes your staff away from other tasks. If your company partners with a vendor for data destruction services, you’re paying your vendor for more work than you need.
The New Standard for Data Destruction
We mention the DoD wipe here because we still have companies asking us about it. But in the information destruction industry, the most up-to-date standard for data sanitization is NIST 800-88. Created by the National Institute of Standards and Technology, and sponsored by the Department of Homeland Security, NIST 800-88 states that a single pass is all that is necessary for reliable magnetic hard drive data destruction.
The Importance of a Certified Vendor
How, then, can you ensure your company is doing single-pass data destruction correctly, using the right software and verification methods? Don’t look for vendors “certified” by NIST 800-88. Such a certification doesn’t exist. NIST 800-88 is a written standard, not a certification body. The US government does not certify companies or software. There are, however, third-party organizations that will audit and certify vendors for meeting the most rigorous standards for secure data sanitization and destruction, including those outlined in NIST 800-88. In the United States, the National Association for Information Destruction (NAID) offers the most respected data destruction certification. Even as data destruction standards change with technology advances, if you partner with a certified vendor, you can be sure your vendor is following the most up-to-date practices and has the documentation to prove it.
The issues surrounding data destruction go beyond the standards. Read more in our free document, “10 Myths About IT Asset Disposition (ITAD) Data Erasure.”
More Tech articles from Business 2 Community: