Media sanitization guidelines

 

Introduction

Media sanitization protects the confidentiality of sensitive information, particularly needed for federal tax information (FTI). Unauthorized individuals may attempt to reconstruct data and gain access to sensitive data from media that has not been properly sanitized.

Accordingly, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, requires that agencies sanitize information system media prior to disposal or release for reuse.

The purpose is to clarify requirements and provide guidance for implementing media sanitization techniques (clearing, purging, destroying) for media that contain FTI when the media is going to be reused or disposed by the agency. This document focuses on the sanitization of electronic (or soft copy) media (e.g., tapes, hard drives, CD/DVD) and the handling of hard copy materials. Additionally, this memorandum provides guidance on the agency’s responsibility for media sanitization in a consolidated state-run data center, or commercially outsourced data center.

Governance structure

Media sanitization requirements are the same, regardless of where the media is located, i.e., at the agency, state data center or outsourced data center. The only difference may be who will carry out the sanitization and verification activities and the need for additional oversight activities.

If the information system media that receives, processes, stores and/or transmits FTI resides at a state consolidated or commercially outsourced data center, the agency is still responsible for ensuring that media sanitization requirements are enforced. This enforcement should be accomplished through a service level agreement (SLA) with the data center. The SLA should clearly define media sanitization requirements and identify the data center’s specific responsibilities in the sanitization process.

Media sanitization overview

The National Institute of Standards and Technology (NIST) defines sanitization as:

“the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.”

There are four categories of media sanitization: disposal, clearing, purging and destroying. Disposal is the most basic form of sanitization, where media is tossed out with no special disposition given to them. For media containing FTI, disposal is not an acceptable sanitization method. Clearing, purging, and destroying are the only appropriate sanitization methods that should be performed on media containing FTI.

Categories of media sanitization

Method

NIST 800-88 Description

Clearing Clearing information is a level of media sanitization that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. For example, overwriting is an acceptable method for clearing media.
Purging Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack. For some media, clearing media would not suffice for purging. However, for Advanced Technology Attachment (ATA) disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged. A laboratory attack would involve a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment. This type of attack involves using signal processing equipment and specially trained personnel. Executing the firmware Secure Erase command (for ATA drives only) and degaussing are examples of acceptable methods for purging.
Destroying Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding and melting.

Media sanitization requirements

The type of sanitization performed depends on two factors:

  1. Whether or not the media is to be reused by the agency for continued use with FTI.
  2. Whether or not the media will be leaving agency control.

If the media will be reused by the agency for the same purpose of storing FTI, and will not be leaving organization control, then clearing is a sufficient method of sanitization. If the media will be reused and repurposed for a non-FTI function and/or will be leaving  organization control, (i.e., media being exchanged for warranty, cost rebate, or other purposes and where the specific media will not be returned to the agency), then purging should be selected as the sanitization method. If the media will not be reused at all, then destroying is the method for media sanitization.

Type of sanitization - Two factors

 

Media is going to
be reused with FTI

Media is going to
be reused but will
no longer store FTI

Media is not going
to be reused

Not leaving organizational control Clear Purge1 Destroy
Leaving organizational control Purge1 Purge1 Destroy

1For some media, clearing media would not suffice for purging. However, for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged. Studies have shown that most of today’s media can be effectively cleared and purged by one overwrite using current available sanitization technologies.

These sanitization requirements are also applicable for media used in a “pre-production” or “test” environment as follows:

  • If the pre-production media contained FTI and is going to be reused in the pre-production environment or moved into production for the same purpose of storing FTI, the media must be cleared.
     
  • If the pre-production media will be reused and repurposed for a non-FTI function and/or will be leaving organization control, then purging should be selected as the sanitization method.
     
  • If the pre-production media will not be reused, the media must be destroyed.

The technique for clearing, purging, and destroying media depends on the type of media being sanitized. The most common types of media are listed below with the recommended sanitization technique(s). Additional guidance on other types of media not specifically listed can be found in NIST SP 800-88, Guidelines for Media Sanitization.

Most common types of media

Media Type

Clear

Purge

Destroy

Magnetic Disks
Floppy Disks Overwrite media by using agency-approved software and validate the overwritten data. Degauss in an NSA/CSS-approved degausser.
  • Incinerate floppy disks and diskettes by burning the floppy disks and diskettes in a licensed incinerator.
  • Shred
ATA Hard Drives Overwrite media by using agency-approved and validated overwriting technologies/methods/tools.
  • Secure Erase,
  • Degauss, or
  • Disassemble and degauss the enclosed platters.
  • Incinerate hard disk drives by burning the hard disk drives in a licensed incinerator.
  • Shred
  • Pulverize
  • Disintegrate
Zip Drives Overwrite media by using agency-approved and validated overwriting technologies/methods/tools. Degauss using an NSA/CSS approved degausser.
  • Incinerate disks and diskettes by burning the zip disks in a licensed incinerator.
  • Shred
SCSI Drives Overwrite media by using agency-approved and validated overwriting technologies/methods/tools.
  • Secure Erase
  • Degauss using an NSA/CSS approved degausser, or
  • Disassemble and degauss the enclosed platters using an NSA/CSS approved degausser.
  • Incinerate hard disk drives by burning the hard disk drives in a licensed incinerator.
  • Shred
  • Pulverize
    • Disintegrate
Magnetic Tape
Reel and Cassette Overwriting should be performed on a system similar to the one that originally recorded the data. For example, overwrite previously recorded classified or sensitive VHS format video signals on a comparable VHS format recorder. All portions of the magnetic tape should be overwritten one time with known non-sensitive signals. Degauss using an NSA/CSS approved degausser.
  • Incinerate by burning the tapes in a licensed incinerator.
  • Shred
Optical Disks
CD/DVDs N/A. See Destroy Method column. N/A. See Destroy method column.

Destroy in order of recommendations:

  • Removing the information bearing layers of DVD media using a commercial optical disk grinding device.
  • Incinerate optical disk media (reduce to ash) using a licensed facility.
  • Use optical disk media shredders or disintegrator devices to reduce to particles that have a nominal edge dimensions of five millimeters (5 mm) and surface area of twenty-five square millimeters
    25 mm2). **
** This is a current acceptable particle size. Any future disk media shredders obtained should reduce CD/DVD to surface area of .25mm.
Flash Media
USB Removable Drives Overwrite media by using agency-approved and validated overwriting technologies/methods/tools. N/A. See Destroy method column.
  • Incinerate hard disk drives by burning the hard disk drives in a licensed incinerator.
  • Shred
  • Pulverize
  • Disintegrate
Memory Cards Overwrite media by using agency-approved and validated overwriting technologies/methods/tools. N/A. See Destroy method column.
  • Incinerate hard disk drives by burning the hard disk drives in a licensed incinerator.
  • Shred
  • Pulverize
  • Disintegrate
Solid State Drives Overwrite media by using agency-approved and validated overwriting technologies/methods/tools. Secure Erase of Crytographic Erase * Incinerate hard disk drives by burning the hard disk drives in a licensed incinerator.
  • Shred
  • Pulverize
  • Disintegrate

* Note: Degaussing is not an appropriate method of purging data from flash media.

Hard copy media

FTI contained in hard copy material.

Burning

The material must be burned in an incinerator that produces enough heat to burn the entire bundle, or the bundle must be separated to ensure that all pages are incinerated.

Shredding

The Publication 1075 shredding requirement was updated to align with the NIST required 1mm x 5mm cross cut shred size from our previous 5/16” shred size requirement. This requirement is taken directly from NIST SP800-88 and applies to the moderate classification for FTI. Safeguards is aware that this change in shred size is a requirement that may take agencies time to adjust to,
either by purchasing compliant shredders, or requiring a revision to an existing contract.

Destroy paper using cross cut shredders which produce particles that are 1 mm x 5mm (0.04 in. x 0.2 in.) in size (or smaller), or pulverize/disintegrate paper materials using disintegrator devices equipped with a 3/32 in. (2.4 mm) security screen.

If shredding deviates from the above specification, FTI must be safeguarded until it reaches the stage where it is rendered unreadable through additional means, such as burning or pulping.

The final shred size requirements must be met prior to release of the shred to an unprotected environment, such as landfill. An agency or, legally authorized agency contractor, including a NAID contractor, may shred to a larger size if the paper is protected as it moves through the process until final Safeguards compliant destruction is attained.

The excerpt below from Pub. 1075 Section 2.F.4 only acknowledges that Safeguards has reviewed NAID standards and auditing guidelines and feels that their internal compliance program is sufficient in content to negate the need for agencies to conduct their own internal inspections if a current copy of the NAID certification is kept at the agency. There is no requirement to use a NAID certified vendor.

Verification

Verification of the sanitization and disposal process is an essential step in assuring media was properly sanitized. A representative sampling of media should be tested after sanitization has been completed. As required by Publication 1075, Section 2.F.3, every third piece of physical electronic media should be checked to ensure appropriate destruction of FTI.

FTI must never be disclosed to an agency’s agents or contractors during disposal without legal authorization and destruction must be witnessed by an agency employee.

The Department of Justice, State tax agencies and the Social Security Administration may be exempted from the requirement of having agency personnel present during destruction by a contractor, if the contract or SLA includes the safeguard provisions required by the Code of Treasury Regulations (CTR) 301.6103(n)-1. The required safeguard language is contained in Exhibit 7, Contract Language for General Services.

Destruction of FTI should be certified by the contractor when agency participation is not present and signed documentation must be provided to the agency. It is recommended the agency periodically observe the process to ensure compliance with security of FTI until it reaches a non-disclosable state and an approved destruction method is utilized.

If the agency has legal authority to disclose FTI to a disposal contractor and chooses one that is National Association for Information Destruction (NAID) certified, the agency will not be required to complete an internal inspection every 18 months of that facility. However, it must maintain a copy of, and periodically validate the NAID certification.

If sanitization tools (e.g., a degausser) are used, the agency must calibrate and test the equipment periodically, as another form of verification. The agency should perform regular scheduled maintenance on sanitization tools as required.

Record-keeping

The agency must maintain record of its sanitization. Information that should be maintained include, but are not limited to the following:

  1. What media was sanitized,
  2. When the media was sanitized,
  3. Amount of media sanitized,
  4. How they were sanitized and
  5. Whether verification was performed, and 6) the final disposition of the media.

In cases where information system media is located at a consolidated state or commercially outsourced data center, the SLA should require that verification forms be provided to the agency after sanitization is completed.

In accordance with Publication 1075 record keeping requirements, agencies are required to log the disposal of FTI. Inventory records must be maintained for purposes of control and accountability. Any media containing FTI or any file resulting from the processing will be recorded in a log that identifies:

  • Date received
  • Control number and/or file name & contents
  • Recipient
  • Number of records, if available
  • Movement and
  • If disposed of, the date and method of disposition.

Furthermore, agencies must report on disposal of FTI as part of the annual Safeguard Security Report (SSR). The SSR requires agencies to summarize the amount and method of destruction of FTI (paper and/or electronic, including backup tapes) disposed during the processing period. The description may be a summary from logs which track FTI from receipt through destruction. Agencies need to ensure that their system of record for documentation of the destruction of electronic media will provide them with appropriate information for the annual SSR.

A sample form for organizations to use in documenting sanitization activities is provided in Appendix A PDF.

Media sanitization roles and responsibilities matrix

As previously stated, media sanitization requirements are the same, regardless of where the information system media is located.

However, the party responsible for each step of the sanitization process may differ.

The following roles and responsibilities matrix provides guidance as to who (agency vs. contractor) can perform each step of the sanitization process. The “Agency” referenced in the table refers to the agency that is authorized by the statute to have the right of access to FTI. The state-run data center that is serving in an IT supporting function does not have independent right of access to FTI.

Roles and responsibilities matrix

 

Approve
Sanitization
Method

Perform
Sanitization

Conduct
Validation

Documentation

Agency Run
Data Center
Agency Official Agency  Employee Agency
Employee
(person that did
not perform
sanitization)
Maintained by
the Agency
Consolidated
State Data
Center
Agency Official State IT Department Agency Employee, State
IT Department
(per contract,
SLA or MOU)
Provided to Agency
Commercially
Outsourced
Data Center
Agency Official Contractor1 Agency Employee Provided to Agency

1Contractors are not authorized to perform the sanitization or validation on media containing (l)(7) data (Human Services Agencies) or (l)(10) refund offset data (Treasury Offset Program (TOP)). Contractors for Child Support agencies are only authorized access to (l)(6) address, SSN and amount of offset.

Resources