SPE1.1.0.2
BACKGROUND

CONTENTS
- General
- Media Sanitization
- Types of Sanitization
- Roles and Responsibilities
- Identification of the Need for Sanitization
- Determination of Security Categorization
GENERAL
Information disposition and sanitization decisions occur throughout the system life cycle.
Critical factors affecting information disposition and media sanitization are decided at the start of a system’s development.
The initial system requirements should include hardware and software specifications as well as interconnections and data flow documents that will assist the system owner in identifying the types of media used in the system.
A determination should be made during the requirements phase about what other types of media will be used to create, capture, or transfer information used by the system. This analysis, balancing business needs and risk to confidentiality, will formalize the media that will be considered for the system to conform to FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.
Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of media containing data will be transferred outside the positive control of the organization, for example for maintenance, for system upgrades, or during a configuration update.
MEDIA SANITIZATION
Media sanitization is one key element in assuring confidentiality.
Confidentiality is:
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]
“A loss of confidentiality is the unauthorized disclosure of information.” [FIPS-199, Standards for Security Categorization of Federal Information and Information Systems]
In order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used media. Rich sources of illicit information collection include dumpster diving for improperly disposed hard-copy media, acquisition of improperly sanitized electronic media, and keyboard or laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of the information on them. Media flow in and out of organizational control through recycle bins in paper form, out to vendors for equipment repairs, and hot-swapped into other systems in response to emergencies. This potential vulnerability can be mitigated through a proper understanding of where information is located, what that information is, and how to protect it.
TYPES OF SANITIZATION
The key in deciding how to manage media in an organization is to first consider the information, then the media type.
The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media.
Again, the key is to first think in terms of information confidentiality, then by media type. In organizations, information exists that is not associated with any categorized system. This information is often hard copy internal communications such as memoranda, white papers, and presentations. Sometimes this information may be considered sensitive. Examples may include internal disciplinary letters, financial or salary negotiations, or strategy meeting minutes. Organizations should label these media with their internal operating classifications and associate a type of sanitization described in this publication.
There are different types of sanitization for each type of media. We have divided media sanitization into four categories: disposal, clearing, purging and destroying.
Disposal exists where media are just tossed out with no special disposition given to them. Some media can be simply disposed if information disclosure would have no impact on organizational mission, would not result in damage to organizational assets, would not result in financial loss or would not result in harm to any individuals.
Disposal is mentioned to make clear that not all media require sanitization and that disposal is still a valid method for handling media containing non-confidential information.
Since disposal is not technically a type of sanitization, it will not be mentioned or addressed outside of this section.
The selected type should be assessed as to cost, environmental impact, etc., and a decision made that best mitigates the risk to confidentiality and best satisfies other constraints imposed on the process.
Type | Description
Disposal | Disposal is the act of discarding media with no other sanitization considerations. This is most often done by recycling paper that contains non-confidential information, but may also include other media.
Clearing | Clearing is a level of media sanitization that protects the confidentiality of information against a robust keyboard attack. Simple deletion of items does not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities, and it must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. Overwriting, for example, is an acceptable method for clearing media: software and hardware products exist that overwrite the storage space on the media with non-sensitive data. This process may cover not only the logical storage location of a file (e.g., the file allocation table) but all addressable locations. The security goal of the overwriting process is to replace written data with random data. Overwriting cannot be used for media that are damaged or not writeable, and the media type and size may also influence whether overwriting is a suitable sanitization method [SP 800-36]. Studies have shown that most of today's media can be effectively cleared by one overwrite.
Purging | Purging is a media sanitization process that protects the confidentiality of information against a laboratory attack. For some media, clearing does not suffice for purging; however, for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged. A laboratory attack involves a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment, using signal processing equipment and specially trained personnel. Executing the firmware Secure Erase command (for ATA drives only) and degaussing are examples of acceptable methods for purging. Degaussing any hard drive assembly usually destroys the drive, as the firmware that manages the device is also destroyed. Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high energy) of magnetic media they can purge, and operate using either a strong permanent magnet or an electromagnetic coil. Degaussing can be an effective method for purging damaged media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes. Degaussing is not effective for purging nonmagnetic media, such as optical media (compact discs (CD), digital versatile discs (DVD), etc.) [SP 800-36, Guide to Selecting Information Security Products]. If purging is not a reasonable sanitization method for an organization, it is recommended that the media be destroyed.
Destroying | Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended. Physical destruction can be accomplished by a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting. If destruction is chosen because of the high security categorization of the information or because of environmental factors, any residual medium should be able to withstand a laboratory attack. Destruction of media should be conducted only by trained and authorized personnel. Safety, hazmat, and special disposition needs should be identified and addressed before any media destruction is conducted.
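The clearing row above makes two points a practitioner should be able to demonstrate: simple deletion is not clearing, because recovery tools ignore the allocation table and read the raw medium; and an overwrite must cover every addressable location and then be checked. The Python below is an added illustration written for this page, not code from NIST SP 800-88 or from any product it cites. It models a raw medium with a tiny allocation table (an assumed stand-in for a FAT), shows that a raw scan still finds a "deleted" record, and then overwrites every location with a seeded SHA-256 keystream so that a full read-back pass can confirm the overwrite completed. The ToyMedium class, the sample payroll record and all names are constructed for the example.

```python
"""Added illustration (not NIST's code): deletion vs. clearing by overwrite
on a toy raw medium, with a verifiable pseudo-random overwrite pattern."""
import hashlib
import secrets

SECTOR = 512
SECTORS = 64            # 32 KiB toy medium


class ToyMedium:
    """Raw bytes plus an allocation table (sector -> file name). The table
    stands in for a FAT: deleting a file removes table entries only, the
    sectors keep their bytes. `writable=False` models write-protected or
    damaged media."""

    def __init__(self, writable=True):
        self.raw = bytearray(SECTOR * SECTORS)
        self.table = {}
        self.writable = writable

    def write_file(self, name, data):
        free = [s for s in range(SECTORS) if s not in self.table]
        needed = -(-len(data) // SECTOR)            # ceiling division
        if len(free) < needed:
            raise OSError("medium full")
        for k, s in enumerate(free[:needed]):
            chunk = data[k * SECTOR:(k + 1) * SECTOR]
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
            self.table[s] = name

    def delete_file(self, name):
        for s in [s for s, n in self.table.items() if n == name]:
            del self.table[s]


def carve(medium, marker):
    """What a data-scavenging or file-recovery tool does: ignore the
    allocation table and search the raw bytes. Returns the offset, or -1."""
    return medium.raw.find(marker)


def keystream(seed, n):
    """Deterministic pseudo-random bytes (SHA-256 in counter mode), so the
    verification pass can regenerate exactly what was written."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def clear_by_overwrite(medium, seed=None):
    """Clearing: overwrite all addressable locations, not only the sectors
    the table says are in use. Refuses non-writable media, where the page
    says overwriting cannot be used. Returns the seed for verification."""
    if not medium.writable:
        raise RuntimeError("medium not writable: overwrite is not an option; purge or destroy")
    seed = seed if seed is not None else secrets.token_bytes(16)
    medium.raw[:] = keystream(seed, len(medium.raw))
    medium.table.clear()
    return seed


def verify_overwrite(medium, seed):
    """Full read-back: every sector must hold the expected stream."""
    return bytes(medium.raw) == keystream(seed, len(medium.raw))


def demo():
    m = ToyMedium()
    record = b"SSN=123-45-6789;ACCT=00998877\n"     # constructed sample, not real data
    m.write_file("payroll.txt", record * 40)
    m.delete_file("payroll.txt")
    recoverable_after_delete = carve(m, b"SSN=123-45-6789") != -1
    seed = clear_by_overwrite(m)
    recoverable_after_clear = carve(m, b"SSN=123-45-6789") != -1
    verified = verify_overwrite(m, seed)
    return recoverable_after_delete, recoverable_after_clear, verified


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The seeded stream is the design point: a purely random overwrite is what the page asks for, but a reproducible random stream additionally lets the operator read the whole medium back and prove that no sector was skipped, which is the check that turns an overwrite into a defensible clearing record. On a real disk the same logic would run against the block device rather than a bytearray.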
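The purging row names the ATA firmware Secure Erase command as an acceptable purge and destruction as the fallback when purging is not reasonable. Before issuing that command an operator checks that the drive actually exposes the ATA security feature set and is in a state where the command will be accepted. The Python below is an added example, not NIST's: it parses the Security section of Linux `hdparm -I` output and returns a plan naming the erase mode, the hdparm command lines and the caveats that would make the command fail. The sample output is constructed in hdparm's format for a placeholder device `/dev/sdX`; the choice of hdparm and its command lines are assumptions about the operator's environment, not part of the guideline.

```python
"""Added example (not NIST's): decide how to purge an ATA drive from the
Security section of `hdparm -I`. Sample output is constructed; /dev/sdX
is a placeholder device."""
import re

# Constructed sample, modelled on hdparm -I output for a drive that supports
# enhanced Secure Erase but has been frozen by the firmware at boot.
SAMPLE_HDPARM_I = """\
/dev/sdX:

ATA device, with non-removable media
\tModel Number:       EXAMPLE-DRIVE
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 4min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""


def parse_security(text):
    """Return the drive's security state, or None when hdparm printed no
    Security section (not an ATA device, or identification failed)."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("Security:")), None)
    if start is None:
        return None
    state = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced": False,
             "minutes": None, "minutes_enhanced": None}
    for raw in lines[start + 1:]:
        if not raw[:1].isspace():
            break                                   # next top-level section
        line = " ".join(raw.split())                # collapse tab alignment
        if line == "supported":
            state["supported"] = True
        elif line == "supported: enhanced erase":
            state["enhanced"] = True
        elif line in ("enabled", "locked", "frozen"):
            state[line] = True                      # "not enabled" etc. stay False
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", line)
        if m:
            state["minutes"] = int(m.group(1))
        m = re.search(r"(\d+)min for ENHANCED SECURITY ERASE UNIT", line)
        if m:
            state["minutes_enhanced"] = int(m.group(1))
    return state


def purge_plan(state, dev="/dev/sdX"):
    """Map the state to a purge action. Secure Erase is the page's accepted
    purge for ATA drives; where it is unavailable the page's fallback is
    degaussing (magnetic media only) or destruction."""
    if state is None or not state["supported"]:
        return {"method": "degauss-or-destroy", "commands": [],
                "notes": ["drive does not expose the ATA security feature set"]}
    notes, commands = [], []
    if state["frozen"]:
        notes.append("drive is frozen (usually by the BIOS/UEFI at boot); the erase is "
                     "rejected until the drive is unfrozen, e.g. by suspend/resume or hot-plug")
    if state["locked"]:
        notes.append("drive is locked; unlock it with its password first")
    pwd = "NULL"
    if state["enabled"]:
        pwd = "<existing-password>"
        notes.append("a user password is already set; the erase must use that password")
    else:
        # Secure Erase requires a user password to be set; use a throwaway one.
        commands.append(f"hdparm --user-master u --security-set-pass {pwd} {dev}")
    if state["enhanced"]:
        method, flag, minutes = "ata-secure-erase-enhanced", "--security-erase-enhanced", state["minutes_enhanced"]
        notes.append("enhanced mode also overwrites sectors the drive has reallocated, "
                     "which a host-side overwrite cannot reach")
    else:
        method, flag, minutes = "ata-secure-erase", "--security-erase", state["minutes"]
    commands.append(f"hdparm --user-master u {flag} {pwd} {dev}")
    notes.append(f"expect roughly {minutes} min; afterwards hdparm -I must show "
                 "'not enabled' and a read-back of sampled sectors must show no user data")
    return {"method": method, "commands": commands, "notes": notes}


if __name__ == "__main__":
    plan = purge_plan(parse_security(SAMPLE_HDPARM_I))
    print(plan["method"])
    for c in plan["commands"]:
        print(" ", c)
    for n in plan["notes"]:
        print("  note:", n)
```

The frozen check is the one that bites in practice: many firmwares freeze the security state at boot precisely so that malware cannot issue a Secure Erase, and the same lock stops the operator. The read-back note at the end is the verification step that distinguishes a purge you can attest to from one you merely issued.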
ROLES AND RESPONSIBILITIES
Program Managers/Agency Heads
By establishing an effective information security governance structure, they establish the organization’s computer security program and its overall program goals, objectives, and priorities in order to support the mission of the organization.
Ultimately, the head of the organization is responsible for ensuring that adequate resources are applied to the program and for ensuring program success.
Senior management is responsible for ensuring that the resources are allocated to correctly identify types and locations of information and to ensure that resources are allocated to properly sanitize the information.
Chief Information Officer (CIO)
The CIO is charged with promulgating information security policy. A component of this policy is information disposition and media sanitization.
The CIO, as the information custodian, is responsible for ensuring that organizational or local sanitization requirements follow the guidelines of this instruction.
Information System Owner
The information system owner should ensure that maintenance or contractual agreements are in place and are sufficient in protecting the confidentiality of the system media and information commensurate with the impact of disclosure of such information on the organization.
Information Owner
The information owner should ensure that appropriate supervision of onsite media maintenance by service providers occurs, when necessary.
The information owner is also responsible for ensuring that users of the information are aware of its sensitivity and the basic requirements for media sanitization.
Senior Agency Information Security Officer (SAISO)
The SAISO is responsible for ensuring that the requirements of the information security policy with regard to information disposition and media sanitization are implemented and exercised in a timely and appropriate manner throughout the organization.
System Security Manager/Officer
Often assisting system management officials in this effort is a system security manager/officer responsible for day-to-day security implementation and administration duties. Although not normally part of the computer security program management office, this person is responsible for coordinating the security efforts of a particular system or systems.
This role is sometimes referred to as the Computer System Security Officer or the Information System Security Officer.
Property Management Officer
The property management officer is responsible for ensuring that sanitized media and devices that are redistributed within the organization, donated to external entities or destroyed are properly accounted for.
Records Management Officer
The records management officer is responsible for advising the system and/or data owner or custodian of retention requirements that must be met so the sanitization of media will not destroy records that should be preserved.
Privacy Officer
The privacy officer is responsible for providing advice regarding the privacy issues surrounding the disposition of privacy information and the media upon which it is recorded.
Users
Users have the responsibility for knowing and understanding the confidentiality of the information they are using to accomplish their assigned work and ensure proper handling of information.
IDENTIFICATION OF THE NEED FOR SANITIZATION
One of the first steps in making a sanitization decision is deciding if and when a need exists to sanitize media.
At all points in the system life cycle, media are generated that contain representations of the information held in the system. These media can take different forms, such as simple printouts of data, screenshot captures, or cached memory of users' activities.
Organizations must know which media are capturing data, and when, in order to maintain proper control of the information. This understanding allows organizations to identify when there is a need to conduct proper sanitization before media disposal. These decisions can be as simple as ensuring that paper shredders are placed in work areas during system steady-state activities, or as involved as destroying electronic equipment at the end of its life cycle.
DETERMINATION OF SECURITY CATEGORIZATION
Early in the system life cycle, a system is categorized using the guidance found in FIPS 199 and NIST SP 800-60, including the security categorization for the system’s confidentiality.
This security categorization is often revisited and revalidated throughout the system’s life, and any necessary changes to the confidentiality category can be made.
Once the security categorization is completed, the system owner can then design a sanitization process that will ensure adequate protection of the system’s information.
Much information is not associated with a specific system but is associated with internal business communications, usually on paper. Organizations should label these media with their internal operating classifications and associate a type of sanitization described in this instruction.