Proper Data Sanitization with NIST 800-88 Standards

Aug 8, 2020

At some point, you’re going to find yourself in the position of having to purge IT assets.  This could happen when devices become outdated or damaged, when employees leave the company and you have to decide what to do with equipment and devices assigned to them, or when you decide to upgrade your infrastructure, for example.

Whether you’re eliminating equipment in favor of newer technologies or passing still usable devices along to new employees, you need to make sure you do so in a responsible manner, protecting sensitive data in keeping with consumer privacy laws and other applicable regulations.  In other words, you need to properly sanitize devices before they can find a new home.

The best way to protect your South Dakota business and your customers is to follow the guidelines for sanitization set forth in NIST 800-88.  What is this special publication and how can it help to ensure proper data sanitization?

What is NIST 800-88r1?

NIST Special Publication 800-88 Revision 1 is the latest version of a document created by National Institute for Standards and Technology that provides government guidance related to data sanitization, or the elimination of data from electronic devices.  According to the publication, “Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort.”

In layman’s terms, this refers to the process of eliminating data, or access to data, from any type of storage device.  Although the guide is purposely non-specific about the types of devices that could or should be sanitized, since it’s meant to cover a broad range of technologies (including future technologies), you could apply standards to virtually any electronic device that stores data, from hard drives and servers, to mobile devices and even USB drives, for example.

“Section 5 Summary of Sanitization Methods” sets forth three acceptable means of sanitization: clear, purge, and destroy.  Clearing data essentially involves an overwriting process, by which target data is replaced with non-sensitive data (typically junk data like zeros or ones), with the end result being that the data cannot be retrieved.

Purging could include overwriting procedures, but could also entail options like secure erase or cryptographic erase, as well as destructive techniques that effectively sever access to data.  Specifically excluded are practices like bending, cutting, or punching/shooting holes in devices, which are dangerous and may not effectively stop data retrieval.

Finally, destruction includes methods that completely demolish the physical media used to store data, such as shredding devices to such a small size that they are impossible to reconstruct, thus ensuring that data is no longer accessible.

The Benefits of Proper Data Sanitization

When devices are properly sanitized, in keeping with NIST 800-88r1 guidelines, you have the best opportunity to protect sensitive data and comply with consumer privacy laws and associated industry regulations.  Whenever you transfer used devices to new employees, remarket old devices, or simply get rid of IT assets, it’s imperative that you do so in a responsible manner that eliminates the threat of data theft.  This way you can protect your customers, keep your company secure, and avoid catastrophic events like data breach and identity theft.

If you need help protecting your South Dakota business, your best bet is to partner with a certified ITAD service provider like SEAM that observes NIST 800-88 and complies with all applicable laws on your behalf.  Contact SEAM today at 605-274-7326 (SEAM) or online to learn more.

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.

Schedule a pickup or contact us for more information.