What Does Media Sanitization Really Mean?
Your South Dakota business creates and compiles a wealth of data, from internal projects and operational information, to personal data collected from customers. This data is stored on hard drives and devices, on servers, in the cloud, and so on. Regardless of where you store data, however, you are responsible for keeping it safe, and this includes ensuring that it is properly disposed of.
Just as your devices have an intended life cycle (say, 3-5 years before you upgrade to new technologies), your data should have an expiration date, too. You can’t just let old, outdated, and unused data linger, creating unnecessary risk of theft and the many consequences that could follow.
This is where media sanitization enters the picture. What is it, though? Is it as simple as shredding your hard drives, or is there more to the process? Here’s what you need to know to ensure that you’re sanitizing data properly, in compliance with applicable regulations.
What is Sanitization?
Sanitization is different from IT asset disposition in one key way. ITAD refers to destruction of devices that contain data, whereas sanitization refers to destroying the data itself, or more specifically, making it unrecoverable through permanent and irreversible removal or destruction. It’s more than deleting a file – it’s making sure that no trace remains, typically through a multi-step wiping process that overwrites existing data with junk data (zeros or ones).
Understanding NIST SP 800-88, Revision 1
You may wonder what the standards are for media sanitization, and the rule you need to pay attention to is Revision 1 of the National Institute of Standards and Technology (NIST) Special Publication 800-88. This regulation applies to data stored via a variety of technologies, including hard drives, servers, USB drives, and even devices that have not yet been invented. In short, it’s universally applied to devices that store data.
The gist of NIST SP 800-88, Rev. 1 is that data on these devices must be removed by one of three means: clear, purge, or destroy. Businesses are encouraged to choose an appropriate method of sanitization based on factors like the type of storage media used, the level of confidentiality assigned to the data, risks associated with the confidentiality of the data, and plans for future media usage (e.g. reuse, remarketing, donation, or destruction). Secondary factors could include cost, environmental considerations, and sanitization methods available, but risk should be a primary concern, to be weighed against other factors.
Proper Sanitization Practices
You know that sanitization is important from a compliance standpoint, but even more essential is protecting your company and your customers. What’s the best way to ensure complete sanitization of data? First, you need to keep track of where data is stored, primarily by maintaining meticulous inventory of equipment and devices.
Before devices change hands or you donate or remarket them, they should undergo a professional, multi-pass wiping process, in keeping not only with NIST standards, but also with applicable consumer privacy laws and standards for industries that deal with high-risk data (healthcare, financial, etc.). If you plan to have your certified ITAD service provider shred devices, sanitization may be redundant.
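The following is an added example, not part of the original article or any SEAM tooling: it applies the clear / purge / destroy selection to an equipment inventory, using the decision flow from NIST SP 800-88, Rev. 1 (confidentiality level, reuse, and whether the media leaves the organization's control). The record fields, asset tags, and the flash-media note are assumptions made for illustration.

```python
from dataclasses import dataclass
FLASH = {"ssd", "usb"}  # media types where overwriting may miss unmapped areas

@dataclass
class Asset:
    tag: str         # inventory tag (sample values below are constructed)
    media: str       # "hdd", "ssd", "usb", ...
    category: str    # confidentiality level: "low", "moderate" or "high"
    reuse: bool      # will the media be reused, remarketed or donated?
    leaves_org: bool # will it leave the organization's control?

def choose_method(a: Asset) -> str:
    """Clear / purge / destroy per the SP 800-88 Rev. 1 decision flow."""
    cat = a.category.lower()
    if cat not in ("low", "moderate", "high"):
        raise ValueError(f"{a.tag}: unknown category {a.category!r}")
    if cat == "low":
        return "purge" if a.leaves_org else "clear"
    if not a.reuse:
        return "destroy"
    if cat == "moderate":
        return "purge" if a.leaves_org else "clear"
    return "destroy" if a.leaves_org else "purge"  # high, reused

def plan(inventory):
    """Return ({tag: (method, note)}, [records needing manual review])."""
    result, errors = {}, []
    for a in inventory:
        try:
            method = choose_method(a)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        note = ""
        if method == "clear" and a.media.lower() in FLASH:
            note = "overwrite may not reach all flash areas; verify or purge"
        result[a.tag] = (method, note)
    return result, errors

INVENTORY = [  # constructed sample records
    Asset("LT-001", "ssd", "low", True, False),
    Asset("SRV-014", "hdd", "moderate", True, True),
    Asset("HD-207", "hdd", "high", False, True),
    Asset("USB-033", "usb", "high", True, False),
    Asset("LT-099", "hdd", "unrated", True, True),
]

if __name__ == "__main__":
    print(plan(INVENTORY))
```

Records with a missing or unrecognized confidentiality level are returned for manual review rather than defaulted to a method.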
Contact the qualified professionals at SEAM today at 605-274-7326 (SEAM) or online to learn more about sanitization and request a quote for services.