DESCRIPTION OF PROCESSES

“A loss of confidentiality is the unauthorized disclosure of information.” [FIPS-199, Standards for Security Categorization of Federal Information and Information Systems]


GENERAL

Information disposition and sanitization decisions occur throughout the information system life cycle.


Critical factors affecting information disposition and media sanitization are decided at the start of a system’s development.

The initial system requirements should include hardware and software specifications as well as interconnections and data flow documents that will assist the system owner in identifying the types of media used in the system.

Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of media, containing data, will be transferred outside the positive control of the organization.

This activity may be for maintenance reasons, system upgrades, or during a configuration update.


DATA SANITIZATION

Data sanitization is one key element in assuring confidentiality.

Confidentiality is:

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]

In order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used digital data.

Rich sources of illicit information collection include dumpster diving for improperly disposed hard-copy media, acquisition of improperly sanitized electronic media, and keyboard or laboratory reconstruction of media that were sanitized in a manner not commensurate with the confidentiality of their information.

The critical information flows in and out of organizational control through recycle bins in paper form, out to vendors for equipment repairs, and hot swapped into other systems in response to emergencies.

Controlling these flows requires specialized software matched to the information being handled, such as FDM II.


TYPES OF SANITIZATION


Managing critical information in an organization requires first determining what information should be considered sensitive, and then analyzing the type of media used to store it.


The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media.

In organizations, information exists that is not associated with any categorized system. This information is often digital internal communications. Sometimes this information may be considered sensitive.

Organizations should label these media with their internal operating classifications and associate them with a specialized type of data sanitization available in FDM II.

There are different types of sanitization for each type of critical information, as follows: disposal, clearing, purging, random encryption, masking, destroying, etc.

The selected type of sanitization should be assessed as to cost, environmental impact, etc., and a decision made that best mitigates the risk to confidentiality and best satisfies the other constraints imposed on the process.


Note: Since disposal is not technically a type of sanitization, it will not be mentioned or addressed.



SANITIZATION TYPES According to SP 800-36


Type Description

Disposal

Disposal is the act of discarding media with no other sanitization considerations. This is most often done by recycling hard disks containing non-confidential information, but may also include other media.


Clearing


Clearing information is a level of data sanitization that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing.
Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools.
The security goal of the overwriting process is to replace written data with random data. Overwriting cannot be used for media that are damaged or not writeable.
The media type and size may also influence whether overwriting is a suitable sanitization method. [SP 800-36].
Studies have shown that most of today’s media can be effectively cleared by one overwrite.
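The single-pass overwrite described above, as an added example that is not part of the original page or of FDM II's own code. The names overwrite_file, clear_file and demo are assumed here, the sample file content is constructed, and the code assumes a conventional writable magnetic disk: on SSDs and journaling or copy-on-write filesystems the original blocks may survive, so this is a clearing control, not a purge.

```python
import os
import secrets
import tempfile


def overwrite_file(path: str, chunk_size: int = 1 << 20) -> int:
    """Overwrite every byte of `path` in place with random data.

    Returns the number of bytes written. Raises OSError if the file
    cannot be opened for writing: overwriting is not a usable method
    for media that are damaged or not writeable.
    """
    size = os.path.getsize(path)
    # "r+b" keeps the existing allocation, so the original blocks are
    # overwritten rather than freed and replaced by new ones.
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            fh.write(secrets.token_bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push the random data through to the medium
    return size


def clear_file(path: str) -> int:
    """Clearing: overwrite, hide the original length, then remove the name."""
    written = overwrite_file(path)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        os.fsync(fh.fileno())
    os.remove(path)
    return written


def demo(marker: bytes = b"SECRET-RECORD-0001\n") -> dict:
    """Write a constructed sample file, overwrite it, and report what a
    file recovery utility reading the same blocks would now find."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 1000)          # constructed sensitive content
    overwritten = overwrite_file(path)
    with open(path, "rb") as fh:
        residue = fh.read()              # what is left on the medium
    cleared = clear_file(path)
    return {"bytes": overwritten, "marker_survived": marker in residue,
            "same_length": len(residue) == overwritten,
            "cleared": cleared, "removed": not os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```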


Purging


Purging information is a media sanitization process that protects the confidentiality of information against a laboratory attack.
For ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged.
A laboratory attack would involve a threat with the resources and knowledge to use nonstandard systems to conduct data recovery attempts on media outside their normal operating environment. This type of attack involves using signal processing equipment and specially trained personnel.
Degaussing of any hard drive assembly usually destroys the drive as the firmware that manages the device is also destroyed.
Degaussing is not effective for purging nonmagnetic media, such as optical media (compact discs (CD), digital versatile discs (DVD), etc.). [SP 800-36, Guide to Selecting Information Security Products]
If purging media is not a reasonable sanitization method for organizations, it is recommended that the media be destroyed.


Destroying


Destruction of media is the ultimate form of sanitization. After media are destroyed, they cannot be reused as originally intended.
If destruction is decided upon due to the high security categorization of the information or due to environmental factors, any residual medium should be able to withstand a laboratory attack.

  • Disintegration, Incineration, Pulverization, and Melting - These sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or incineration facility with the specific capabilities to perform these activities effectively, securely, and safely.

  • Shredding - Paper shredders can be used to destroy flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality level that the information cannot be reconstructed.

Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), and magneto-optic (MO) disks must be destroyed by pulverizing, crosscut shredding or burning.

Destruction of media should be conducted only by trained and authorized personnel.

Safety, hazmat, and special disposition needs should be identified and addressed prior to conducting any media destruction.




IDENTIFICATION OF THE NEED FOR SANITIZATION


One of the first steps in making a sanitization decision is deciding if and when a need exists to sanitize digital data.


Organizations must know which media are capturing data and when in order to maintain proper control of the information. This understanding will allow organizations to identify when there is a need to conduct proper sanitization.

These decisions on proper destruction can be as simple as ensuring the placement of paper shredders in work areas during system steady-state activities, or can address the destruction of electronic equipment at the end of its life cycle.

FDM II can be considered one of the easiest-to-use solutions for the automatic destruction of large volumes of digital data, guaranteeing a high degree of security.



DETERMINATION OF SECURITY CATEGORIZATION


Early in the computer system life cycle, digital data are categorized using the guidance found in FIPS 199 and NIST SP 800-60, including the security categorization for the system’s confidentiality.


This security categorization is often revisited and revalidated throughout the system’s life, and any necessary changes to the confidentiality category can be made.

Once the security categorization is completed, the system owner can then design a sanitization process that will ensure adequate protection of the system’s information.

Much information is not associated with a specific system but is associated with internal business communications. In this case, using FDM II for enterprise solutions can be extremely effective.




Files and Folders Destruction Manager
FDM II