NIST SP 800-88

Information systems capture, process and store information using a wide variety of devices. This information resides not only on storage media but also on those used to create, process or transmit the information.

Each of the devices used requires a special injunction to reduce the risk of unauthorized disclosure of information and to ensure its confidentiality. Effective management of the critical data that is created, processed and stored by an information technology (IT) system throughout its life, from inception to decommissioning, is a major concern of the owner of the information system and the employees responsible for such management.


In order to reduce the risk of unauthorized disclosure of information and to ensure its confidentiality, it is necessary to carry out systematic operational control of the devices used. On the basis of the information received, measures should be taken to protect the data used. One of the methods ensuring high security is the encryption of critical information.

With the use of increasingly sophisticated encryption, the attacker who wishes to gain access to the organization's sensitive information is forced to search for that information outside the system itself. One way to attack is to recover supposedly deleted data from the media. These residual data may allow unauthorised persons to completely or partially reconstruct different data and thus gain access to sensitive information. In order to avoid this, it is necessary to renovate the information carriers from time to time. The purpose of sanitization is to limit the possibility of conducting this type of attack by ensuring that deleted data cannot be easily recovered.

When data carriers are decommissioned, it is important to ensure that the deleted data cannot be recovered using special software or apparatus.

Sanitization is an essential element of the overall process of removing data from the devices where it is stored, in a way that ensures that critical information cannot be easily retrieved and reconstructed by unauthorized persons or structures.


It is important to know that the problems associated with the decommissioning of data carriers and ensuring the irreversible destruction of critical information are not related to the used devises, but concern the way the data is processed and stored.

The processes of destruction of critical files and folders, as well as the periodic renovation of free disk space depends on the type and nature of the saved information.

With the advanced functions of today's operating systems, it must be assumed that the electronic media used in the system contain information commensurate with the security categorisation of the confidentiality of the system. If not handled properly, the release of these media may result in the occurrence of unauthorised disclosure of information.

The categorization of the information technology (IT) system in accordance with the Federal Information Processing Standard (FIPS) 199, Standards for the categorization of the security of federal information and information systems, is the critical first step in understanding and managing system information and apparatus used.

Guidelines For Media Sanitization

Relationship To Government Publishing

USA Standards

Rules For The Protection Personal Data

Relationship To Other NIST Documents
( Standards for Security Categorization of Federal Information and Information, FIPS 199 )


Files and Folders Destruction Manager