MEDIA SANITIZATION TECHNIQUES
NIST SP 800-88
SUMMARY
Information systems capture, process and store information using a wide variety of devices. This information resides not only on storage media but also on the devices used to create, process or transmit it.
Each of these devices requires special handling to reduce the risk of unauthorized disclosure of information and to ensure its confidentiality. Effective management of the critical data that is created, processed and stored by an information technology (IT) system throughout its life, from inception to decommissioning, is a major concern of the owner of the information system and the employees responsible for such management.
In order to reduce the risk of unauthorized disclosure of information and to ensure its confidentiality, it is necessary to carry out systematic operational control of the devices used. On the basis of the information received, measures should be taken to protect the data used. One of the methods ensuring high security is the encryption of critical information.
With the use of increasingly sophisticated encryption, an attacker who wishes to gain access to an organization's sensitive information is forced to look for that information outside the system itself. One avenue of attack is to recover supposedly deleted data from the media. This residual data may allow unauthorised persons to completely or partially reconstruct the original data and thus gain access to sensitive information. To avoid this, the storage media must be sanitized from time to time. The purpose of sanitization is to limit the possibility of this type of attack by ensuring that deleted data cannot be easily recovered.
When data carriers are decommissioned, it is important to ensure that the deleted data cannot be recovered using special software or apparatus.
Sanitization is an essential element of the overall process of removing data from the devices where it is stored, in a way that ensures that critical information cannot be easily retrieved and reconstructed by unauthorized persons or structures.
OBJECTIVES AND SCOPE OF DIGITAL DATA SANITIZATION
It is important to know that the problems associated with decommissioning data carriers and ensuring the irreversible destruction of critical information are not related to the devices used, but to the way the data is processed and stored.
The processes for destroying critical files and folders, as well as for periodically sanitizing free disk space, depend on the type and nature of the saved information.
With the advanced functions of today's operating systems, it must be assumed that the electronic media used in the system contain information commensurate with the security categorisation of the confidentiality of the system. If not handled properly, the release of these media may result in unauthorised disclosure of information.
Categorizing the information technology (IT) system in accordance with Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, is the critical first step in understanding and managing the system's information and the media used.
Guidelines For Media Sanitization
- ISO 10116: Information Processing — Modes of Operation for an n-bit block cipher algorithm.
- ISO 9798-2: Information technology — Security techniques — Entity authentication mechanisms — Part 2: Entity authentication using symmetric techniques.
- ISO 10118-2: Information technology — Security techniques — Hash-functions — Part 2: Hash-functions using an n-bit block cipher algorithm.
- ISO 11770-2: Information technology — Security techniques — Key management — Part 2: Key management mechanisms using symmetric techniques.
Relationship To Government Publishing
- TITLE 50 - WAR AND NATIONAL DEFENSE.
- TITLE 44 - PUBLIC PRINTING AND DOCUMENTS.
- CHAPTER 35 - COORDINATION OF FEDERAL INFORMATION POLICY.
- NSC-63 - PRESIDENTIAL DECISION DIRECTIVE/NSC-63 (PDD-63, 1998; HSPD-8, 2003).
- H.R.145 - 100th Congress (1987-1988).
- NSDD 145 - National Security Decision Directive.
- 10450 - Security requirements for government employees.
- 10501 - Safeguarding official information in the interests of the defense of the United States.
- 10865 - Safeguarding classified information within industry.
- 12829 - National industrial security program.
- 12968 - Access to classified information.
USA Standards
- Encryption - Data Encryption Standard (DES) - FIPS 46-3.
- Encryption - DES Modes of Operation - FIPS 81.
- Encryption - Advanced Encryption Standard (AES) - FIPS 197 (with key sizes of 128 and 256 bits).
- Hashing - Advanced Encryption Standard (AES) - FIPS 197 (with key sizes of 128 and 256 bits).
- Guidelines on Electronic - Advanced Encryption Standard (AES) - FIPS 197 (with key sizes of 128 and 256 bits).
Rules For The Protection Of Personal Data
Relationship To Other NIST Documents
- FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems).
- NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories) provides guidance for establishing the security categorization for a system’s confidentiality. This categorization will impact the level of assurance an organization should require in making sanitization decisions.
- FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) sets a base of security requirements that requires organizations to have a media sanitization program.
- NIST SP 800-53 (Recommended Security Controls for Federal Information Systems) provides minimum recommended security controls, including sanitization, for Federal systems based on their overall system security categorization.
- NIST SP 800-53A (Guide for Assessing the Security Controls in Federal Information Systems) provides guidance for assessing security controls, including sanitization, for federal systems based on their overall system security categorization.
Files and Folders Destruction Manager
FDM II