MEDIA SANITIZATION TECHNIQUES
SUMMARY
|
|
In order to reduce the risk of unauthorized disclosure of information and to ensure its confidentiality, it is necessary to carry out systematic operational control of the devices used. On the basis of the information received, measures should be taken to protect the data used. One of the methods ensuring high security is the encryption of critical information.
With the use of increasingly sophisticated encryption, the attacker who wishes to gain access to the organization's sensitive information is forced to search for that information outside the system itself. One way to attack is to recover supposedly deleted data from the media. These residual data may allow unauthorised persons to completely or partially reconstruct different data and thus gain access to sensitive information. In order to avoid this, it is necessary to renovate the information carriers from time to time. The purpose of sanitization is to limit the possibility of conducting this type of attack by ensuring that deleted data cannot be easily recovered.
When data carriers are decommissioned, it is important to ensure that the deleted data cannot be recovered using special software or apparatus.
Sanitization is an essential element of the overall process of removing data from the devices where it is stored, in a way that ensures that critical information cannot be easily retrieved and reconstructed by unauthorized persons or structures.
OBJECTIVES AND SCOPE OF DIGITAL DATA RENOVATION
It is important to know that the problems associated with the decommissioning of data carriers and ensuring the irreversible destruction of critical information are not related to the used devises, but concern the way the data is processed and stored.
The processes of destruction of critical files and folders, as well as the periodic renovation of free disk space depends on the type and nature of the saved information.
With the advanced functions of today's operating systems, it must be assumed that the electronic media used in the system contain information commensurate with the security categorisation of the confidentiality of the system. If not handled properly, the release of these media may result in the occurrence of unauthorised disclosure of information.
The categorization of the information technology (IT) system in accordance with the Federal Information Processing Standard (FIPS) 199, Standards for the categorization of the security of federal information and information systems, is the critical first step in understanding and managing system information and apparatus used.
Guidelines For Media Sanitization
- ISO 10116: Information Processing — Modes of Operation for an n-bit block cipher algorithm.
- ISO 9798-2: Information technology — Security technicues — Entity authentication mechanisms — Part 2: Entity authentication using symmetric techniques.
Relationship To Government Publishing
- TITLE 50 - WAR AND NATIONAL DEFENSE.
- TITLE 44 - PUBLIC PRINTING AND DOCUMENTS.
- CHAPTER 35 - COORDINATION OF FEDERAL INFORMATION POLICY.
- NSC-63 - PRESIDENTIAL DECISION DIRECTIVE/NSC-63 (PDD-63 1998 г., Hspd-8 2003 г.).
- H.R.145 - 100th Congress (1987-1988).
- NSDD 145 - National Security Decision Directive.
- 10450 - Security requirements for government employees.
- 10501 - Safeguarding official information in the interests of the defense of the United States.
- 10865 - Safeguarding classified information within industry.
- 12829 - National industrial security program.
- 12968 - Access to classified information.
USA Standards
- Encryption - Data Encryption Standard (DES) - FIPS 46-3.
- Encryption - DES Modes of Operation - FIPS 81.
- Encryption - Advanced Encryption Standard (AES) - FIPS 197 (with keys sizes of 128 and 256 bits).
- Hashing - Advanced Encryption Standard (AES) - FIPS 197 (with keys sizes of 128 and 256 bits).
- Guidelines on Electronic - Advanced Encryption Standard (AES) - FIPS 197 (with keys sizes of 128 and 256 bits).
Rules For The Protection Personal Data
- Privacy Act of 1974 - Privacy Act of 1974.
- Privacy Act of 1980 - Privacy Protection Act of 1980.
- Directive 95/46/EC - Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.
- DProtection - Data Protection of personal data in the European Union.
- Directive 95/46/EC - Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.
- Safeguarding privacy in a connected world - A Europe Data Protection Framework for the 21 century.
- General Data Protection Regulation - (EU) 2016/679 ("GDPR").
Relationship To Other NIST Documents
- NIST SP 800-60, (Guide for Mapping Types of Information and Information Systems to Security Categories) provides guidance for establishing the security categorization for a system’s confidentiality. This categorization will impact the level of assurance an organization should require in making sanitization decisions.
- FIPS 200, (Minimum Security Requirements for Federal Information and Information Systems) sets a base of security requirements that requires organizations to have a media sanitization program.
- NIST SP 800-53, (Recommended Security Controls for Federal Information Systems) provides minimum recommended security controls, including sanitization, for Federal systems based on their overall system security categorization.
- NIST SP 800-53A, (Guide for Assessing the Security Controls in Federal Information Systems) provides guidance for assessing security controls, including sanitization, for federal systems based on their overall system security categorization.
Files and Folders Destruction Manager
FDM II