If you are dealing with used mobile devices, you may have heard of data erasure standards like DoD (the U.S. Department of Defense), NIST (National Institute of Standards and Technology), ADISA (Asset Disposal & Information Security Alliance), and R2. Are you following the right wiping standard? Let’s find out!
The DoD standard
The “DoD standard” was issued by the National Industrial Security Program (NISP). It is generally applicable in the United States and establishes the standard procedures and requirements for all US federal Executive Branch departments and agencies and for all government contractors who deal with classified information. The current version of the standard, DoD 5220.22-M “National Industrial Security Program Operating Manual (NISPOM)” [1], covers the entire field of government–industrial security.
In 2014, the DoD decided to use NIST’s RMF standards, which require a combination of wiping that follows the NIST SP 800-88 guideline and physical destruction. In a DoD Instruction memo (8510.01) [2], the Department of Defense approves this standard for the first time for civilian media sanitization.
The NIST standard
NIST Special Publication 800-88 “Guidelines for Media Sanitization” was published in 2006 by the National Institute of Standards and Technology (NIST) to protect the privacy of organizations and citizens of the US. The current update was issued in 2012. It provides guidelines for sanitizing data by overwriting, secure erasure, and physical destruction for all industries. Over the past few years, NIST SP 800-88 has replaced the DoD standard, becoming the dominant data wiping standard for the US.
According to NIST SP 800-88, the three most common methods of sanitizing media in devices such as cell phones are:
- Clearing is the process of overwriting the logical storage location of a file, and all addressable locations, with non-sensitive data by using software or hardware products. Written data is replaced with random data and verified. This method cannot be used for damaged or non-rewritable media. Clearing protects the confidentiality of information against a robust keyboard attack.
- Purging protects the confidentiality of information against a laboratory attack. Purge uses physical or logical techniques to provide a more thorough level of sanitization than Clear. This method is used for more confidential data. Typically, this type of media sanitizing is considered the gold standard by the National Security Agency (NSA).
- Destroying physically destroys the media so that the data cannot be recovered even by a laboratory attack. The recommended ways to destroy cell phones are to shred, disintegrate, pulverize, or incinerate them by burning in a licensed incinerator.
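The overwrite-and-verify step that Clear describes, as an added example (not NSYS code and not taken from NIST SP 800-88): it assumes a regular file stands in for the device's addressable storage, and the names `clear_and_verify` and `contains` are made up for this illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # bytes per write; constructed value for this example


def clear_and_verify(path, chunk=CHUNK):
    """Overwrite every byte of `path` with random data, then read it back.

    Returns True only if the size is unchanged and the read-back matches.
    """
    size = os.path.getsize(path)
    written = hashlib.sha256()
    # "r+b" rewrites in place without truncating, so every offset is covered.
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            block = os.urandom(min(chunk, remaining))
            f.write(block)
            written.update(block)
            remaining -= len(block)
        f.flush()
        os.fsync(f.fileno())  # push the overwrite to storage before verifying
    # Verification pass: stored bytes must equal the random stream just written.
    read_back = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            read_back.update(block)
    same_size = os.path.getsize(path) == size
    return same_size and read_back.digest() == written.digest()


def contains(path, needle, chunk=CHUNK):
    """Scan for `needle`, carrying an overlap so chunk-edge matches are found."""
    tail = b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            window = tail + block
            if needle in window:
                return True
            tail = window[-(len(needle) - 1):] if len(needle) > 1 else b""
    return False


if __name__ == "__main__":
    fd, image = tempfile.mkstemp()  # constructed sample "storage" image
    os.write(fd, b"A" * 5000 + b"PIN=1234;CONSTRUCTED-SAMPLE" + b"B" * 3000)
    os.close(fd)
    print("before:", contains(image, b"PIN=1234"))
    print("verified:", clear_and_verify(image))
    print("after:", contains(image, b"PIN=1234"))
    os.remove(image)
```

On flash storage, an overwrite issued through the file system may not reach remapped or spare blocks, which is one reason the device's built-in reset or a Purge-level method is used for phones.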
NS software invokes the inbuilt factory reset setting as per NIST 800-88 paragraph 4 (4.6), such that all user data is erased.
This solution wipes the data using the following methods:
- Apple iPhone and iPad (current generation and future iPhones and iPads) - method "Clear" and "Purge"
- Devices running the Google Android OS (connect to power before starting encryption) - method "Clear"
The NS software also meets the R2 standard, which ensures the quality of data erasure at electronics recycling facilities.
The ADISA Industry Standards apply to companies that participate in IT asset recovery and disposal, leasing, logistics, and repairs. The ADISA audit process includes unannounced operational audits and forensic audits. It adopts the highest industry standards and reflects current best practices for handling data-carrying assets.
NSYS Tools erasure methods successfully passed test attacks under the ADISA Product Claims Test Method v1.0 in 2018 and have received certification from ADISA confirming that NSYS Erasure software can be used to sanitize data against ADISA risk levels 1 and 2.
Want to implement our solution for data erasure? Contact us for more details.