If you are dealing with used mobile devices, you may have heard of data erasure standards like DoD (the U.S. Department of Defense), NIST (National Institute of Standards and Technology), ADISA (Asset Disposal & Information Security Alliance) and R1-R2. Are you following the right wiping standard?
The “DoD standard” was issued by the National Industrial Security Program (NISP). It is generally applicable in the United States and establishes the standard procedures and requirements for all the US federal Executive Branch Departments and Agencies and all government contractors located within the United States and its territories who deal with classified information. The current version of the standard DoD 5220.22-M “National Industry Security Program Operating Manual (NISPOM)1 covers the entire field of government–industrial security.
In 2014, the DoD decided to use NIST’s RMF standards requiring a combination of wiping following NIST SP 800-88 guideline and physical destruction. In a DoD Instruction memo (8510.01)2 The Department of Defence approves for the first time this standard for civilian media sanitisation.
NIST Special Publication 800-88 “Guidelines for Media Sanitization”3 was published in 2006 by the National Institute of Standards and Technology (NIST) to protect the privacy of organisations and citizens of the US. The current update was issued in 2012, and it promotes guidelines for sanitising electronic media by overwriting, secure erasure, and physical destruction methods for all industries. Over the past few years, NIST SP 800-88 has replaced the DoD standard becoming the dominant data wiping standard for the US.
According to the NIST SP 800-88, there are three of the most common methods of media sanitization devices such as cell phones:
Clearing is the process of overwriting with non-sensitive data the logical storage location of a file and all addressable locations by using software or hardware products. Written data are replaced with random data and verified. This method cannot be used for damaged or not rewriteable media. Clearing would protect the confidentiality of information against a robust keyboard attack.
Purging protects the confidentiality of information against a laboratory attack. The magnetic field generated by a degausser removes the data from the device with the verification after. Degaussing an effective method for purging damaged media or media with exceptional storage capacities. Typically, this type of media sanitising is considered the golden standard by the National Security Agency (NSA).
Destroying make it possible to destroy the media, so they will be able to withstand a laboratory attack. Recommended types for cell phone destruction are shred, disintegrate, pulverise and incinerate by burning cell phones in a licensed incinerator.
Certified NSYS Erasure methods support high standards of the industry regulations such as NIST SP 800-88 (Rev. 1) “Guidelines for Media Sanitization” and use Clear and Purge methods, also meets R2 standard to ensure the quality, transparency, and environmental and social responsibility of R2 certified electronics recycling facilities.
The ADISA Industry Standards apply to companies that participate in IT asset recovery, leasing, logistics, repair centre and the IT Asset Disposal Standard. The ADISA audit process includes unannounced operational audits and forensic audits. It accepts the highest industry standards and reflects current best practices for handling data-carrying assets.
NSYS Tools erasure methods have successfully passed testing attack using ADISA Product Claims Test Method v1.0 in 2018 and have received certification by ADISA confirming that NSYS Erasure software can be used to sanitise data against ADISA risk levels 1 and 2.
- National Industrial Security Program Operating Manual (NISPOM), February 2006, Incorporating Change 1 March 28, 2013
- Department of Defense Instruction 8510.01, March 12, 2014, Incorporating Change 1, Effective May 24, 2016
- NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization