Before ditching or donating that used computer, CD or other data-storage media, sensitive or personal information should be properly "sanitized," according to a new guide from the National Institute of Standards and Technology (NIST). Information systems store information using a wide variety of media, including "hard" copy, such as paper printouts and facsimile ribbons, and electronic media, including cell phones, CDs or DVDs, and hard drives. Even if stored data supposedly has been deleted, in many cases residual data can be retrieved and reconstructed.
The NIST guide, Guidelines for Media Sanitization (NIST Special Publication 800-88), provides information on techniques to remove data from a wide variety of media types and a decision matrix to determine which technique is best. The guide recommends that organizations first determine the confidentiality of the information and then decide how to dispose of the media.
The guide describes the three most common methods of sanitizing media:
- Clearing using software or hardware products to overwrite storage space on the media with non-sensitive data.
- Purging magnetic media through degaussing, exposure to a strong magnetic field to disrupt the magnetically encoded information.
- Destroying the media through a variety of methods ranging from shredding to melting and incineration.
The guide also recommends that organizations establish an information security governance structure, and describes the security responsibilities of everyone in the organization—from program managers and agency heads to users.
Guidelines for Media Sanitization is available at http://csrc.nist.gov/publications/nistpubs/index.html.