From the NIST Standards
National Institute of Standards and Technology Description:
CSL BULLETIN
Advising users on computer systems technology
DISPOSITION OF SENSITIVE AUTOMATED INFORMATION
Sanitization means the removal of data from storage media so that, for all practical purposes, the data cannot be retrieved. Some instances in which sanitization must be considered include whenever media is transferred from one organization to another, when equipment is declared surplus, and when organizations dispose of media.
Sanitization: Why Be Concerned?
In the past, reports have surfaced that federal agencies have disposed of surplus information technology (IT) equipment without taking appropriate measures to erase the information stored on the system’s media. This can lead to the disclosure of sensitive information, embarrassment to the agency, costly investigations, and other consequences which could have been avoided.
Employees throw away old diskettes believing that “erasing” the files on the diskette has made the data unretrievable. In reality, however, “erasing” a file simply removes the “pointer” to that file. The pointer tells the computer where the file is physically stored on the disk. Without this pointer, the files will not appear on a directory listing of the diskette's files. This does not mean that the file was removed from the diskette. (Commonly available utility programs can often retrieve information that is presumed “deleted.”) Fortunately, with foresight and appropriate planning, these situations can be avoided.
Techniques for Media Sanitization
Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information. (Users of classified systems may also have to be concerned with data remanence. This refers to the residual information left behind once media has been in some way erased.) Security officers should be consulted for appropriate guidance.
Overwriting
Overwriting is an effective method of clearing data from magnetic media. As the name implies, overwriting utilizes a program to write (1s, 0s, or a combination of both) onto the location of the media where the file to be sanitized is located. The number of times that media is overwritten depends on the level of sensitivity of the information. Overwriting should not be confused with merely deleting the pointer to a file, as discussed above.
Degaussing
Degaussing is a method to magnetically erase data from magnetic media. Two types of degaussers exist: strong magnets and electric degaussers. Degaussers are tested by the Department of Defense; those which meet their requirements are placed on the Degausser Products List (DPL) of the National Security Agency’s (NSA) Information Systems Security Products and Services Catalogue.
Destruction
The final method of sanitization is destruction of the media. NCSC-TG-025 provides specifics on this method and its applicability. Shredding diskettes, after removing the outer protective casing, is also an option for unclassified media.
Employee Training and Awareness
Most employees who utilize IT systems also use, and in fact are often the custodians of, magnetic media. It is therefore important for agencies to give the issue of media sanitization appropriate attention in the agency computer security training and awareness program.
Employees should understand the following essential elements:
1. Media containing sensitive information should not be released without appropriate sanitization.
2. File deletion functions (e.g., the DEL command on MS-DOS) usually can be expected to remove only the pointer to a file (i.e., the file is often still recoverable).
3. When data is removed from storage media, every precaution should be taken to remove duplicate versions that may exist on the same or other storage media, back-up files, temporary files, hidden files, or extended memory.
4. Media in surplus equipment should be sanitized.
