Example: air traffic controller

Guidelines for Media Sanitization - NIST

NIST Special Publication 800-88. Revision 1. Guidelines for Media Sanitization Richard Kissel Andrew Regenscheid Matthew Scholl Kevin Stine This publication is available free of charge from: C O M P U T E R S E C U R I T Y. NIST Special Publication 800-88. Revision 1. Guidelines for Media Sanitization Richard Kissel Andrew Regenscheid Matthew Scholl Kevin Stine Computer Security Division Information Technology Laboratory This publication is available free of charge from: December 2014. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Management Act of 2002 (FISMA), 44 3541 et seq.

NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization. Executive Summary The modern storage environment is rapidly evolving. Data may pass through multiple

Tags:

  Media, Guidelines, Sanitization, Guidelines for media sanitization

Information

Domain:

Source:

Link to this page:

Please notify us if you found a problem with this document:

Other abuse

Transcription of Guidelines for Media Sanitization - NIST

1 NIST Special Publication 800-88. Revision 1. Guidelines for Media Sanitization Richard Kissel Andrew Regenscheid Matthew Scholl Kevin Stine This publication is available free of charge from: C O M P U T E R S E C U R I T Y. NIST Special Publication 800-88. Revision 1. Guidelines for Media Sanitization Richard Kissel Andrew Regenscheid Matthew Scholl Kevin Stine Computer Security Division Information Technology Laboratory This publication is available free of charge from: December 2014. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Management Act of 2002 (FISMA), 44 3541 et seq.

2 , Public Law 107-347. NIST is responsible for developing information security standards and Guidelines , including minimum requirements for Federal information systems, but such standards and Guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and Guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority.

3 Nor should these Guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST. National Institute of Standards and Technology Special Publication 800-88 Revision 1. Natl. Inst. Stand. Technol. Spec. Publ. 800-88 Revision 1, 64 pages (December 2014). CODEN: NSPUE2. This publication is available free of charge from: Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.

4 Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, Guidelines , and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST.

5 Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at Comments on this publication may be submitted to: National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930. Email: ii Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure.

6 ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and Guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems. The Special Publication 800-series reports on ITL's research, Guidelines , and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations. Abstract Media Sanitization refers to a process that renders access to target data on the Media infeasible for a given level of effort.

7 This guide will assist organizations and system owners in making practical Sanitization decisions based on the categorization of confidentiality of their information. Keywords Media Sanitization ; ensuring confidentiality; Sanitization tools and methods; Media types; mobile devices with storage; crypto erase; secure erase Acknowledgements The authors would like to thank Steven Skolochenko and Xing Li for their contributions to the original version of this publication. The authors would also like to thank Jim Foti for his exceptional editing skills and thorough review of this document his work made this a much better document. Kudos to each of the individuals and organizations who provided comments on this revision. It is a more accurate and usable document due to their contributions.

8 Iii NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization Executive Summary The modern storage environment is rapidly evolving. Data may pass through multiple organizations, systems, and storage Media in its lifetime. The pervasive nature of data propagation is only increasing as the Internet and data storage systems move towards a distributed cloud-based architecture. As a result, more parties than ever are responsible for effectively sanitizing Media and the potential is substantial for sensitive data to be collected and retained on the Media . This responsibility is not limited to those organizations that are the originators or final resting places of sensitive data, but also intermediaries who transiently store or process the information along the way.

9 The efficient and effective management of information from inception through disposition is the responsibility of all those who have handled the data. The application of sophisticated access controls and encryption help reduce the likelihood that an attacker can gain direct access to sensitive information. As a result, parties attempting to obtain sensitive information may seek to focus their efforts on alternative access means such as retrieving residual data on Media that has left an organization without sufficient Sanitization effort having been applied. Consequently, the application of effective Sanitization techniques and tracking of storage Media are critical aspects of ensuring that sensitive data is effectively protected by an organization against unauthorized disclosure.

10 Protection of information is paramount. That information may be on paper, optical, electronic or magnetic Media . An organization may choose to dispose of Media by charitable donation, internal or external transfer, or by recycling it in accordance with applicable laws and regulations if the Media is obsolete or no longer usable. Even internal transfers require increased scrutiny, as legal and ethical obligations make it more important than ever to protect data such as Personally Identifiable Information (PII). No matter what the final intended destination of the Media is, it is important that the organization ensure that no easily re-constructible residual representation of the data is stored on the Media after it has left the control of the organization or is no longer going to be protected at the confidentiality categorization of the data stored on the Media .


Related search queries