This guidance is suitable for any organisation wishing to ensure that their data held on storage media can not be read by unauthorised parties after it has left organisational control.
What is sanitisation?
Any data which is sensitive to your business should be removed from the media which stored it; just hitting ‘Delete’ isn’t enough.
Sanitisation is the process of treating data held on storage media to reduce the likelihood of retrieval and reconstruction to an acceptable level. Some forms of sanitisation will allow you to re-use the media, while others are destructive in nature and render the media unusable.
When should I think about sanitising media?
There are a number of circumstances in which you’ll want to sanitise storage media:
- Re-use: When you want to allocate a device to a different user or repurpose some equipment within your organisation. You may also want to re-sell unwanted equipment so that it can be re-used elsewhere.
- Repair: You may need to return a faulty device to the vendor for repair or replacement.
- Disposal: You may wish to sanitise unwanted media before it is passed outside of your organisation — especially if you have limited confidence in the third party you have contracted to dispose of it on your behalf.
- Destruction: You may have the means to destroy some media on your own site, or you may wish to send your media off site for destruction.
In all cases, the media will be outside its normal operating environment and is therefore subject to greater risk — from a different set of users, from third parties, or from less trusted organisations and individuals.
The risks of not sanitising
If data bearing surfaces are not treated properly, sensitive data may remain. This could result in the following problems for your business:
- unknown whereabouts of sensitive data
- loss of control over your information assets
- critical data could be recovered and used by adversaries or competitors
- private or personal data about your customers or staff could be used to commit fraud or identity theft
- your intellectual property could be recovered and published openly, leading to loss of reputation and revenue
Lost or stolen equipment
While this isn’t strictly a sanitisation issue, there are technical safeguards you can use to manage the impact of loss or theft of devices containing sensitive information.
One such technique is encryption. When data is stored in encrypted form, it is safe from all but the most sophisticated threats. It is therefore important to have data at rest encryption enabled on laptops, smartphones and other mobile computing devices that are at greatest risk of loss or theft.
Sanitisation facts
- Photocopiers and printers can contain vast amounts of corporate data in their internal memory. There have been cases where gigabytes of sensitive documents were retrieved from decommissioned photocopiers by interrogating internal memory, using legal and affordable tools.
- Some monitors can contain mercury, which must be dismantled by licensed companies. A wider range of disposal options are therefore available when using monitors which do not contain mercury.
- Some commercial and municipal incinerators can have cold spots inside, and data bearing surfaces can be inadvertently protected from heat by their casings. Assure yourself that any incineration facilities you use can explain how they prevent against a failure to properly incinerate data bearing surfaces.
- Mobile destruction services exist which can visit your site and destroy your equipment in situ, thus reducing the risks of transportation and the uncertainty around how your data is handled outside organisational boundaries. Many such companies will provide itemised destruction certificates to aid with asset management.
- Solid-state disks (SSDs), such as those found in high-end laptops, are expensive and may only be worth the additional cost in some use cases. If you’re looking for a small form factor device that uses less power and is less susceptible to damage from mechanical shock, then an SSD is a good option. If, however, you don’t have these requirements then a hard disk drive (HDD) presents a more affordable option that will probably last longer and is easier to sanitise.
Managing your storage media risks
In order to best manage the risks associated with sensitive data held on storage media, you should:
- understand your data and its potential value outside your organisation
- understand the cost of sanitisation and add it to your procurement costs. Set aside some budget to address sanitisation.
- have a re-use and disposals policy in place, with key roles understood by everyone in your business
- know what technologies you are using
- retain the manufacturer manuals so you know how to sanitise your media when you need to
- record the lifecycle of your storage media (what is it being used to store, where, and for how long?)
- use trusted third parties and hold them to recognised standards
- obtain destruction certificates from third party destruction services
- ensure destruction processes and equipment are periodically tested
- verify that your data is being sanitised appropriately
- before disposal, remove all labels or markings that indicate ownership of the device (or the nature of the data contained)
Factors to guide your disposal policy
The following cost and risk considerations should be used to help inform your policy regarding the disposal of storage media:
- Consider your obligations to comply with environmental policy (for example WEEE).
- Research the availability of disposals companies, their services and their pricing schemes. Which services are they using? What is happening to your kit when it leaves your organisation?
- Consider the geographic distance; if your suppliers’ vans have to make stops en route, risks are introduced which must be managed (for example using the ‘two person rule’).
- Do your staff have the skills to dismantle some equipment onsite or to perform sanitisation on some types of equipment?
- How do you plan to get the most out of equipment during its useful life? For example, could expensive smartphones be reset and re-used within your business until they reach the end of their useful lives?
- Are there policy constraints around the donation or re-sale of certain equipment?
- How much physical storage space do you have to store end-of-life equipment, and what are the security arrangements around storage?
- How long do you need to store end-of-life equipment before accumulating a volume which is economically viable to dispose of?
- Do you have any data in the cloud? You should always seek assurance from cloud providers that your data will continue to be adequately protected from unauthorised users after a contract expires (that is, until remnants of the data are eventually overwritten).
Storage media technologies
To help your sanitisation planning, with the above considerations, we list all the major storage technologies below. We include this information simply as an aid to your thinking; you may wish to adapt to ensure your approach is suitable for the situation in your particular organisation.
a. No storage media/no data
This is equipment which has been used for operational purposes, but which does not contain any storage media.
Provided any labelling has been removed, it can be discarded with no further security considerations. It could therefore be donated, re-sold, scrapped or recycled, as necessary. Such equipment may include:
- power supply units
- transformers
- fans
- racks
- hard disk casings
- headphones
- keyboards
- mice
- antennae
- media converters (eg copper fibre)
b. Monitors and TVs
Such devices tend to contain minimal on-board storage (eg memory for buffering data), which can be sanitised easily by flushing the components through with non-sensitive data (for example, by ensuring non-sensitive data is displayed on the screen for a few minutes before powering off).
You may wish to check screens for ‘burn-in’ when decommissioning them, as any sensitive information burnt into the screen will still be legible. However, if there is no burn-in and the device has not yet reached the end of its useful life, it can be safely re-sold or donated locally once basic sanitisation procedures have been performed.
Be aware of your obligations to environmental legislation when disposing of monitors which contain mercury. Some monitors do not contain mercury, in which case those obligations are not applicable and a broader range of destruction options become available. Beyond environmental concerns, we provide no specific guidance around destruction, though care should be taken to remove any detachable media from ports (such as USB memory sticks) before disposal.
c. Office equipment, including laptops
This group covers equipment which contains several different types of data storage, but which is seldom economically viable to dismantle completely.
Note such equipment is likely to contain hard disk drives (HDDs) and solid-state disks (SSDs). Such removable storage media should be removed and handled separately.
All other components would likely stay on board the device and be subject to basic ‘re-provisioning’ (such as using a manufacturer reset) before being re-sold, loaned, donated or bulk-destroyed. Such equipment includes:
- laptops
- PCs
- cameras
- printers
- plotters
- scanners
- photocopiers
- fax machines
- telephones (both cordless and wired)
Reset techniques vary in rigour across manufacturers, so it is important to know what you purchased, and how well it can be sanitised after use. Building these considerations into procurement decisions will maximise the range of options at end-of-life.
d. Servers and other bulky data centre items
These items are usually found in machine rooms and computer halls and they include various networking IT, such as:
- servers
- routers
- receivers
- switches
- bridges
If you’re planning to re-use such devices, note they may contain encryption keys or certificates. These should be removed or revoked before re-use to render any residual business data unreadable. Performing a manufacturer’s reset is advisable, though note that reset techniques vary in rigour between manufacturers. You should ensure that potentially sensitive information such as roll-back configurations are removed by the reset function.
Since items in this group can often be bulky, their metal chassis can be scrapped/recycled to recover cost. If so, you will want to remove storage components manually for separate disposal. This may require some in-house expertise. The non-sensitive materials (such as chassis and casings) can then be disposed of locally through a scrap metal merchant, thus reducing any costs associated with the destruction and/or transportation of remaining components.
If you do not have in-house expertise available to perform any such dismantling, bear in mind that destroying in bulk may be expensive and may not adequately treat small data bearing surfaces which contain potentially large volumes of your data (and which should be destroyed to particles no larger than 6 mm).
e. Printed circuitry
Printed circuitry can be found in many devices including inside laptops, servers, media converters, network adaptors and graphics cards.
Whether these items are removed from their parent devices, discovered in a cupboard (with no obvious parent device), or procured as separate components, you will need some confidence in their safe disposal. Some components may have persistent memory (such as flash chips with high data capacity), while many will have only transient memory on board (RAM).
None of these items are likely to be re-used and all should be destroyed to fragments no larger than 6 mm. The principal aim is to ensure the silicon die in the chip’s package is broken into two or more pieces. A range of reputable products and services exist to satisfy this requirement.
f. Cheap, small, single purpose, easy to destroy media
This group contains a large range of different equipment types, all of which are lightweight and easy to destroy in-house. They include:
- DVDs
- CDs
- BluRay discs
- smartcards
- swipe & PIN cards
- chip & PIN cards
- ID cards
Some equipment in this group is very easy to attribute to the organisation to which it belongs and may contain personal data, such as ID cards. Therefore you should consider disposing of some of these items in-house without relying on third parties. This is not difficult to do; items could typically be destroyed using an affordable destruction device such as an office shredder or disintegrator. In the case of optical disk, fragments no larger than 6 mm are generally recommended.
g. Hard disk drives (HDDs)
HDDs are designed to be removed from their parent devices, and should always be treated separately because of the large volumes of data present on them.
You must identify whether a HDD contains solid-state components (such as hybrid drives) or is in fact not a HDD at all; it might be an SSD such as that found in high-end laptops and servers. Knowing what you’ve bought, keeping the manufacturers’ specifications to hand, and having some in-house expertise to make the right judgment calls are all important.
Assured data erasure products exist for HDDs (see our list of certified data erasure products), and can be used to enable extensive re-use within your business during an HDD’s lifespan.
HDDs can contain vast quantities of corporate data and as such are highly attractive to anyone wishing to disrupt or embarrass your business. Degaussing* of magnetic media should therefore be considered prior to physical destruction. As with other magnetic media technologies, degaussing considerably reduces the risk of data recovery if devices fall into the wrong hands during transportation. So, degaussing can also deliver flexibility around storage and transportation options — potentially saving on costs.
Ultimately, HDDs which have held sensitive information should be degaussed and then have their platters broken into at least four roughly equal-sized pieces.
Degaussing uses a strong magnetic field to remove data from magnetic storage devices. It is generally a destructive technique in that renders most types of magnetic memory unusable afterwards, with the exception of some types of magnetic tape. It can only be used with magnetic storage devices and is not suitable for any other technology.
Degaussing is not generally used as the sole destruction method. This is because it is impractical to verify that every device has been degaussed successfully. Also, there is still a reputational risk associated with disposing of devices which appear intact and do not indicate any attempts to destroy them.
That said, if implemented correctly, degaussing is an extremely robust technique of data sanitisation and may be considered an effective destruction procedure in itself. However, this depends upon having full confidence in your degaussing process. At worst, degaussing provides the opportunity to use less stringent physical destruction procedures than would otherwise be necessary, and may allow owners to store and transport devices in a less secure manner than would otherwise be required.
Data on all types of magnetic media can be erased using a degausser, provided the degausser:
- exerts a strong enough magnetic field (we recommend you compare the magnetic fields generated by the degausser with the stated coercivity of the tapes)
- is working properly
- is operated according to the manufacturer’s procedures
h. Other magnetic media technologies
Other types of magnetic media technologies include:
- magnetic tape cartridges
- floppy disks
- cassettes
- DAT
- VHS tapes
- LTO
- DV cassettes
- reel-to-reel tapes
Such media can store very large quantities of data and can often feature in stockpiling problems.
Cartridge tapes are typically used to archive data and may therefore contain not only large quantities of data but also data on a broad range of topics (due to ‘striping’, the way which most backup software functions). They are therefore attractive to adversaries and, because of their flimsy form factor, are often overlooked by system owners as being high risk.
These media should also be degaussed*.
i. Solid-state disk (SSD) and hybrid drives (HDD+SSD)
Solid-state disk (SSD) is used instead of magnetic HDD in high-end laptops, PCs and some high capacity data centre storage equipment. SSDs can store very large amounts of user data and cannot be overwritten with the same degree of assurance as an HDD. It is also much more expensive than HDD. However, where SSD is necessary, it is naturally important to get the most out of it during its life.
It is important to use encryption so that the problem of partial erasure does not incur exorbitant cost or unacceptable risks at end-of-life. Encryption is also important when considering re-use across your estates, since removing the key will render the content of the SSD unreadable (assuming contemporary industry-standard encryption is used), thus allowing for re-use in different (or less secure) environments.
Sanitising solid-state memory
Solid-state/flash memory is difficult to sanitise to the same degree as magnetic memory. There is no single data erasure product on the market which caters for all brands. Each manufacturer builds solid-state memory in a different way, embedding software into the chip which controls the mapping of logical addresses to physical addresses, and vice versa.
Algorithms vary between manufacturers, each attempting to optimise the speed with which data is written and read, and improving the lifespan of the memory by monitoring it for faulty blocks. At times, user data can be stored in parts of the chip not accessible to the user.
In cases where a manufacturer of a flash chip also provides a data erasure tool, sanitisation can be very effective. In other cases, it is impossible to assure yourself that all your data has been erased.
j. Other flash-based media
‘Other flash-based media’ includes all persistent solid-state storage technologies apart from SSD above. Examples include:
- USB thumb drives
- SD/microSD cards
- Flash chips (where not soldered to printed circuitry)
These are generally inexpensive and can be destroyed locally using an affordable office shredder or disintegrator designed to produce particles no greater than 6 mm. As with SSD, it is almost impossible to remove every bit of user data from these devices, so thorough destruction must take place at end-of-life to avoid residual data from posing a risk to your business.
As with all flash memory, the aim of destruction is to cut through the silicon die within the chip’s package to prevent it from being read by commonly available tools.
k. Smartphones, tablets and notebooks
Smartphones, tablets and notebooks contain solid-state storage as described above, the difference being that the drive cannot usually be removed. It is therefore economically prudent to make full use of such devices during their useful life, since it may not always be desirable to re-sell them outside your organisational boundaries.
Again, the use of encryption is important — the manufacturer’s reset achieves a high level of assurance that the data cannot be easily recovered. Through the use of the manufacturer’s reset, encryption keys are wiped and such devices can therefore be re-used multiple times throughout your business, until eventually being destroyed to a particles no greater than 6 mm.
Re-provisioning devices
Different smartphones and tablets (and the operating systems that run on them) have subtly different methods for re-provisioning. Some methods offer stronger assurance of sanitisation than others.
It is important to note that as long as encryption has been enabled from the outset, all manufacturer reset options will sanitise sensitive business data to a satisfactory level of assurance. If your data is especially sensitive, you may wish to reduce risk further by overwriting the entire user memory space with garbage data before invoking the manufacturer reset.
More information
For more detailed information see:
Source: NCSC
