Different Compliance Standards for Data Destruction

Understanding and meeting compliance requirements is crucial for ensuring data protection. This is more than a regulatory necessity; it’s a fundamental pillar for safeguarding your most sensitive information.

In this article, we will unravel the significance of four key guidelines: NIST SP 800-88r1, IEEE 2883-2022, NSA/CSS – 9-12, and DIN 66399. We will explain what each one says, decode their implications, and shed light on the measures you will have to take to uphold data security levels. We will then cover the different sanitization methods and how they can be used for data deletion, and explore various options for storage media, including optical media and magnetic media data.

Compliant Data Protection

Compliance is the bedrock for establishing and maintaining robust security measures. If you want to safeguard sensitive information, it’s best to adhere to established standards, regulations, and guidelines. Let’s quickly explore why they can be so pivotal for ensuring effective data protection.

Legal and Regulatory Framework

Compliance with data protection laws and regulations (like the General Data Protection Regulation or GDPR, HIPAA, or CCPA) is crucial. These frameworks outline specific requirements for the collection, storage, and processing of personal and sensitive data. So, if you don’t adhere to these mandates, you can face severe penalties.

Data Lifecycle Management

Compliance standards provide guidelines for the entire data lifecycle—from creation and processing to storage and destruction. This holistic approach helps ensure that data is handled securely at every stage, reducing the likelihood of unauthorized access or inadvertent exposure.

Building Trust with Stakeholders

Adherence to compliance standards builds trust with customers, clients, and partners. Demonstrating a commitment to following recognized and respected guidelines can reassure stakeholders that their data is handled responsibly. This trust is invaluable for maintaining positive relationships and a reputable brand image.

Standardization of Best Practices

Compliance frameworks often include best practices for data protection, too. These best practices serve as a blueprint for organizations, offering standardized approaches to encryption, access controls, data classification, and other critical elements of cybersecurity.

Risk Mitigation

Most compliance frameworks also incorporate risk assessment and management components. For instance, a company adhering to a data protection standard may routinely assess potential vulnerabilities in its IT infrastructure, identify potential threats, and manage these risks to prevent data breaches. This proactive stance is essential for preventing data breaches and minimizing the impact of security incidents.

Adaptability to Evolving Threats

Compliance frameworks are also frequently updated to address emerging threats and technological advancements. By adhering to these evolving standards, your organization can stay ahead of cyber threats, implementing measures that are not only relevant today but also adaptable to future challenges.

International Business Considerations

As we live in an increasingly globalized world, compliance with international data protection standards is essential for organizations that want to conduct business across borders. Achieving and maintaining compliance facilitates smoother operations in diverse regulatory environments.

The Four Main Guidelines

As mentioned, four key guidelines relate to confidential data, data centers, and protection classes: NIST SP 800-88, IEEE 2883-2022, NSA/CSS – 9-12, and DIN 66399. So, let’s look at each of them in some detail.

NIST SP 800-88: Guidelines for Media Sanitization

NIST SP 800-88, officially titled Guidelines for Media Sanitization, is a publication by the National Institute of Standards and Technology (NIST) within the United States Department of Commerce. Released as a revision to the original NIST SP 800-88, this document outlines comprehensive guidelines for the secure and effective sanitization of media containing sensitive information.

NIST SP 800-88r1 is widely recognized and adopted, not only by the U.S. government but also by private-sector organizations globally.

Scope and Applicability

The guidelines cover a wide range of media types, including hard disk drives, solid-state drives, magnetic tapes, optical media, and more. The document is also designed to be applicable to various sectors, including government, healthcare, finance, and industry.

The NIST SP 800-88 guidelines include decision flowcharts to assist organizations in selecting the most appropriate sanitization method based on factors such as the sensitivity of the information, the type of media, and the risk of unauthorized access. Proper documentation of the sanitization process is also vital, including the recording of the method used, verification steps, and any exceptions or deviations from the standard process.

Categorization of Sanitization Methods

NIST SP 800-88 categorizes sanitization methods into three levels based on the effectiveness of the technique and the nature of the information being protected. These levels are Clear, Purge, and Destroy.

  1. Clear: This applies to media where protection against non-invasive data recovery methods is required. This involves overwriting the data using standard software or hardware methods.
  2. Purge: Appropriate for protecting against laboratory attack methods. Purge involves making the data recovery impractical using advanced techniques, such as degaussing (magnetic erasing) or physical destruction of the media. In this context, the MediaVise Dual Sanitizer proves highly effective. This innovative solution degausses an HDD (wiping the data) and then crushes it with 20 tons of force for irrecoverable destruction. 
  3. Destroy: Reserved for situations where the data must be rendered essentially unrecoverable. This may involve physical destruction, such as shredding or disintegration. The MediaDice All Media Disintegrator A10 is perfect for this standard as it shreds any media type down to a 10mm x 10mm particle size.

IEEE 2883-2022: Standard for the Secure Deletion of Electronic Storage Media

The IEEE Standard for Sanitizing Storage (or IEEE 2883-2022) focuses on guidelines for erasing data stored in media. In other words, it delineates procedures for sanitizing both logical and physical storage, offering technology-specific requirements and guidance for the obliteration of recorded data.

This standard was developed after the National Institute of Standards and Technology issued NIST Special Publication 800-88, Rev. 1, “Guidelines for Media Sanitization,” in 2014 (which we covered above).

Scope and Applicability

NIST SP 800-88 remains a widely used standard across the world. However, IEEE 2883-2022 can be seen as a necessary continuation: it aims to fill in the gap left since the NIST standards were last revised. For example, it includes guidelines for sanitizing (or removing data from) SCSI, SATA, and NVMe drives, as well as new capabilities like resetting write pointers, clearing NVMe buffers, or restoring depopulated elements.

Categorization of Sanitization Methods

IEEE 2883-2022 contains clear language and instructions by type of sanitization used. For example, it explains whether degaussers or shredders can achieve Clear, Purge, or Destruct-level sanitization effectively.

Similarly to NIST, IEEE 2883-2022 defines three sanitization categories: Clear, Purge, and Destruct.

  1. Clear: Non-intrusive data erasure via software. This method uses logical techniques to erase all data from user-accessible storage locations. Clear sanitization is widely supported by most devices. However, this is not a secure data destruction practice, as data forensics can recover cleared data. That is why we recommend physically destroying data instead.
  2. Purge: Employing either logical or physical methods, Purge ensures complete data removal, making it practically impossible for even a specialist using advanced laboratory techniques to recover data. Though data recovery becomes unfeasible, the storage media and device remain reusable. An example of a method compliant with NIST (National Institute of Standards and Technology) guidelines for data purging is the use of secure erasure software that meets the NIST Special Publication 800-88 standards.
  3. Destruct: This category involves techniques like disintegration or incineration, rendering devices unusable after the process. Again, the MediaDice All Media Disintegrator A10 is perfect for this standard as it shreds any media type down to a 10mm x 10mm particle size. With such a small particle size as the final product, the devices are unusable after the process.

NSA/CSS – 9-12: Storage Device Declassification Manual

This standard includes guidance for the sanitization of storage devices for recycling or disposal. The information they contain can be at the TOP SECRET or UNCLASSIFIED data security level and may or may not include sensitive, compartmented, or limited-distribution material.

NSA/CSS – 9-12 also provides instructions for obtaining NSA/CSS Evaluated Product Lists (and lists of hard disk drive crushers that meet the specifications).

Procedures

The NSA/CSS – 9-12 manual includes procedures for magnetic storage devices, optical storage devices, solid-state storage devices, and hard copy storage devices. For example, let’s see what the guidelines say for different types of media.

Magnetic Storage Devices

  • You can sanitize magnetic data media such as magnetic tapes using NSA/CSS-evaluated degaussers (like the MediaVise Dual Sanitizer). You can sanitize hard disk drives using an automatic degausser, or a degaussing wand.
  • You can declassify magnetic tapes, hard drives, and diskettes only after they have been correctly verified.

Optical Storage Devices

  • You can sanitize optical media like compact disks (CDs), Blu-Ray disks (BDs), and Digital Versatile Disks (DVDs) using disintegration, embossing or knurling, grinding, incineration, or shredding. For example, you can use the MediaVise HDD Destroyer or the MediaVise SSD Destroyer, which crush optical storage devices beyond recovery.
  • You can declassify optical media only after approved verification and review.

Solid State Storage Devices

  • You can destroy solid-state devices using an approved disintegrator, shredder or cutter. There are specific requirements for strip shredders as well as instructions for cutting. For example, the MediaVise High Thru-Put SSD Destroyer shreds SSDs down to a 5mm x 5mm particle size.
  • You can declassify solid-state media only after verification and review.

DIN 66399: Data Destruction Standards from the German Institute for Standardization

DIN 66399 is a set of data destruction standards established by the German Institute for Standardization, known as Deutsches Institut für Normung (DIN). These standards provide guidelines and requirements for the secure destruction of information stored on various media (including but not restricted to electronic data media) to protect sensitive data from unauthorized access or disclosure.

Scope and Applicability

The scope of DIN 66399 extends across various types of media, including paper documents and electronic storage devices. This standard is designed to be adaptable and applicable to a broad range of organizations, too, ensuring that data destruction practices align with the sensitivity of the information being handled.

DIN 66399 is particularly relevant for entities that deal with classified or sensitive data, such as government agencies, financial institutions, healthcare organizations, and any other entities that process confidential information. The applicability of DIN 66399 extends to both physical and electronic forms of data storage, addressing the evolving challenges posed by technological advancements in information storage.

Categorization of Sanitization Methods

These guidelines introduce a systematic approach to data destruction by categorizing sanitization methods based on the sensitivity of the information. The standard typically includes the following key categories:

  1. Basisstufe (Basic Protection Class): This class is associated with lower-security data and involves basic destruction methods suitable for less sensitive information. Mechanical destruction or shredding (like that provided by the MediaVise Compact HDD Destroyer) might be appropriate at this level.
  2. Normalstufe (Standard Protection Class): Standard Protection Class is designed for data of moderate sensitivity. The sanitization methods at this level are more comprehensive and may involve advanced shredding techniques, incineration, or other secure methods.
  3. Hochstufe (High Protection Class): The High Protection Class is reserved for highly sensitive information. The methods in this category are the most stringent and are classified based on particle size depending on the material classification. The DIN 66399 standard, for instance, specifies that HDDs must be destroyed down to a particle size of 5mm x 5mm (referred to as H7). Meanwhile, electronic media like SSDs are required to be shredded down to a particle size of 1mm x 1mm. A product that can help you deal with this is the MediaDice All Media Disintegrator A2, as it is the only machine on the market that can shred electronic media down to a 2mm x 2mm particle size.

 

Is Deleting Data Not Enough?

Deleting data is never enough. Destruction is the only way to ensure your data is unrecoverable. Adhering to these destruction standards ensures your data doesn’t end up in the wrong hands.

This is because when data is deleted from a storage device, traces of that data may still exist in the form of residuals. Skilled individuals with the right tools may attempt to recover deleted data, especially using specialized recovery software. Simple deletion often does not securely overwrite the data.
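The behaviour described above, together with the Clear overwrite and the record-keeping mentioned under NIST SP 800-88, shown as an added example that is not part of the original article: a constructed in-memory disk image where deletion removes only the directory entry, followed by a Clear-style overwrite with read-back verification. `ToyDisk`, the record field names and the sample data are assumptions made for illustration.

```python
BLOCK = 512  # block size of the constructed image, in bytes

class ToyDisk:
    """Constructed model: a raw byte image plus a directory of name -> (start, length).
    Hypothetical teaching structure, not a real filesystem or device."""

    def __init__(self, blocks=32):
        self.image = bytearray(blocks * BLOCK)
        self.directory = {}
        self.next_block = 0

    def write_file(self, name, data):
        start = self.next_block * BLOCK
        if start + len(data) > len(self.image):
            raise ValueError("image full")
        self.image[start:start + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_block += -(-len(data) // BLOCK)  # ceiling division

    def delete_file(self, name):
        # Ordinary deletion: only the directory entry goes, the bytes stay.
        del self.directory[name]

    def clear(self, pattern=0x00):
        # Clear-style overwrite of every user-addressable block.
        self.image[:] = bytes([pattern]) * len(self.image)

def residual_blocks(disk, marker):
    """Return the block numbers where `marker` still appears in the raw image."""
    hits, pos = set(), disk.image.find(marker)
    while pos != -1:
        hits.add(pos // BLOCK)
        pos = disk.image.find(marker, pos + 1)
    return sorted(hits)

def verify_overwrite(disk, pattern=0x00):
    """Full read-back: count blocks that do not hold the expected pattern."""
    expected = bytes([pattern]) * BLOCK
    offsets = range(0, len(disk.image), BLOCK)
    return sum(1 for off in offsets if disk.image[off:off + BLOCK] != expected)

def sanitize_and_record(disk, media_id, pattern=0x00):
    """Overwrite, verify, and return a record (field names are assumptions)."""
    disk.clear(pattern)
    bad = verify_overwrite(disk, pattern)
    return {
        "media_id": media_id,
        "method": "Clear (single-pass overwrite)",
        "pattern": f"0x{pattern:02x}",
        "verification": "full read-back",
        "blocks_failed": bad,
        "exceptions": [] if bad == 0 else [f"{bad} blocks failed verification"],
    }

def demo():
    disk = ToyDisk()
    secret = b"ACCT-0000-CONSTRUCTED-SAMPLE"  # constructed sample data
    disk.write_file("notes.txt", b"x" * 700)
    disk.write_file("customers.csv", secret * 30)
    disk.delete_file("customers.csv")
    after_delete = residual_blocks(disk, secret)   # file is gone from the directory
    record = sanitize_and_record(disk, media_id="TOY-IMAGE-01")
    after_clear = residual_blocks(disk, secret)
    return after_delete, after_clear, record
```

The model overwrites only addressable blocks, which is the scope the article gives for Clear; it does not represent Purge or Destroy.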

The adequacy of data erasure as a compliance measure depends on several factors, including the nature of the data, the applicable regulatory requirements, and the sensitivity of the information being handled. In sensitive environments, relying solely on deletion poses security risks. So, legal and contractual agreements often dictate the specific methods of data destruction that organizations must adhere to.

Shredding, Degaussing, and Disintegration

Secure shredding, degaussing, and disintegration are three excellent methods that can be employed for the secure destruction of sensitive data stored on various media. Each method has its own set of advantages, but they can all be used to comply with data protection regulations. So, let’s see how each works and whether the guidelines we have covered above recommend them, too.

Shredding and Disintegrating

Shredding is a method that involves physically cutting or tearing storage media, such as paper documents or optical discs, into small, irreparable pieces. In the context of electronic devices, it refers specifically to the destruction of hard drives and other storage media using specialized shredding equipment.

For electronic devices, specially designed shredders may use blades or crushers to physically destroy hard drives and other storage media. The process involves the use of precision blades or crushers that are specifically engineered to handle the unique characteristics of electronic devices.

Secure shredding has the following main advantages:

  • Irreversibility: Shredding physically destroys storage media, rendering data irrecoverable.
  • Versatility: Applicable to a wide range of media, including paper documents, optical media, and certain electronic devices.
  • Compliance: Meets stringent regulatory requirements for data destruction, ensuring adherence to data protection laws.
  • Environmental Considerations: Many secure shredding services responsibly handle and recycle shredded materials, aligning with sustainable practices.

Disintegration physically breaks down storage media into small particles or fragments. This process ensures that the data is rendered practically irrecoverable, providing a high level of security.

Specialized disintegration equipment is used to break down the media (such as hard drives or optical discs), which is typically subjected to mechanical forces that crush or break it into tiny pieces. The resulting particles are often small enough to prevent data recovery.

Disintegration has the following main advantages:

  • Physical Destruction: Disintegration physically breaks down storage media into small particles, making data recovery practically impossible.
  • High-Security Level: Offers a high level of security, suitable for extremely sensitive information.
  • Media Types: Applicable to a variety of media, including hard drives, optical discs, and other electronic storage devices.
  • Reduced Environmental Impact: Some disintegration methods focus on environmentally responsible disposal, promoting sustainability.

Shredding and Standardizations of Compliance

NIST SP 800-88r1 categorizes shredding as a “Destruction” method. It provides guidance on the secure destruction of media through physical means, and shredding is considered a suitable method, especially for hard-copy media like paper documents.

While there might not be specific information on shredding in IEEE 2883-2022, the standard typically covers secure deletion methods. So, shredding aligns with the concept of secure destruction as a physical means of rendering data irrecoverable.

NSA/CSS – 9-12, being a storage device declassification manual, may not explicitly mention shredding, but it emphasizes the need for effective and irreversible methods. Shredding, in this context, would align with the principles of irreversible destruction.

Lastly, DIN 66399 provides categorization based on security levels, and shredding is likely categorized under the “Hochstufe” (High Protection Class) for highly sensitive information. The standard specifies particle size categories ranging from P-1 to P-7, with P-7 representing the smallest particle size for the highest level of security (as we have covered, the MediaDice All Media Disintegrator A2 is a good option for this requirement).

Disintegration and Standardizations of Compliance

NIST SP 800-88r1 categorizes disintegration as a “Destruction” method, specifying that it involves mechanical processes to render the media unusable. Disintegration is suitable for both physical and electronic media.

IEEE 2883-2022 may not explicitly mention disintegration, but it encompasses the concept of secure deletion. Disintegration aligns with the idea of irreversible destruction, especially for physical media.

NSA/CSS – 9-12 may not explicitly detail disintegration, but it emphasizes the need for effective and irreversible methods. Disintegration, as a mechanical process, would align with this requirement.

DIN 66399 includes disintegration as a method, especially for highly sensitive information (Hochstufe). It involves physically breaking down media, making it suitable for a range of storage devices.

Degaussing

Degaussing is a method that erases data from magnetic media by exposing it to a strong magnetic field. This process neutralizes the magnetic charge on the storage media, rendering the existing data unreadable and irrecoverable. As such, it’s only suitable for erasing data from magnetic storage media.

The process is pretty straightforward: Devices called degaussers generate a powerful magnetic field. Magnetic media, such as hard drives or magnetic tapes, are exposed to this field. Lastly, the magnetic charge on the media is randomized, effectively erasing the stored data.

Degaussing has the following main advantages:

  • Magnetic Media Erasure: Effectively erases data from magnetic media, including hard disk drives and magnetic tapes.
  • Quick and Efficient: Degaussing is often a swift process, making it suitable for bulk data destruction.
  • Reusable Media: Degaussed media can be reused after erasure, reducing electronic waste.
  • Compliance: Aligns with data protection regulations requiring the secure disposal of sensitive information.

Degaussing and Standardizations of Compliance

NIST SP 800-88r1 recognizes degaussing as a method for purging magnetic media. It provides specifications on how degaussing should be performed to ensure the irreversible destruction of data stored on magnetic storage media.

IEEE 2883-2022 might cover standards for the secure deletion of electronic storage media, but it may not specifically address degaussing. However, degaussing aligns with the general principle of rendering data irrecoverable through secure deletion methods.

NSA/CSS – 9-12 may acknowledge degaussing as an effective means of purging classified information from magnetic storage devices. Degaussing is particularly relevant for devices storing sensitive data magnetically.

DIN 66399 likely includes degaussing as a method suitable for magnetic media, aligning with the specific requirements of each Schutzklasse (protection class) based on the sensitivity of the data.

Crushing

While manual crushing may be a common approach, especially for individuals at home or in small companies with limited resources, it’s important to consider compliance standards to ensure effective data destruction. When it comes to compliance, adherence to recognized standards is crucial for maintaining the security and confidentiality of sensitive information.

In other words, manual crushing methods, such as using physical force or tools to destroy storage media, may lack the precision and consistency required to meet stringent compliance standards. This is because compliance regulations often specify not only the destruction method but also criteria such as particle size, ensuring that the data is irreversibly rendered unreadable and unrecoverable.

Conclusion

Compliance can help ensure effective data protection. It serves as a guiding framework that aligns organizational practices with industry and legal standards, promoting a culture of security, accountability, and trust.

If you want to make sure your business or organization abides by the guidelines we have covered in this article, you will need to use certified machines specifically designed to make data irretrievable – no matter the media. This is where Phiston Technologies can help.

Phiston Technologies is the world leader in end-of-life media destruction. Explore our full range of products or contact us today to find out more about our services.

Terminology Guide

  • Data erasure: The systematic and secure process of permanently removing data from electronic storage media, making it unrecoverable by standard means.
  • Degaussing: The process of using a strong magnetic field to erase data stored on magnetic media, rendering it unreadable and unrecoverable.
  • Media sanitization: The process of removing data from storage media to prevent unauthorized access or disclosure, especially when the media is no longer needed.

  • Physical destruction: The process of physically rendering storage media unusable, often through methods like shredding, disintegration, or incineration.
