HANDLING THE SANITIZING OF DIFFERENT MEDIA

Paper and microforms require specific destruction procedures. They must be secured in a locked area prior to removal for destruction. If an independent firm does the shredding and/or the burning, the firm must possess appropriate bonding and must be obligated contractually to follow an agreed upon procedure as to the destruction process. Follow-ing a recognized standard, such as NIST 800-88, ensures that all parties understand what needs to be done. The NIST standard recommends for paper using a cross-cut shredder that produces pieces 1 ×5 milli-meters in size. In the alternative, pulverizing the paper with a machine conforming to the National Security Agency (NSA) pulverizing stan-dard is also acceptable. Microforms should be burned and reduced to white ashes.

Handheld devices include cellular telephones and PDAs. The first step in sanitizing these devices for reuse is to manually delete all sensitive information. This means clearing out all the databases on the machine.

While this step can be tedious, it does ensure that no obvious data is available to the next user. Then, contacting the manufacturer is neces-sary to learn how to do a hard reset of the device back to its factory set-tings. With today’s Web available, most manufacturers have online the user manuals for their electronic products. If you cannot locate the

printed user manual, then consult the one online to obtain the details on the hard reset procedure. Destruction of the device includes the options of pulverizing, shredding, crushing or disintegrating, or incineration.

Networking devices such as routers require a manufacturer’s hard reset to factory default settings to erase all rules and routing tables.

Again, the Web serves as resource for locating user manuals and man-ufacturer’s instructions. The destruction of these devices involves the same options as for handheld devices, which shall be known as the

“standard options” for the remainder of this chapter. One may question the level of sensitivity for screening rules and routing tables. Any infor-mation on how your network functions can be very valuable to an at-tacker trying to penetrate the network’s perimeter. For a “document” is anything relied upon for information or understanding. A screening router can be a “document’ of great import in knowledgeable hands, so treat it with the sensitivity that it deserves prior to reuse or when plac-ing it in unknown hands.

Equipment, such as copy machines and fax machines, has the same reuse and destruction guidelines as for networking devices. These pieces of essential office machinery are often forgotten when it comes to mon-itoring and to safeguarding for information security. They frequently have large mounts of memory, which may reveal a great deal about your organization’s functioning and operations. Again, they like other electronic devices or equipment contain “documents” in the broadest definition of the term. Make sure that they are properly reset before your organization donates or wholesales them. When in doubt, have them destroyed by a bonded vendor.

Magnetic disks like floppies can be overwritten with a program that places 1’s and 0’s over the existing data. As indicated prior, degaussing with an approved NSA degaussing device ensures correct erasure of the medium. The standard options for destruction are adequate for floppies.

Overwriting ATA hard drives is feasible using similar software. De-gaussing, however, is not an option for current hard drives if you plan reuse. Using a degaussing device renders the drive permanently unus-able. For purging the contents, NIST 800-88 guide recommends using the “Secure Erase” software available from the University of California at San Diego (UCSD). The standard options for destruction apply to ATA hard drives.

The same sanitizing principles apply to USB removable media that use hard drives. These include thumb drives, pen drives, flash drives,

and memory sticks. Purging using the UCSD software is recommended over degaussing if you plan on reuse. The standard options for de-struction apply to these drives.

SCSI hard drives can be cleared using the overwriting software.

Purging is possible through degaussing, provided reuse is not an issue.

Zip drives also can be overwritten, and purging is possible through a degaussing device, provided reuse is not intended. The standard op-tions for destruction apply to SCSI and Zip drives.

Magnetic tapes, whether for data storage on digital tape or for video on the VHS format, present a slightly different sanitization issue. Over-writing may not be practical due to the time involved to pass the tape across the tape head to complete the overwriting process. Re-recording the tape over with a nonsensitive signal may be the best way to clear sensitive data. In order to accomplish this process the same type of ma-chine should be used that did the original recording of sensitive mater-ial. Degaussing can also accomplish the clearing action without harming the medium’s ability to capture data or images in the future. It does not impair reuse. An NSA approved degaussing device accomplishes purg-ing quite well for magnetic tape. The destruction of magnetic tape in-volves either shredding or burning.

Optical disks such as CDs and DVDs should be erased using the computer’s burn-in software. Check the software manufacturer’s docu-mentation on any additional steps necessary to reduce the possibility of optical remanence. It is recommended, however, that due to their low cost and large storage capacity that optical disks be destroyed rather than be reused. Destruction processes include grinding off the surface layer, shredding the disk, and incinerating disk.

The heading, “Memory,” includes quite a range of media:

• SD cards

• DRAM (Dynamic Random Access Memory)

• PROM (Programmable Read Only Memory)

• Flash cards

• PCMCIA cards

• USB removable media

• Smart cards

SD cards can be overwritten with new data using a wiping or clearing program. Destruction includes shredding, pulverizing, disintegration, and incineration. Clearing or purging DRAM is done by powering it off

and by removing any backup battery. It can be destroyed by shredding, pulverizing, and disintegration. Flash cards can be overwritten with new data using a wiping or clearing program. Destruction includes shred-ding, pulverizing, and disintegration. PCMCIA cards cannot be cleared or purged, so the only option when removing them from service is de-struction via incineration or disintegration. USB removable media can be overwritten with new data using a wiping or clearing program. They can be destroyed by shredding, pulverizing, and disintegration. Finally, smart cards are not designed for reuse. Cut up the internal memory and have the pieces incinerated.

Magnetic cards can be overwritten with new data using a wiping or clearing program. Use a degaussing device to purge the device prior to reuse. The destruction methods are shredding and incineration.