Standard for Disposing of Institutional Information
Introduction
Disposing of Institutional Information can involve data stored in multiple locations and in multiple formats (electronic, magnetic, optical, paper, etc.). The disposal of information is generally governed by university record retention schedules. However, there are several circumstances that can override those schedules, including Data Subject Access Requests, litigation holds, and audits.
Purpose
This standard establishes the methods to be used when disposing of Institutional Information, regardless of the type of media on which it is stored.
Scope
This standard applies to all Workforce Members who, as part of their job duties at The New School, dispose of Institutional Information and/or IT Resources that contain Institutional Information. It applies to Institutional Information stored on physical media or logical media:
- Physical media are tangible, physical materials or devices that are used to store data. Examples include solid state drives, hard disk drives, USB flash drives, write-once and rewritable optical discs, magnetic tapes and tape cartridges, CF and SD memory cards, paper, microfilm, and microfiche.
- Logical media are virtual storage devices that provide areas of usable storage capacity on one or more physical storage devices. The devices are described as logical or virtual because they do not actually exist as single physical entities in their own right. The goal of logical media is to provide computer software with what seems like a contiguous storage area, sparing it the burden of dealing with the intricacies of storing data on multiple physical devices. For example:
  - An operating system may define volumes or logical disks and assign each to one physical disk, more than one physical disk, or part of the storage area of a physical disk.
  - Storage area networks (SANs) consolidate storage devices of different types (e.g., solid-state drives, high-speed drives, low-speed drives). Logical disks or volumes allow software applications to access files stored on a SAN.
  - A hardware-level redundant array of independent disks (RAID) exposes itself to the operating system as one logical disk while the array itself consists of several disks. The operating system either does not know that the hardware with which it is interfacing is a RAID, or knows but still does not concern itself with the intricate details of storage.
  - Cloud storage (e.g., Amazon S3, Box, Google Drive, Microsoft OneDrive, etc.) is based on highly virtualized infrastructure comprising multiple distributed resources, but presents itself to the user or software application as a single storage device.
Definitions
Special terms used in this document will be Capitalized and underlined, signifying that they have special meaning. A comprehensive glossary of terms, with examples, can be found at https://ispo.newschool.edu/glossary/.
The following information disposal methods are referenced in this standard:
Clear. A media Sanitization method that destroys data stored in all user-addressable storage locations on a media storage device. This is typically accomplished by rewriting the storage locations with a new value or using a menu option to reset the device to its factory state (when rewriting is not supported). The Clear process protects against keyboard-based and simple non-invasive data recovery techniques; it does not protect against state-of-the-art laboratory techniques.
Cryptographic Erase. A media Sanitization method offered by self-encrypting storage devices that automatically encrypt information as it is written to them. Cryptographic Erase leverages the encryption of the data by destroying all copies of the data’s encryption/decryption key(s). This leaves only the encrypted information remaining on the media, effectively sanitizing the data by preventing read access. A key advantage of Cryptographic Erase is that the time to apply it is not influenced by the size (capacity) of the storage device as other methods are.
Degauss. A method of destroying information stored on magnetic media by applying a reverse magnetic field to reduce the magnetic flux to zero. Many forms of generic magnetic storage media can be reused after degaussing, including reel-to-reel audio tape, VHS videocassettes, and floppy disks. For certain forms of computer data storage, however, such as modern hard disk drives and some tape drives, degaussing renders the magnetic media completely unusable because degaussing also destroys the servo control data the devices need to operate.
Delete. An information disposal process that removes the ability to access the respective file, record, or data in the operating system or application.
Note
Delete is not a Sanitization method. Deleting data does not necessarily eliminate the possibility of recovering all or part of the data later. For example, dragging files to the Windows Recycle Bin or the Mac OS X Trash and emptying it, or using the rm command on Linux, does not eliminate the possibility of recovery.
Destroy. A method of destroying information that renders data unrecoverable, even using state-of-the-art laboratory techniques. Destroy also results in the subsequent inability to use the media for storage of data.
Purge. A media Sanitization method that renders data unrecoverable, even using state-of-the-art laboratory techniques. Unlike Destroy, Purge does not render the storage media unusable.
Requirements
Some methods of data destruction are more complicated, time-consuming, or resource intensive than others. Workforce Members must select a method of data destruction based on the Protection Level classification of the Institutional Information to be destroyed and/or the potential harm that would result from data recovery and disclosure.
For Institutional Information classified at Protection Level PL-1, this may mean simply Deleting electronic files. However, Deletion can be undone by a determined and motivated individual, which makes it inappropriate for more sensitive data. When disposing of Institutional Information classified at Protection Level PL-2 or higher, Workforce Members must employ stronger Sanitization methods to prevent unauthorized access and ensure that data is truly irretrievable.
Institutional Information may need to be Sanitized because:
- A law or regulation to which the university is subject requires information to be securely disposed of.
- The information has reached the end of its retention period, as per the record retention schedule.
- The media on which the information is stored will be reused or retired.
- The IT Resource(s) containing the information is being sent for repair or replacement.
- The IT Resource(s) containing the information is being repurposed or retired.
Appropriate Sanitization methods
The table below summarizes appropriate Sanitization methods by Institutional Information Protection Level (PL-1 through PL-4) for each type of media. A more stringent Sanitization method can be used.
Media | PL-1 | PL-2 | PL-3 | PL-4 |
---|---|---|---|---|
Embedded storage (mobile phones, tablets, etc.) | Delete | Clear | Purge | Purge or Destroy |
Floppy disks and diskettes | Delete | Purge | Destroy | Destroy |
Flash storage (USB flash drives, CF/SD cards, etc.) | Delete | Clear | Purge | Destroy |
Hard disk drives (internal, external, portable) | Delete | Clear | Purge | Purge or Destroy |
Logical storage[^1] | Delete | Delete | Cryptographic Erase[^2] | Cryptographic Erase |
Magnetic tape and tape cartridges | Delete | Purge | Destroy | Destroy |
Microfilm and microfiche | Destroy | Destroy | Destroy | Destroy |
Optical discs, read-only (CD-ROM, DVD-ROM, etc.) | Destroy | Destroy | Destroy | Destroy |
Optical discs, read/write (CD-R/W, DVD-R/W, etc.) | Delete | Clear | Destroy | Destroy |
Paper | Destroy | Destroy | Destroy | Destroy |
Solid state drives (SSD) | Delete | Cryptographic Erase | Cryptographic Erase | Cryptographic Erase |
Sanitization procedures
Sanitization procedures vary by the type of media being Sanitized. The procedures for the types of media in the table in the previous section are summarized below. Only the most likely procedure(s) to be used by The New School are described, and special cases are generally not covered. For full details, consult NIST Special Publication 800-88, Guidelines for Media Sanitization.
Embedded storage
Devices running Apple iOS
Method | Procedure |
---|---|
Clear | Select the full sanitize option (typically in the ‘Settings > General > Reset > Erase All Content and Settings’ menu). (The Sanitization operation should take only minutes as Cryptographic Erase is supported. This assumes that encryption is on and that all data has been encrypted.) |
Purge | Select the full sanitize option (typically in the ‘Settings > General > Reset > Erase All Content and Settings’ menu). (The Sanitization operation should take only minutes as Cryptographic Erase is supported. This assumes that encryption is on and that all data has been encrypted.) |
Destroy | Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. |
See NIST SP 800-88 Table A-3, Mobile Device Sanitization, for further information.
Devices running Android
Method | Procedure |
---|---|
Clear | Perform a factory reset through the device’s settings menu. |
Purge | Perform a factory reset through the device’s settings menu. Some devices may support Cryptographic Erase. |
Destroy | Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. |
See NIST SP 800-88 Table A-3, Mobile Device Sanitization, for further information.
Other devices
For further information, see the following tables in NIST SP 800-88:
- Table A-2, Networking Device Sanitization
- Table A-3, Mobile Device Sanitization
- Table A-4, Equipment Sanitization
- Table A-9, RAM- and ROM-Based Storage Device Sanitization
Floppy disks and diskettes
Method | Procedure |
---|---|
Clear | Overwrite media by using organizationally approved software and perform verification on the overwritten data. The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. Multiple write passes or more complex values may optionally be used. |
Purge | Degauss in an organizationally approved degausser rated at a minimum for the media. |
Destroy | Shred, or incinerate by burning in a licensed incinerator. |
See NIST SP 800-88 Table A-3, Mobile Device Sanitization, for further information.
Flash storage
Method | Procedure |
---|---|
Clear | Overwrite media by using organizationally approved and tested overwriting technologies, methods, and tools. The Clear pattern should be at least two passes, to include a pattern in the first pass and its complement in the second pass. Additional passes may be used. |
Purge | N/A |
Destroy | Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. |
See NIST SP 800-88 Table A-8, Flash Memory-Based Storage Device Sanitization, for further information.
Hard disk drives
Method | Procedure |
---|---|
Clear | Overwrite media by using organizationally approved and validated overwriting technologies, methods, and tools. The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. Multiple write passes or more complex values may optionally be used. |
Purge | Use (1) one of the ATA Sanitize Device feature set commands, (2) the ATA SECURE ERASE UNIT command, (3) Cryptographic Erase through the SSC interface, or (4) Degauss in an organizationally approved automatic degausser. |
Destroy | Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. |
The above applies to ATA (PATA, SATA, eSATA, etc.) hard drives. For SCSI hard drives and for further information, see NIST SP 800-88 Table A-5, Magnetic Media Sanitization.
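As an added example that is not part of this standard, the following Python sketch performs the Clear procedures described above for hard disk drives (a single all-zeros pass) and for flash storage (a pattern followed by its complement), then verifies the result by reading the whole target back. It assumes the target is an ordinary file standing in for a block device and a 1 MiB I/O granularity; the sample image is constructed.

```python
# Added example, not the standard's own code: a Clear pass with read-back
# verification. The target here is an ordinary file standing in for a device.
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB write/verify granularity (assumption)

def overwrite_pass(path: str, fill: int) -> int:
    """Write one fixed-value pass over the whole target; return bytes written."""
    size, written = os.path.getsize(path), 0
    chunk = bytes([fill]) * BLOCK
    with open(path, "r+b") as f:
        while written < size:
            n = min(BLOCK, size - written)
            f.write(chunk[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # push the write-back cache to the media
    return written

def verify_pass(path: str, fill: int) -> bool:
    """Read the whole target back and confirm every byte equals the fill value."""
    expect = bytes([fill]) * BLOCK
    with open(path, "rb") as f:
        while data := f.read(BLOCK):
            if data != expect[:len(data)]:
                return False
    return True

def clear(path: str, patterns=(0x00,)) -> bool:
    """Apply each pass in order, then verify the last one. The default is the
    single zero pass for hard disks; FLASH_PATTERNS is the pattern-plus-complement
    sequence the flash procedure calls for."""
    for fill in patterns:
        overwrite_pass(path, fill)
    return verify_pass(path, patterns[-1])

FLASH_PATTERNS = (0x55, 0xAA)  # 0xAA is the bitwise complement of 0x55

def demo():
    """Constructed sample: a ~3 MiB image seeded with fake records."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample record\n" * 120000)
        path = tmp.name
    try:
        before = verify_pass(path, 0x00)          # False: data still present
        hdd_ok = clear(path)                      # single all-zeros pass
        flash_ok = clear(path, FLASH_PATTERNS)    # pattern, then complement
    finally:
        os.unlink(path)
    return before, hdd_ok, flash_ok
```

Overwriting through a filesystem only reaches the blocks the file occupies; sectors a drive has remapped and flash cells held in over-provisioned areas are never touched. That is why the standard limits overwriting to Clear at PL-2 for hard disks and flash media and relies on ATA Sanitize, Cryptographic Erase or degaussing above that.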
Logical storage
The procedures for clearing and purging information from logical storage systems depend on how the system is implemented (e.g., whether it is backed by a relational database, a file system, or some other technology) and on the functions and capabilities provided by the implementation. Consult the software or service provider documentation for recommendations, and use a risk-based approach to evaluate the Institutional Information disclosure risks and system capabilities. Review with the Information Security and Privacy Office to make determinations that fall outside this standard or when the recommended technique cannot be confidently used.
Magnetic tape and tape cartridges
Method | Procedure |
---|---|
Clear | Re-record (overwrite) all data on the tape using an organizationally approved pattern, using a system with similar characteristics to the one that originally recorded the data. |
Purge | Degauss the magnetic tape in an organizationally approved degausser rated at a minimum for the media. |
Destroy | Incinerate by burning the tapes in a licensed incinerator or Shred. |
See NIST SP 800-88 Table A-5, Magnetic Media Sanitization, for further information.
Microfilm and microfiche
Method | Procedure |
---|---|
Clear | N/A |
Purge | N/A |
Destroy | Incinerate by burning in a licensed incinerator. |
See NIST SP 800-88 Table A-1, Hard Copy Storage Sanitization, for further information.
Optical discs
Method | Procedure |
---|---|
Clear | N/A |
Purge | N/A |
Destroy | Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. |
See NIST SP 800-88 Table A-7, Optical Media Sanitization, for further information.
Paper
Method | Procedure |
---|---|
Clear | N/A |
Purge | N/A |
Destroy | Destroy paper documents by placing them in secure, locked recycling bins designed for sensitive information (available from Facilities Management) or by using cross-cut shredders rated at ISO/IEC 21964 (DIN 66399) Security Level P-4, which produce particles with size ≤ 160 mm² and width ≤ 6 mm. Shredders rated at higher (but not lower) Security Levels may also be used. |
See NIST SP 800-88 Table A-1, Hard Copy Storage Sanitization, for further information.
Note
The shredder requirement above is less restrictive than the NIST SP 800-88 requirement, which equates to Security Level P-7. Security Levels P-4 and P-5 are sufficient for most commercial shredding needs, including the destruction of personal data, while Security Levels P-6 and P-7 are intended to meet the more stringent requirements of military, intelligence, and national security agencies.
Solid state drives
Method | Procedure |
---|---|
Clear | Either (1) use the SECURITY ERASE UNIT command or (2) overwrite media by using organizationally approved and tested overwriting technologies, methods, and tools. The Clear procedure should consist of at least one pass of writes with a fixed data value, such as all zeros. Multiple passes or more complex values may alternatively be used. |
Purge | Use (1) one of the ATA Sanitize Device feature set commands, or (2) Cryptographic Erase through the SSC interface. |
Destroy | Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. |
The above applies to ATA (PATA, SATA, eSATA, etc.) SSDs. For SCSI SSDs and for further information, see NIST SP 800-88 Table A-8, Flash Memory-Based Storage Device Sanitization.
Institutional Information disposal criteria
Before Sanitizing or destroying media or IT Resources that contain Institutional Information, Workforce Members must confirm that:
- There are no litigation holds affecting the information.
- There are no academic record holds affecting the information.
- The record retention schedule(s) for the information have been satisfied (i.e., it’s not too soon to destroy the information).
- The Sanitization method is appropriate for the Protection Level of the information and the type of media on which it is stored.
Media or IT Resources that contain Institutional Information classified at multiple Protection Levels must be Sanitized or destroyed using a method appropriate for the highest Protection Level present. Media or IT Resources containing Institutional Information whose Protection Level is not known and/or cannot be reliably determined must be Sanitized or destroyed as if they contain information classified at Protection Level PL-4.
Cryptographic erase
For Cryptographic Erase to be used[^3], the following requirements must be met and documented:
- The IT Workforce Member must verify that all data on the media to be erased is adequately encrypted. (Cryptographic Erase works by destroying decryption keys; if the data to be “erased” is not encrypted with those keys, it will not be effective.)
- The encryption algorithm with which the data is encrypted meets the minimum standards of NIST Special Publication 800-140C.
- The location of all copies of the relevant decryption keys must be known and documented.
- An action that safely destroys all copies of the keys must be available.
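As an added illustration that is not part of this standard, the following Python sketch applies the requirements above to the column-encrypted database case described in footnote 2: every copy of a key is registered by location, a single action destroys all copies, and the erase is refused if any row under the key is still stored in clear. It uses sqlite3 in memory as the logical store and a SHAKE256 keystream as a stand-in for an approved cipher such as AES-GCM; the table, key identifier and key locations are constructed.

```python
# Added example, not the standard's own code: Cryptographic Erase of column-encrypted rows.
import hashlib, os, sqlite3

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE256 keystream; stands in for an approved AEAD (e.g. AES-GCM)."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class KeyStore:
    """Every copy of a key is registered by key_id and location, so all copies are known."""
    def __init__(self):
        self.copies = {}  # key_id -> {location: key}
    def add(self, key_id, location, key):
        self.copies.setdefault(key_id, {})[location] = key
    def get(self, key_id):
        return next(iter(self.copies.get(key_id, {}).values()), None)
    def destroy(self, key_id):
        return sorted(self.copies.pop(key_id, {}))  # one action removes every copy

def put_record(db, ks, key_id, rec_id, plaintext):
    nonce = os.urandom(12)
    db.execute("INSERT INTO records VALUES (?,?,?,?)",
               (rec_id, key_id, nonce, keystream_xor(ks.get(key_id), nonce, plaintext)))

def get_record(db, ks, rec_id):
    key_id, nonce, body = db.execute(
        "SELECT key_id, nonce, body FROM records WHERE id=?", (rec_id,)).fetchone()
    key = ks.get(key_id)
    return None if key is None else keystream_xor(key, nonce, body)  # None once erased

def cryptographic_erase(db, ks, key_id):
    """Refuse unless every row under key_id is encrypted; then destroy all key copies."""
    n = db.execute("SELECT COUNT(*) FROM records WHERE key_id=? AND nonce IS NULL",
                   (key_id,)).fetchone()[0]
    if n:
        raise RuntimeError(f"{n} row(s) stored in clear: Cryptographic Erase not effective")
    return ks.destroy(key_id)  # the returned locations go into the disposal record

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id TEXT, key_id TEXT, nonce BLOB, body BLOB)")
    ks, key = KeyStore(), os.urandom(32)
    for loc in ("kms-primary", "hsm-backup"):  # constructed key locations
        ks.add("grades-2020", loc, key)
    put_record(db, ks, "grades-2020", "r1", b"constructed sample: grade A")
    db.execute("INSERT INTO records VALUES ('r2','grades-2020',NULL,?)", (b"clear row",))
    before = get_record(db, ks, "r1")
    try:
        cryptographic_erase(db, ks, "grades-2020")
        refused = False
    except RuntimeError:
        refused = True  # r2 is stored in clear, so the erase must be refused
    db.execute("DELETE FROM records WHERE id='r2'")
    destroyed = cryptographic_erase(db, ks, "grades-2020")
    return before, refused, destroyed, get_record(db, ks, "r1")
```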
References
- National Institute of Standards and Technology. Guidelines for Media Sanitization. Special Publication 800-88, Revision 1. December 2014. Available from https://doi.org/10.6028/NIST.SP.800-88r1.
- National Institute of Standards and Technology. CMVP Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759. Special Publication 800-140C. March 2020. Available from https://doi.org/10.6028/NIST.SP.800-140C.
Review
This standard is reviewed on a periodic basis and updated as necessary by the Information Security and Privacy Office to ensure it remains accurate, relevant, and fit for purpose.
Document history
Date | Author | Description |
---|---|---|
Jun 2020 | D. Curry | |
Dec 2020 | D. Curry | |
Parts of this standard are adapted from the University of California’s Disposal of Institutional Information Standard, coordinated by Robert Smith, the contents of which are used with permission.
[^1]: Logical storage is principally storage used within or by applications, such as databases, content management systems, cloud storage services, etc. An IT Workforce Member will be required to perform Institutional Information destruction on logical storage.
[^2]: Most databases have the ability to perform field (column) encryption or row-level encryption. Alternatively, entire tables can be encrypted. Once encrypted, destroying the key completes the Cryptographic Erase.
[^3]: NIST SP 800-88, Guidelines for Media Sanitization, contains guidance on when to use Cryptographic Erase. See Section 2.6, Use of Cryptography and Cryptographic Erase.