By Cindy Miller
A lot can change in eight years, especially when we’re talking about technology. Since the National Institute of Standards and Technology released NIST 800-88 in 2006, it has been the de facto U.S. government guideline for media sanitization, displacing the older DoD 5220.22-M three-pass overwrite. But that was 2006, and data storage has evolved quite a bit since then. Most significantly, solid state drives (SSDs) and mobile devices like phones and tablets, which store their data in flash memory rather than on magnetic platters, have become ubiquitous in the workplace.
The most recent updates to NIST 800-88 reflect the spread of these devices and the need for a reliable process for destroying the data on them. If your company handles sensitive information of any type, whether it’s medical records, financial data, employee or customer personal data, or intellectual property, you need to be aware of these changes.
In 2012, NIST published a draft of the first revision of 800-88 (Revision 1). Although it is still technically a draft, it is the accepted industry standard for hard drive and media sanitization. What follows is an overview of some of the major revisions in NIST 800-88 Rev. 1, including important new best practices for sanitizing both mobile devices and SSDs.
Sections 2.3 and 2.4
These sections deal with the trends that drive the new guidance for solid state drives. As the cost of SSDs has declined, and their capabilities have expanded, an increasing number of businesses are using them for data storage. Unfortunately, as discussed in one of our recent white papers, the way these devices work makes sanitization techniques designed for magnetic media unreliable or ineffective.
These sections of NIST 800-88 address two problems. First, host-side overwriting is unreliable on an SSD: the drive’s firmware remaps logical addresses to physical flash blocks, so a wipe tool cannot reach over-provisioned, retired or not-yet-erased blocks, and degaussing does nothing to flash at all. Second, physically destroying an SSD is harder than destroying a hard drive, because the data sits in small flash chips rather than on platters, so anything short of reducing the chips themselves to small particles can leave readable fragments. Sections 2.3 and 2.4 themselves do not prescribe a step-by-step procedure for SSDs (the media-specific tables in the appendix do that, and Revision 1 also recognizes cryptographic erase, destroying the encryption key of a self-encrypting drive, as a purge technique for drives that support it), but they do make clear that SSD users must not assume a magnetic-media process carries over.
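To make the overwrite problem concrete, here is an added toy simulation (not code from NIST or from this article) of the one flash property that matters: a block cannot be rewritten in place, so the drive’s flash translation layer services every write by programming a fresh block and leaving the old copy behind where the host can no longer address it. The block counts, the FIFO allocation policy and the `secure_erase` behaviour are assumptions chosen for illustration; real firmware is more complex, but the host-visible result is the same: a full-disk overwrite verifies clean from the host while stale copies survive on the chips.

```python
"""Toy simulation of why a host-side overwrite does not sanitize an SSD.

Added example; not code from NIST SP 800-88 or the article. Assumptions:
erased flash reads as zeros, the FTL allocates blocks FIFO, and garbage
collection erases a stale block only when no erased block is available.
"""
from __future__ import annotations

BLOCK_SIZE = 32  # bytes per block; tiny so the example runs instantly


class ToySsd:
    """Wear-levelling flash model: LBA -> physical block, copy-on-write."""

    def __init__(self, logical_blocks: int, spare_blocks: int) -> None:
        total = logical_blocks + spare_blocks
        self.physical = [bytes(BLOCK_SIZE) for _ in range(total)]   # erased = zeros
        self.mapping = list(range(logical_blocks))                   # LBA -> physical
        self.erased = list(range(logical_blocks, total))             # over-provisioned
        self.stale: list[int] = []                                   # retired, not erased

    def _allocate(self) -> int:
        # Out of erased blocks: garbage-collect the oldest stale block (erase it).
        if not self.erased:
            victim = self.stale.pop(0)
            self.physical[victim] = bytes(BLOCK_SIZE)
            self.erased.append(victim)
        return self.erased.pop(0)

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == BLOCK_SIZE
        new_phys = self._allocate()
        self.physical[new_phys] = data
        # The block that used to hold this LBA is retired with its contents intact.
        self.stale.append(self.mapping[lba])
        self.mapping[lba] = new_phys

    def read(self, lba: int) -> bytes:
        return self.physical[self.mapping[lba]]

    def secure_erase(self) -> None:
        """Firmware-level sanitize (the kind of command a purge relies on):
        erases every physical block, mapped, stale or spare."""
        self.physical = [bytes(BLOCK_SIZE) for _ in self.physical]
        self.erased = self.erased + self.stale
        self.stale = []


def fill_with_secrets(drive: ToySsd) -> None:
    """Constructed sample data: a distinct marker in every logical block."""
    for lba in range(len(drive.mapping)):
        drive.write(lba, f"SECRET-{lba:03d}".encode().ljust(BLOCK_SIZE, b"."))


def host_overwrite(drive: ToySsd) -> None:
    """What a wipe tool does: write zeros to every LBA through the host interface."""
    for lba in range(len(drive.mapping)):
        drive.write(lba, bytes(BLOCK_SIZE))


def host_verify_zeroed(drive: ToySsd) -> bool:
    """Read-back verification as the host sees it: every LBA reads as zeros."""
    return all(drive.read(lba) == bytes(BLOCK_SIZE) for lba in range(len(drive.mapping)))


def chip_off_remnants(drive: ToySsd) -> int:
    """What a chip-off forensic read sees: raw physical blocks still holding data."""
    return sum(1 for block in drive.physical if b"SECRET" in block)


def demo(logical_blocks: int = 64, spare_blocks: int = 8) -> dict:
    drive = ToySsd(logical_blocks, spare_blocks)
    fill_with_secrets(drive)
    host_overwrite(drive)
    result = {
        "host_verify_passes": host_verify_zeroed(drive),
        "remnants_after_overwrite": chip_off_remnants(drive),
    }
    drive.secure_erase()
    result["remnants_after_secure_erase"] = chip_off_remnants(drive)
    return result


if __name__ == "__main__":
    print(demo())
```

In this model the host-side verification passes even though one old copy per spare block is still physically present; only the firmware-level erase clears them. That is the gap NIST 800-88 is pointing at when it warns that overwrite-and-verify, which is adequate for a magnetic disk, is not a trustworthy purge for flash.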
Sections 4.7 and 4.8
Reviewing the practices of your own team or IT asset disposition (ITAD) vendor is a crucial but often overlooked part of the data destruction process. The destruction process must be documented so you can prove that data was destroyed properly. The updated sections reaffirm the necessity of an audit, and outline standards for the auditing process. Section 4.8 recommends that the record for each sanitized device include details about:
- The device (make, model and serial number)
- The sanitization level applied (clear, purge or destroy)
- The method and tool used
- The date of sanitization
- The name of the person who performed and supervised it
- Verification that the sanitization actually succeeded
Without this record in your files, you have no evidence that your devices were sanitized according to best practice. The takeaway is that any ITAD vendor you select must be able to provide a comprehensive audit record for every device, not just a summary certificate.
When the original NIST 800-88 data destruction standards were first drafted, smartphones were in their infancy. But as too many businesses have discovered, the capabilities of these devices are also a liability. The new standards include recommendations for sanitizing phones on all of the major platforms, and they provide an important road map for true data security in 2014 and beyond. The appendix outlines the accepted method for data destruction at each level – clear, purge, and destroy – for each type of media, with notes on the unique challenges of each device type. If your business relies on a specific type of mobile device, or a combination of devices, we absolutely recommend consulting the appendix.
The changes outlined in NIST 800-88 Rev. 1 are important for all businesses, because the way data is stored in 2014 is not the same as it was in 2006 (especially given the rise of SSDs). For more information on best practices for erasing solid state disks, download this free whitepaper, “Advances in SSD Erasure Solutions.”