ISO 27040 offers comprehensive guidance to organizations in identifying acceptable levels of risk mitigation through a well-documented and robust approach toward documentation, planning, design, & implementation of data storage security. The standard outlines common risks to the security, availability, and integrity of data stored in the storage devices. It also addresses information security controls for data protection and security assurance through assessment and audits of information security measures.
History
It is the first international standard that addresses a holistic and comprehensive range of storage security perspectives. The research work on formulating the standard started in the year 2010 after the SC27 conference. The ISO/IEC 27040 standard was published on January 5th, 2015. It is a detailed standard with more than 120 pages explaining data storage security and media sanitization protocols. At present, the revised ‘Working Draft’ (ISO/IEC DIS 27040) of the standard has been registered and is in the enquiry stage.
ISO 27040 Scope & Objectives
ISO/IEC 27040:2015 provides technical guidance on the threat, design, and control aspects associated with typical data storage scenarios. It defines storage security as the protection of information at the point of storage and during transfer across communication links related to storage. The standard specifies security as an aspect that protects devices, media, applications, and services as well as the security of devices in use and when they are at rest. Storage security is important for individuals who own, operate, or use the storage devices.
The three primary objectives of the ISO 27040 standard are:
- Draw attention to the risks associated with data storage technologies.
- Assist organizations in improving the security of stored information using stringent information security controls.
- Provide a basis for auditing, designing, and reviewing storage security controls.
The standard covers a wide range of topics with respect to storage, its types, security risk, data reliability, retention, compliance, and sanitization. Under section 6.8.1, the standard defines data sanitization and mentions media-based sanitization, logical sanitization, proof, and verification of sanitization.
Media Sanitization: A Core Requirement [Section 6.8.1]
The ISO 27040 standard specifies media sanitization as the best practice to ensure data storage security for the destruction of data held on different storage media. It is the only international standard that addresses media sanitization in such detail mentioning data wiping methods and techniques such as clear, purge, and destroy. The ISO 27040 standard defines sanitization as a process of data destruction that renders data inaccessible on devices at the end of their life or during transfer. Sanitization ensures that there is no data leakage and prevents instances of data breach when organizations engage in reselling, donating, repurposing, or discarding storage devices.
Media-Based Sanitization [Section 6.8.1.2]:
The standard recommends that organizations follow Annex A to sanitize the specific media type. It defines several media sanitization techniques like Clear (overwriting), Purge (block erase and cryptographic erasure), and Physical Destruction (disintegrate, incinerate, melt, pulverize, or shred), to help organizations and vendors find the most suitable option to perform media sanitization.
Here are some of the recommendations for media sanitization specific to each media type as defined in the ISO 27040 standard:
|
Media Type
|
Clear
|
Purge
|
Destroy
|
|
Papers and microforms
|
N/A
|
N/A
|
Destroy paper with cut shredders and microforms to be burnt.
|
|
Routers and Switches
|
Perform Manufacturer’s reset to reset the router or return back to the factory default settings.
|
See if the media has a Purge capability or not to perform data rewriting or block erase.
|
Shred, Disintegrate, Pulverize, or Incinerate in a licensed incinerator.
|
|
Mobile Device Sanitization
|
Select the full sanitize option for iOS and Android devices. Delete and perform factory reset for other mobile devices. Opt for an Overwrite using certified data eraser software.
|
Overwrite or block erase if the device supports purge capability
|
Same as above
|
|
Office equipment like printer, fax, or multifunction devices
|
Perform manufacturer reset to attain its factory default setting.
|
Check if the device has Purge capability or not to execute media-dependent techniques like overwriting, block erase, or cryptographic erase.
|
Same as above
|
|
Magnetic Media like Floppy Disks, ATA/ SCSI HDDs or SSHD
|
Overwrite using a certified data eraser tool.
|
Overwrite with dedicated sanitize commands (Overwrite EXT, Crypto Erase, SECURITY ERASE UNIT), Degauss, or Disassemble and degauss the enclosed platters.
|
Same as above
|
|
Peripherally Attached media – USB, Firewire, etc.
|
Overwrite using a certified data eraser tool.
|
Figure out if the media has a Purge capability or not to perform overwriting, block erase, or cryptographic erase.
|
Same as above
|
|
ATA SSDs
|
Overwrite using a certified tool. Use Security Erase Unit command, if supported.
|
Secure data erasure with dedicated sanitize commands (Block Erase,
Cryptographic Erase through the TCG Opal SSC or Enterprise SSC interface)
|
Shred, Disintegrate, Pulverize, or Incinerate in a licensed furnace.
|
|
SCSI SSDs (SCSI, SAS, Fibre Channel, USB Attached Storage, SCSI
Express)
|
Media Overwriting with a certified tool.
|
Overwrite with dedicated sanitize commands (BLOCK ERASE, CRYPTO ERASE).
|
Same as Above
|
|
NVM Express SSDs
|
Overwrite using a certified data eraser tool.
|
Overwrite with dedicated sanitize commands (NVM Express Format command,
Cryptographic Erase)
|
Shred, Disintegrate, Pulverize, or Incinerate in a licensed furnace.
|
|
Optical Media like CD, DVD, and BD
|
N/A
|
N/A
|
Destroy data using an optical disc grinding device. Incinerate using a licensed facility. Use an optical disk media shredder.
|
|
Flash Media – USBs, Memory Cards
|
Overwrite using a certified data eraser tool.
|
Not Supported (Refer to Manufacture for any supported commands for USBs)
|
Shred, Disintegrate, Pulverize, or Incinerate in a licensed furnace.
|
Maintain a Record or Proof of Sanitization [Section 6.8.1.4]
The international standard in line with NIST Guidelines for media sanitization specifies the importance of proof of sanitization. It specifies two forms of proof of sanitization including an audit log trail and a certificate of sanitization. It demands that organizations should maintain a record of sanitization activities to document what media were sanitized, when & how. The ISO 27040 standard further demonstrates how these documents help reduce the risk of penalties and data breach notifications by adhering to compliance goals. A certificate of sanitization guarantees that data was destroyed with due diligence and the data cannot be recovered from the erased devices even after using an advanced forensic technique. As per the standard, the certificate of sanitization should include hardware and process details such as Manufacturer, Model, Serial Number, Media Type, and Media Source, along with Sanitization Description, Method, Tool Used, and Verification method, Validation details, etc.
Verify the media sanitization process [Section 6.8.1.5]
The ISO 27040 standard defines that the goal of the verification process is to assure that the target data is effectively sanitized. Verification is achieved by a full reading of all accessible areas to ensure that the target location has expected sanitized value in all addressable locations. The standard specifies two types of the verification process, namely-
- Full Verification: Complete reading of all addressable locations on the sanitized device if time and external factor permits.
- Representative Sampling: Reading of selective subset of the media or pseudorandom locations.
Cryptographic erasure has different verification considerations than the above procedures because the data following cryptographic erasure may not be known. The standard recommends verification of cryptographic erasure may be skipped if reading access is not possible.
Conclusion:
ISO 27040 acts as a benchmark standard to guide organizations in their effort towards mitigations of risk associated with data storage, strengthening organizational efforts towards enhanced data protection and security. As storage technology evolves, data continues to grow exponentially, and cases of data breach rise, the need to comply and adopt information security controls recommended by the standard will grow in eminence. Furthermore, with media sanitization so clearly spelled out in the standard, organizations will be more aware, prepared, and confident to execute IT asset disposition in a safe, compliant and secure manner.
Certified data eraser software like BitRaser will be ideal for performing secure and permanent data wiping with NIST 800-88 and other global erasure standards. BitRaser generates certificate of sanitization and performs verification of the sanitization process as recommended in ISO/ICE 27040:2015 standard. Since the current version of ISO/IEC 27040:2015 standard aligns with NIST 800-88 data sanitization guidelines, NIST tested and compliant tool like BitRaser becomes the first preference for media sanitization for organizations looking for compliance and data security in order to mitigate risks.
