Australian Signals Directorate’s Information Security Manual on Media Sanitisation
The Australian Signals Directorate (ASD) was previously known as the Defence Signals Directorate (DSD). The ASD defends Australia’s interests by gathering intelligence from foreign signals, improving cyber security posture, and strengthening efforts to counter global threats. The updated version of the Information Security Manual (ISM) was released by the ASD in June 2024, which covers cyber security principles, security of IT assets, data transfers, media sanitisation, destruction, disposal, etc. It has been designed for Information Security Officers (CISOs, CIOs), and cyber security professionals, including IT managers of government bodies & large organisations. The manual comes in handy in helping organisations apply a cybersecurity framework while utilising their existing Risk Management Framework (RMF) to protect their operational tech systems & IT, apps, and data from cyber threats.
Guidelines for Media in ISM provide detailed instructions for:
- Media Usage
- Media Sanitisation
- Media Destruction
- Media Disposal
In the context of this article, we will cover media sanitisation.
Media sanitisation has been recommended when creating a removable media usage policy, reclassifying media, using it for the first time, or using media to transfer data. Sanitizing new media can reduce cyber supply chain risks by removing a potential malicious code. The same is recommended for rewritable media post each data transfer. It is also essential to sanitize a media before repurposing a media or using it in a different security domain to prevent any possibility of data spills or data breaches. Media sanitisation for all non-volatile flash memory media but SECRET and TOP SECRET help in rendering them reusable.
Note: The media classified as SECRET and TOP SECRET have the authorisation to process, store, and communicate SECRET and TOP SECRET data, respectively.
Media Sanitisation (Page 85 of ISM)
This segment elaborates on the sanitisation methods that can be applied to permanently erase data from diverse types of media which include:
- Non-Volatile Flash Memory Media OR Solid State Drives (SSDs): Sanitisation of SSDs and non-volatile media devices is achieved using a technique known as wear leveling. This technique involves overwriting the media with a random pattern at least twice as evenly across each memory block along with a read back for verifying sanitisation.
[Control: ISM-0359, Revision: 4]
In case the media has bad memory blocks, there is a high probability of these bad sectors getting left from being overwritten; hence, SECRET and TOP SECRET non-volatile flash memory media retain their classification despite sanitisation, and cannot be reused or repurposed. [Control: ISM-0360; Revision: 6]
- Non-Volatile Magnetic Media: Sanitisation of non-volatile magnetic, floppy disks, and hard drives is achieved by overwriting the device with a random pattern at least once, followed by a read back for verification. However, if these storage media are under 15 GB or pre-2001, then the media should be overwritten at least three times.
[Control: ISM-0354, Revision: 6]
Since non-volatile magnetic hard drives have hidden areas such as the device configuration overlay table (DCO) and host-protected area (HPA), which are not visible to the OS or the computer’s Unified Extensible Firmware Interface (UEFI), these remain untouched. However, certain sanitisation programs such as BitRaser Drive Eraser reset the volatile drive to its default state, thereby removing any HPAs or DCOs, allowing the program to wipe all user-accessible and non-accessible areas of the drive.
SECRET and TOP SECRET non-volatile magnetic media retain their classification after sanitisation.
[Control: ISM-0356; Revision: 6]
- Non-Volatile Erasable Programmable Read-only Memory Media (EPROM): Sanitisation for EPROM media can be performed by applying ultraviolet erasure for three times the duration as recommended by the manufacturer. Post this, the media should be overwritten with a random pattern at least once, and verification should be done with a read back.
[Control: ISM-0357, Revision: 5]
- Non-Volatile Electrically Erasable Programmable Read-only Memory Media (EEPROM): This media is recommended to be overwritten with a random pattern at least once after which a read back should be done to verify that the media has been sanitised.
[Control: ISM-0836, Revision: 3]
SECRET and TOP SECRET EPROM and EEPROM retain their classification even after sanitisation.
[Control: ISM-0356, Revision: 6; Control: ISM-0358, Revision: 6]
- Volatile Media: Sanitisation of volatile media is performed by removing the media from the power source for at least 10 mins. The manual also states that for media devices marked as SECRET or TOP SECRET, it is necessary to overwrite the entire media with a random pattern and then verify the sanitisation by read back.
[Control: ISM-0351, Revision: 6; Control: ISM-0352, Revision: 4]
- Hybrid Hard Drives (HHDs): The non-volatile magnetic media must be separated from the circuit board containing non-volatile flash memory, and then both media devices should be sanitised separately.
- Media that Failed Sanitisation: Since damaged or faulty media cannot be fully sanitised, they have to be destroyed before they can be disposed of securely.
[Control: ISM-1735, Revision: 0]
The Information Security Manual also specifies media destruction and media disposal, especially in cases where sanitisation fails, or the drive has bad sectors.
Media Destruction (Page 89 of ISM)
Under this segment, the ISM mentions procedures, methods, and media types that cannot be sanitised and have to undergo destruction process. It is important to note that media destruction processes and procedures, when developed, implemented, and maintained in the right manner, help organisation conduct the media destruction process appropriately and consistently.
[Control: ISM-0363, Revision:4]
Further, certain media like ROMs, PROMs, microfilms, optical discs, microfiche, etc., when fail sanitisation need to be destroyed before they can be disposed of.
[Control: ISM-0350, Revision: 5]
For destruction, the identified methods to render data irrecoverable include cutting, grinding/sanding, or using a hammer mill, furnace/incinerator, disintegrator, or degausser.
[Control: ISM-1722 to ISM-1727, Revision: 1]
Degaussing modifies the magnetic properties of a media, which results in permanent corruption of data. Sufficient magnetic strength and suitable magnetic orientation are essential for effective media destruction. For correct guidance, product-specific directions provided by the manufacturer should be followed.
[Control: ISM-036, Revision: 4; Control: ISM-0362, Revision: 4]
For media storing accountable data, media destruction cannot be outsourced. It should be performed under the supervision of at least two personnel who can verify data destruction and also sign a certificate of destruction at the time of process completion.
[Control: ISM-0839, Revision: 3; Control: ISM-0372, Revision: 6; Control: ISM-0373, Revision: 4].
Moreover, the destruction of media containing non-accountable data can be outsourced, provided the service is certified by the National Association for Information Destruction AAA (NAID-AAA).
[Control: ISM-0840, Revision: 4]
Conclusion:
Whether volatile or non-volatile, hard drive or solid-state, sanitisation is required for all types of drives at their end of life or when they need to be repurposed, sold, donated, or disposed of. With secure media sanitisation, businesses get peace of mind due to protection from data spills and data breach risks. The Australian Signals Directorate's Information Security Manual helps businesses follow secure media sanitisation and destruction practices to remain compliant with Australia’s Privacy Act 1988 and other global data protection laws like EU-GDPR, New Zealand’s Privacy Act 2020, etc.