BSI is the acronym for Germany’s federal cyber security authority, the Bundesamt für Sicherheit in der Informationstechnik. As Germany’s premier federal agency, it regularly publishes guidelines that offer information security tips to help safeguard the German cyber infrastructure. Within these guidelines, the agency recommends permanent data erasure, which plays an important role in data lifecycle management. Organizations looking to comply with BSI must follow its data erasure recommendations to maintain data privacy.
The guidelines state that any device that contains data, like an HDD, SSD, or smartphone, must be erased and its data must be removed permanently before it can be resold or recycled. They further state that if the device is inaccessible, for example due to a high number of bad sectors, then it must be destroyed for reasons of data security. The document also highlights the ineffectiveness of commonly used methods for removing data, like deletion or factory reset, and recommends using professional data wiping software that can also erase data stored in hidden areas.
Drawbacks of Delete, Factory Reset & High-Level Format As Per BSI
On its website, BSI describes the commonly used techniques for data removal, which include a normal delete function, a factory reset, or a high-level format, as inadequate methods. According to the agency:
- Deletion removes only the file pointers from the file system, leaving the data intact on the storage block.
- Factory reset brings the device back to its original factory condition, but leaves user data intact.
- Similarly, a high-level format just reinitializes the file system, leaving the data as it is.
This data is not removed until it is overwritten by new data, and in most cases that may never happen. To overcome these shortcomings, BSI provides device-specific methods for permanently erasing data. Following BSI guidelines makes it easier for organizations to comply with other federal regulations, such as EU-DSGVO or the German Federal Data Protection Law BDSG, and it also helps with ISO 27001 and NAID AAA compliance.
BSI Guidelines for Erasing Data Permanently from Drives
The agency emphasizes using a different approach for each type of drive: magnetic Hard Disk Drives (HDDs), newer semiconductor-based Solid-State Drives (SSDs), or a combination of both, Solid-State Hybrid Drives (SSHDs).
- For HDDs: It recommends using specialized data wiping software to overwrite and destroy existing data using one or more passes with random numbers or specialized characters. For older HDDs below 80 GB, BSI recommends using 7 overwrite passes. This is in contrast with the NIST 800-88 Media Sanitization Guidelines, which consider even one pass a secure method of data erasure. For modern HDDs, BSI recommends using the ATA Secure Erase command combined with overwriting, in sync with NIST guidelines.
- For SSDs & SSHDs: Similar to HDDs, the ATA Secure Erase command can be used, and it should be followed by one or more overwrite passes to ensure permanent media sanitization.
BSI recommends using software that works independently from the device’s Operating System (OS). The software should be able to boot from a USB drive, just like BitRaser Drive Eraser, and erase the complete drive. BSI further points out the importance of erasing hidden areas like the Host Protected Area (HPA) to ensure that data is permanently and completely removed from both user-addressable and non-addressable areas. However, these methods only work if the HDD or the SSD is accessible; if not, the drive should be physically destroyed. Although the guidelines do not state any particular method for physical destruction, like shredding or degaussing, we recommend that organizations refer to the NIST 800-88 or IEEE 2883:2022 guidelines for media sanitization.
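The difference between removing pointers and overwriting, and the reason a wipe has to reach the hidden area, shown as an added example that is not from BSI or BitRaser. `ToyDrive` is a constructed in-memory model; its class, method names and marker strings are assumptions, not a real device interface.

```python
import os

class ToyDrive:
    """Constructed model: raw bytes, a file table, and a hidden area past the user range."""
    def __init__(self, user_bytes=32768, hidden_bytes=4096):
        self.user_end = user_bytes
        self.raw = bytearray(user_bytes + hidden_bytes)
        self.table, self.next_free = {}, 0       # name -> (offset, length)

    def write_file(self, name, data):
        self.raw[self.next_free:self.next_free + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += len(data)

    def write_hidden(self, data):                # stands in for HPA content
        self.raw[self.user_end:self.user_end + len(data)] = data

    def delete(self, name):
        del self.table[name]                     # pointer removed, data untouched

    def high_level_format(self):
        self.table, self.next_free = {}, 0       # empty file system, same raw bytes

    def overwrite(self, passes=1, include_hidden=True):
        end = len(self.raw) if include_hidden else self.user_end
        for _ in range(passes):
            pattern = os.urandom(end)
            self.raw[:end] = pattern
            if bytes(self.raw[:end]) != pattern: # read-back verification
                raise OSError("verification failed")
        self.high_level_format()

def recoverable(drive, marker):                  # raw scan that ignores the file table
    return marker in bytes(drive.raw)

def run_demo():
    secret, hidden = b"CUSTOMER-RECORD-0001", b"VENDOR-DIAG-LOG-0001"  # constructed
    drive, out = ToyDrive(), {}
    drive.write_file("crm.db", secret * 40)
    drive.write_hidden(hidden)
    drive.delete("crm.db")
    out["delete"] = recoverable(drive, secret)
    drive.high_level_format()
    out["format"] = recoverable(drive, secret)
    drive.overwrite(include_hidden=False)        # wipe that stops at the user range
    out["user_area_wipe"] = (recoverable(drive, secret), recoverable(drive, hidden))
    drive.overwrite()                            # wipe that covers the hidden area too
    out["full_wipe"] = (recoverable(drive, secret), recoverable(drive, hidden))
    return out
```

`run_demo()` returns, for each step, whether the markers can still be found by a raw scan; the two tuples are (user data, hidden-area data).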
Today, mobile devices like smartphones play a crucial role and store large amounts of personal and confidential data, including emails, login credentials, health information, behavior data, business-critical information, etc. Unlike drives, smartphones are upgraded more frequently, and the older ones get repurposed, resold, or recycled faster. For these outdated mobile devices, too, the BSI recommendation of secure data erasure must be followed to ensure data privacy and maintain compliance.
BSI Guidelines for Erasing Smartphones
The BSI guidelines state that performing a factory reset on smartphones only deletes the ‘table of contents’ of the phone’s file system, leaving the actual data intact on the internal memory. The data becomes inaccessible but can be recovered using commercially available tools like Stellar Data Recovery for iPhone or Stellar Data Recovery for Android. Hence, factory reset is not a reliable method of erasing data. BSI provides the following recommendations for erasing data from smartphones.
- Backup Important Data: Before the smartphone is erased, crucial data that will be required later must be backed up on another device or cloud.
- Remove External SD Card & SIM: It is crucial to remove the external MicroSD cards and securely erase them. Physically destroy the card and the SIM if they don’t work.
- Data Encryption: Encrypt the smartphone if supported, as encryption is a secure method of making data irrecoverable after a factory reset. Once encrypted, even if data recovery is attempted, the data remains inaccessible without the decryption key.
- Overwriting Storage: As with HDDs and SSDs, overwriting is a reliable method for removing data permanently from the smartphone, and it can be done with a smartphone wiping tool.
- Factory Reset: This method is used as an additional step once either encryption or overwriting has been performed, to bring the device back to its factory setting and make it ready to be reused.
Conclusion
Data privacy is a critical ask of customers worldwide, including in Germany. A single episode of data privacy violation can ruin a company’s reputation, and the effects can be devastating. The reason behind the violation could be a cyberattack or a compromised laptop that was not erased properly before being resold. The Guidelines for Erasing Data provided by BSI offer a robust data security framework backed by effective techniques that can ensure permanent data erasure from storage media, like HDDs, SSDs, SSHDs, and smartphones. German companies processing data or managing it must comply with BSI guidelines. These guidelines are not just helpful InfoSec documents, but are a base on which compliance with other federal regulations, like the EU-GDPR and BDSG, can be maintained. BitRaser software has been tested and certified by NIST and Common Criteria, respectively, aligning perfectly with BSI guidelines. The digitally signed Certificate of Data Destruction and data erasure report generated by the tool are comprehensive documents that come in handy during audits and when fulfilling BSI compliance requirements.