Summary: The NCSC guidance document provides a comprehensive framework for securely erasing devices, including HDDs, SSDs, and mobile devices. It also describes different methods of secure erasure, including software-based methods such as overwriting, and physical destruction methods. Read this blog to learn about the NCSC guidance on secure sanitisation for erasing devices permanently and securely.
The National Cyber Security Centre (NCSC) of the United Kingdom provides guidance to organisations, public sector businesses, SMEs, and the public on cyber security including how to securely erase PII (Personally Identifiable Information) from devices and safeguard sensitive data. The NCSC provides practical guidance and efficient crisis response to minimize damage, aid in recovery, and gather knowledge for the future.
The scope of the NCSC is very broad. In this blog, we focus on the NCSC guidance for the secure sanitisation of storage media, to help businesses in the UK conform to the guidance on Secure Sanitisation of Storage Media issued by the NCSC.
Understanding NCSC Guidance on Secure Sanitisation of Storage Media:
The NCSC guidelines on the secure sanitisation of storage media discuss why it is required, how to minimize risks, and how to do it inexpensively. This guidance is useful for any organization that wants to ensure that its confidential business and customer data on IT assets like HDDs, SSDs, mobiles, laptops, PCs, cameras, printers, scanners, photocopiers, fax machines, servers, routers, switches, etc. is not accessed by unauthorized parties when the asset leaves the organization’s control. These guidelines aim to ensure that sensitive information is properly sanitised from storage media before the media is reused, repaired, disposed of, or sent to a destruction facility.
So, what is data sanitisation according to the NCSC?
According to NCSC, “Sanitisation is the process of treating data held on storage media to reduce the likelihood of retrieval and reconstruction to an acceptable level. Some forms of sanitisation will allow you to re-use the media, while others are destructive in nature and render the media unusable.” The NCSC advises that if you are planning to “Re-Use, Repair, Dispose or Destroy” your IT assets, you should sanitise the storage media.
The guideline goes into great detail about the dangers of not sanitising. If your organisation does not have a data disposal plan or does not securely erase devices, you may find yourself in situations where you lose control over confidential data and media devices, potentially leading to data leakage, data breach, or unauthorized access to sensitive data. This can be detrimental to your organisation as:
- Your critical data can be recovered and used by adversaries or competitors.
- Private or personal data about your customers or employees can be used to commit fraud or identity theft.
- Your intellectual property can get recovered and publicly published, resulting in reputation and revenue loss.
- The damage from lost or stolen equipment can be magnified if the equipment is not sanitised regularly.
The NCSC recommends enabling data at rest encryption on laptops, smartphones, and other mobile computing devices that are most vulnerable to getting lost or being stolen.
The NCSC goes into further detail about sanitisation facts and examines techniques to manage storage media risks, as well as elements to consider when developing a disposal policy and when securely erasing devices. You can read the complete detailed document here.
NCSC Storage Category, Data Erasure & Device Destruction Guide:
The table below categorises the various pieces of equipment you might come across and discusses how to properly dispose of data on these devices, as well as the device destruction techniques to use. Note that the NCSC provides this information as a guidance tool; you may want to make changes so that your strategy is appropriate for the circumstances in your organization.
|Magnetic Media Devices
|Hard Disc Drives
|HDDs contain massive amounts of data and must be handled separately. Data on HDDs should be erased using an approved data erasure product that destroys data by overwriting all user-addressable memory locations with non-sensitive data or binary patterns. This leaves the device intact so that it can be reused. NCSC also advises degaussing all end-of-life HDDs; you can then physically destroy the device or recycle it. However, degaussing only works on magnetic storage media and is ineffective on other types of technologies. Therefore, it is vital to ascertain whether the storage drive contains any solid-state components (Hybrid Drives).
|Other Magnetic Media
|Magnetic Tape Cartridges, Floppy Disks, DAT, VHS Tapes
|These media devices store huge amounts of data and must be degaussed.
|Solid State Disk
|SSD Hybrid Drives (HDD+SSD)
|SSDs are faster and more expensive than HDDs, and cannot be overwritten with the same degree of assurance as HDDs. Using encryption is one way, as once the key is removed the data is no longer accessible. According to NCSC, sanitising SSDs is difficult as all SSDs are manufactured differently. However, NIST recommends using NIST Clear & Purge as a secure way of erasing SSDs.
Note: You can wipe your SSDs using BitRaser.
|Other Flash Media
|USB Thumb Drives, SD/ Micro SD Cards
|Inexpensive and can be destroyed using a shredder or disintegrator. You might also consider erasing them by connecting them to a USB Hub and then reusing or donating them.
|Smartphones & Other Devices
|Smartphones, Tablets, Notebooks
|Since Smartphones, Tablets & Notebooks typically contain SSDs, NCSC recommends encryption and factory reset. However, NCSC recommends that devices containing sensitive data should be erased using an overwriting tool.
Note: You can wipe your Android & iOS Smartphones & iPads, using BitRaser Mobile Eraser & Diagnostics.
|Laptops, PCs, Cameras, Printers, Scanners, Telephones
|Laptops and PCs usually contain either HDDs or SSDs. These drives must be removed before disposing of laptops or desktops. Other components have factory reset capabilities that can be used to clear data before they are resold, lent out, donated, or destroyed en masse.
|Servers & Data Center Items
|The chassis can be dismantled and disposed of once storage components are removed. These devices may contain encryption keys or certificates and rollback configuration functionality that must be removed via factory reset.
|Cheap & Single Purpose Media
|Routers, Receivers, Switches, Bridges, DVDs, CDs, Smartcards, Chip, PIN Cards, ID Cards
|These devices are cheap and easily replaceable; you might consider disposing of them in-house using a shredder or disintegrator.
|Silicon Chips, PCB
|The goal is to ensure that the silicon “die” in the chip’s container is fractured into two or more pieces, as these chips are unlikely to be reused.
|Monitors & TV
|These devices are void of significant onboard storage; they can be sanitised easily by flushing components with non-sensitive data.
|No storage media/No Data
|Headphones, Keyboards, Mouse, Media Converters, Racks
|If the labelling has been removed, these items may be thrown away without more thought.
NCSC has issued these guidelines to help you make your policies for ensuring data security and secure device management. However, it would be up to you to decide which data erasure software is suitable for your needs.
BitRaser: Best Solution for Wiping All Drives and Devices
BitRaser is a certified data eraser software that can help you securely erase data from various types of storage media per NCSC guidelines. Here are a few reasons why you should consider using it:
- BitRaser can erase HDDs and SSDs in PCs, laptops, and Macs, including M1 and T2 machines.
- Wipes Android & iOS Smartphones, iPads, Chromebooks, Microsoft Surface devices, etc.
- The software uses 24 globally accepted erasure standards, like NIST 800-88 Clear & Purge and DoD 5220.22-M, making data recovery impossible.
- Erases data from laptops, desktops, and rack-mounted drives over a network too.
- Generates tamper-proof reports & certificates of erasure for audit and compliance purposes.
Overall, BitRaser can simplify the process of securely erasing data and wiping devices according to the NCSC guidelines.
What is secure erasure?
Secure data erasure is a software-based method of irreversibly wiping confidential, classified data on a device to render it unrecoverable while keeping the equipment reusable.
What is Overwriting?
The Overwriting approach works by rewriting all user-addressable memory regions with non-sensitive data or binary patterns. Overwriting is often known as “Data Erasure” commercially.
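The following added example (not taken from the NCSC guidance or from BitRaser) shows the overwriting approach described above, together with the verification pass that confirms no block still holds old data. It runs against a constructed temporary image file standing in for a drive; the function names and the 4096-byte block size are assumptions made for this example.

```python
import os
import tempfile

BLOCK = 4096  # bytes per read/write; assumed value for this example


def _fill(pattern):
    """One block of the pattern; each block starts the pattern afresh."""
    return (pattern * (BLOCK // len(pattern) + 1))[:BLOCK]


def overwrite(path, pattern=b"\x00", passes=1):
    """Overwrite every addressable byte of `path` in place; return its size."""
    size = os.path.getsize(path)
    fill = _fill(pattern)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(BLOCK, remaining)
                f.write(fill[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the pass out of the OS cache
    return size


def verify(path, pattern=b"\x00"):
    """Return the offsets of blocks that still differ from the pattern."""
    fill = _fill(pattern)
    residual, offset = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != fill[:len(chunk)]:
                residual.append(offset)  # old data survived here
            offset += len(chunk)
    return residual


def make_sample_image(size=3 * BLOCK + 100):
    """Constructed stand-in for a drive: temp file full of fake records."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"CUSTOMER-RECORD;" * (size // 16 + 1))[:size])
    return path
```

An empty list from `verify` is the evidence an erasure record would rest on. Any offset it returns marks a block that must be overwritten again or handled by destruction.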