Chapter 5: Data Destruction Standards and Guidelines

Chapter 5 of 6   |   Published on Oct 19, 2021

The previous chapter outlined the building blocks of a data destruction policy, focusing on the components your organization needs to consider when drafting one. Among these components, effective execution of data destruction procedures is crucial to protect data privacy and attain compliance. In other words, organizations can achieve favorable outcomes by following globally accepted standards for data destruction.

Also, data destruction standards have gained prominence across different industries and sectors such as banking, financial services and insurance, healthcare, defense, e-commerce, etc. They can help organizations attain compliance with sectoral regulations and data security standards outlined as follows:

1. Banking & Finance Industry
Standards and regulations in this sector include the Payment Card Industry Data Security Standard (PCI DSS), the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule, the Bank Secrecy Act, the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), etc. All these regulations mandate organizations to destroy data in accordance with defined standards and outcomes.

2. Healthcare Industry
There are specific regulations to safeguard the privacy of Protected Health Information (PHI). In the US, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects PHI by obligating all the covered entities and associates to protect patients’ health-related data. It directs the entities concerned to exercise greater discretion when disposing of information such as social security number, driver’s license number, diagnosis and treatment information, etc.

3. Defense Departments & Service Branches
Various defense and security services such as the United States Army, Navy, Air Force, and NSA have been following specialized data destruction standards for decades. Some of these standards include US DoD 5220.22-M, Air Force System Security Instruction 5020, and NSA 130-1. However, since the advent of modern storage media such as solid-state drives and hybrid drives, the defense departments have transitioned to prominent media sanitization guidelines such as NIST SP 800-88.

Data Destruction Standards

Over the previous decades, several data destruction (aka media sanitization) guidelines have emerged following the prevalence of electronic data. These guidelines define standardized implementation methods for physical & logical data destruction techniques such as shredding, incineration, degaussing, data erasure, etc. You can refer to Chapter 3 to understand the various data destruction methods & techniques.

This chapter of our knowledge series provides comprehensive insights into the leading data destruction guidelines and standards, as follows:

1. NIST SP 800-88
NIST SP 800-88 [1], first published in 2006, is one of the most well-known and widely followed media sanitization guidelines in the world today. Its first revision, released in 2014, defines three methods of media sanitization to attain data destruction, namely Clear, Purge, and Destroy. These methods can effectively destroy the data stored on magnetic, flash, and optical media and span devices such as hard drives, SSDs, mobile devices, diskettes, memory cards, tapes, point-of-sale devices, networking devices, IoT devices, printers, etc.

  • NIST Clear: The Clear method is based on overwriting the existing information in all user-addressable memory locations on a medium using standard Read/Write commands. It rewrites the existing data with a new value such that it is destroyed forever and protected against non-invasive data recovery techniques. Where overwriting is not possible, a factory reset of the device is also considered a Clear method.
  • NIST Purge: The Purge method employs techniques such as Overwriting, Block Erase, and Cryptographic Erase that use specific commands and media-specific mechanisms for data destruction. The block erasure technique is used for sanitizing solid-state drives by using vendor-unique commands that increase the voltage levels on the memory blocks and suddenly drop them to zero to erase the data electronically. Cryptographic erasure wipes the Media Encryption Key (MEK) of self-encrypting drives (SEDs), leaving the data as ciphertext, i.e., encrypted information that is unreadable without the decryption key.
  • NIST Destroy: This method employs several techniques, such as shredding, disintegration, melting, incineration, etc., to destroy the storage media physically. The underlying data is permanently destroyed as a result.

Suggested reading: Use of NIST 800-88 Standard for Drive Erasure

NIST SP 800-88 Media Sanitization Matrix

| Storage Media | Clear | Purge | Destroy |
|---|---|---|---|
| Paper and microforms | NA | NA | Shred using cross cut shredders |
| Copier, printer, fax machine | Device reset | Use hardware or firmware specific techniques such as rewriting, block erasure, or cryptographic erasure | Use standard physical destruction methods [2]: Shred, Disintegrate, Pulverize, Incinerate |
| Routers and Switches | Full factory reset as per OEM settings | NA | Use standard physical destruction methods |
| Floppies | Overwrite and verify | Degauss | Incinerate |
| Magnetic Disks | Overwrite and verify | Degauss | Incinerate |
| Reel and Cassette Format Magnetic Tapes | Rerecord (Overwrite) | Degauss | Incinerate |
| ATA and SCSI Hard Disk Drives. Also applicable to local external HDDs. | Overwrite and verify | Use any of these methods: Overwrite EXT command; Cryptographic Erase; Use SECURE ERASE command; Degauss | Use standard physical destruction methods |
| ATA Solid State Drives | Overwrite and verify OR, ATA SECURITY ERASE UNIT command, if supported | Block Erase; Cryptographic Erase through the TCG Opal SSC or Enterprise SSC interface | Use standard physical destruction methods |
| SCSI Solid State Drives | Overwrite and verify | SCSI SANITIZE command; Cryptographic Erase | Use standard physical destruction methods |
| NVM Express SSDs | Overwrite and verify | NVM Express Format command; Cryptographic Erase | Use standard physical destruction methods |
| Mobile devices (iOS® and Android® devices) | Erase all contents using Factory Reset OR, Overwrite and verify | eMMC Secure Erase or Secure Trim command for factory reset OR, Cryptographic erase | Use standard physical destruction methods |
| USB Removable Media and Memory Cards | Overwrite and verify | Not supported | Use standard physical destruction methods |
| Embedded Flash Memory | Reset to original factory settings | Not supported | Use standard physical destruction methods |
| DRAM [3] | Not supported | Remove the DRAM from the device after switching off the power. | Shred, Disintegrate, Pulverize |
| EAPROM [4] | Not supported | Full chip purge as per OEM datasheet | Shred, Disintegrate, Pulverize |
| EEPROM [5] | Overwrite and verify | Not supported | Use standard physical destruction methods |
| Optical Media | Not supported | Not supported | Shred, Disintegrate, Incinerate |

2. DoD 5220.22-M
The DoD 5220.22-M standard or US DoD data wipe method is another widely followed data destruction standard. It was released by the U.S. Department of Defense (DoD) in the National Industrial Security Program Operating Manual (also known as NISPOM or Department of Defense document #5220.22-M).

It defines a set procedure for erasing the data on addressable memory locations with specific binary patterns, including zeroes, ones, and a random bit pattern. The standard involves a three-pass overwriting process with verification after completing each pass, as follows:

Pass 1: Overwrites all addressable memory locations with binary zeroes
Pass 2: Overwrites all locations with binary ones
Pass 3: Overwrites with a random bit pattern
The final overwrite pass is verified.

In 2001, DoD published the DoD 5220.22-M ECE method, a 7-pass version of the original standard. It runs DoD 5220.22-M twice and an extra pass (DoD 5220.22-M (C) Standard) in between.

Pass 1: Overwrites with binary zeroes
Pass 2: Overwrites using binary ones
Pass 3: Overwrites with a random bit pattern
Passes 4 & 5: Same as Pass 1
Pass 6: Overwrites with binary ones
Pass 7: Overwrites with a random bit pattern
Verifies the final overwrite pass.

The DoD 5220.22-M standard is favored for its efficiency and reliability in erasing hard disk drives. However, it is not recommended for destroying data stored on flash memory-based storage media because of their complex data storage mechanism. Also, since 2019 the NISPOM guideline has specified NIST SP 800-88 as the main guideline for media sanitization.
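
The three-pass overwrite-and-verify procedure above, sketched as an added example (not code from the original page or from any of the standards). It also covers the Schneier and VSITR pass sequences listed later in this chapter; treating "ones" as 0xFF bytes, verifying every pass by read-back, and using a constructed temporary image file in place of a real drive are assumptions of the example.

```python
import hashlib
import os
import tempfile

# Pass sequences as listed on this page (assumption: zero = 0x00, one = 0xFF).
SCHEMES = {
    "DoD 5220.22-M": ["zero", "one", "random"],
    "Schneier": ["one", "zero"] + ["random"] * 5,
    "VSITR": ["zero", "one"] * 3 + ["random"],
}

def _block(kind, n):
    """Return n bytes of the pattern used by one pass."""
    if kind == "random":
        return os.urandom(n)
    return (b"\x00" if kind == "zero" else b"\xff") * n

def overwrite(path, scheme, chunk=1 << 16):
    """Run each pass of `scheme` over `path`; return (pass_no, pattern, verified)."""
    size = os.path.getsize(path)
    report = []
    with open(path, "r+b") as f:
        for number, kind in enumerate(SCHEMES[scheme], start=1):
            f.seek(0)
            written = hashlib.sha256()
            remaining = size
            while remaining:
                block = _block(kind, min(chunk, remaining))
                f.write(block)
                written.update(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())  # push the pass to storage before verifying
            # Read-back check. On a real drive the read must bypass the OS page
            # cache (e.g. direct I/O); a temp file here only shows the logic.
            f.seek(0)
            readback = hashlib.sha256()
            while data := f.read(chunk):
                readback.update(data)
            report.append((number, kind, readback.digest() == written.digest()))
    return report

def demo(scheme="DoD 5220.22-M"):
    """Wipe a constructed ~200 KiB image; return (report, marker_still_present)."""
    marker = b"CONSTRUCTED-SECRET-RECORD-0001"  # constructed sample data
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(marker * 6827)  # size is not a multiple of the chunk size
        report = overwrite(path, scheme)
        with open(path, "rb") as f:
            leftover = marker in f.read()
        return report, leftover
    finally:
        os.remove(path)

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Overwriting through the file or block interface reaches only user-addressable locations, which is why the page steers flash-based media toward other methods.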

Further reading: Use of the DoD 5220.22-M Standard for Drive Erasure

DoD 5220.22-M Clearing and Sanitization Matrix

| Storage Media | Clear | Sanitize |
|---|---|---|
| Magnetic Tape | Degauss | Degauss or destroy [6] |
| Magnetic Disk | Degauss or overwrite | Degauss, destroy, or overwrite |
| Optical Disk | Overwrite [7] | Destroy |
| DRAM | Overwrite or remove all power | Overwrite, remove all power, or destroy |
| EAPROM/EEPROM | Full chip erase [8] | Overwrite or destroy |
| Flash EPROM | Full chip erase | Overwrite then full chip erase or destroy |
| Programmable ROM (PROM) | Overwrite | Destroy |
| Nonvolatile RAM (NOVRAM) | Overwrite or remove all power | Overwrite, remove all power, or destroy |

Source: DoD 5220.22-M Clearing and Sanitization Matrix

3. HMG Infosec Standard 5
HMG IS5 is the British Government’s data destruction standard, which is part of the IT security guidelines defined by the National Cyber Security Centre (NCSC). Originally in NCSC ASSURED SERVICE CAS SERVICE REQUIREMENT SANITISATION version 2.1, HMG IS5 v5.0 mandates “companies to sanitize media in line with the new Classification Scheme.”

It is based on overwriting the storage media thrice with binary patterns, namely zeros, ones, and a random character. However, it verifies the overwriting only after the third pass is completed. There are two variants of the HMG IS5 standard viz. Baseline and Enhanced, as follows:

HMG IS5 “Baseline” Standard 
Pass 1: Overwrites using a zero, & verifies the overwrite pass

HMG IS5 “Enhanced” Standard
Pass 1: Overwrites with a zero

Pass 2: Overwrites with one, & verifies the overwrite pass

4. RCMP TSSIT OPS-II
Royal Canadian Mounted Police Technical Security Standard for Information Technology (RCMP TSSIT) lays down the administrative, technical, and procedural precautions for implementing the requirements of the "Security Policy of the Government of Canada" (GSP).

Appendix OPS-II of RCMP TSSIT defines the following media sanitization guidelines for the different types of storage media:

  • Removable magnetic media – tapes, cartridges, and disks should be sanitized by passing them through an approved bulk eraser or tape degausser.
  • Non-removable magnetic media – disks and disk packs should be overwritten with alternating patterns of binary 1s and 0s through six passes followed by a random character in the seventh pass and verification.
  • Magnetic memory – Magnetic core memory should be overwritten 1000 times with alternating patterns of 0s and 1s. EPROMs should be physically destroyed unless they are reused within the same environment.
  • Optical media – Disks and CD-ROM must be physically destroyed.

Other Global Data Destruction Standards

Aside from the above universally accepted standards, there are several more standards, outlined in the table below:

| Standard | Origin | Description | Passes |
|---|---|---|---|
| Schneier Method | Bruce Schneier – American Cryptographer and computer security expert | The Schneier method uses multiple passes of zeros, ones, and random characters to overwrite and destroy the data. | Total 7 passes. Pass 1: Writes a 1; Pass 2: Writes a 0; Pass 3–7: Writes random characters |
| NCSC-TG-025 | US National Security Agency | The NCSC-TG-025 method uses zeros and a random character for overwriting the storage media. It verifies the overwrite process after every pass. | Total 3 passes. Pass 1: Writes a 0 and verifies; Pass 2: Writes a 1 and verifies; Pass 3: Writes a random character and verifies |
| NAVSO P-5239-26 | US Navy | The NAVSO P-5239-26 method for data destruction involves overwriting the storage media with a specified character, its complement, and a random character. It verifies the overwriting after all the passes are completed. | Total 3 passes. Pass 1: Writes a specified character like 0; Pass 2: Writes the complement of the specified character like 1; Pass 3: Writes a random character and verifies |
| Pfitzner Method | Roy Pfitzner | The standard Pfitzner method overwrites the storage media with 33 passes of a random character. However, some modifications of the method use a smaller number of passes. | Total 33 passes. Pass 1–33: Writes a random character. |
| AFSSI-5020 | US Air Force | The AFSSI-5020 method overwrites the media using ones, zeros, and a random character and verifies the process after all the passes are over. | Total 3 passes. Pass 1: Writes a 0; Pass 2: Writes a 1; Pass 3: Writes a random character and verifies |
| AR 380–19 | US Army | The AR 380–19 method also involves a three pass overwriting process. However, it overwrites the media using a random character, a specified character (like 1), and its complement. It verifies the process after all the passes are completed. | Total 3 passes. Pass 1: Writes a random character; Pass 2: Writes a specified character; Pass 3: Writes the complement of the specified character and verifies |
| VSITR Method | Germany | The VSITR method uses a combination of zeros, ones, and random character to overwrite the storage media through several passes. VSITR does not perform verification. | Total 7 passes. Pass 1: Writes a 0; Pass 2: Writes a 1; Pass 3: Writes a 0; Pass 4: Writes a 1; Pass 5: Writes a 0; Pass 6: Writes a 1; Pass 7: Writes a random character |
| GOST R 50739-95 | Russia | The GOST R 50739-95 method is more straightforward than the other methods outlined so far. It uses either a single pass or two passes to overwrite the media using zero or zero and a random character. GOST R 50739-95 does not perform verification. | Total 1 or 2 passes. Version 1: Pass 1: Writes a 0; Pass 2: Writes a random character. Version 2: Pass 1: Writes a random character |
| Peter Gutmann Method | Peter Gutmann – Computer Scientist, New Zealand | The Peter Gutmann method uses an intricate overwriting pattern for data destruction. It can perform up to 35 passes of random characters and complex patterns for overwriting. | Total 35 passes. Pass 1–4 and Pass 32–35: Random characters; Pass 5–31: Random patterns |
| CSEC ITSG-06 | Canada | The CSEC ITSG-06 method uses ones or zeroes, a complement, and a random character to overwrite the data. The method verifies the process after all the passes are completed. | Total 3 passes. Pass 1: Writes a 1 or 0; Pass 2: Writes the complement; Pass 3: Writes a random character and verifies |

Choosing a Data Destruction Standard: Key Considerations

There are numerous data destruction standards, and choosing one for your organization could be daunting considering their specifications, media sanitization scope, acceptance & prevalence, etc. You may tend to compare these standards on parameters like the number of passes, characters used, overwriting techniques, etc., to determine suitability. Or, consider adopting more than one standard to maximize the effectiveness & scope based on your company’s needs. However, these approaches might not help you make an optimal choice and increase the operational complexity and efforts considering factors like overlaps in the overwriting passes and implementation method. The key considerations for shortlisting a data destruction standard should be based on the following parameters:

1.    Media sanitization scope: the types of storage media sanitized using the standard. Broader scope allows comprehensive application and is therefore considered better. For example, NIST SP 800-88 covers virtually all types of storage media, ranging from paper, film, reel, tape, diskette, hard disk drive, and networking devices to SSD, volatile memory, smartphones, embedded storage, etc.

2.    Efficiency & effectiveness: how quickly the standard allows overwriting the storage media for permanent data destruction. The efficiency of a data destruction standard depends directly on the number of overwriting passes and verification steps, but it can also depend on the tool or method used to execute the passes. For example, the NIST SP 800-88 Clear and Purge methods can be implemented in a single pass using an overwriting software tool or read/write commands. In contrast, DoD 5220.22-M includes 3–7 passes, and the Pfitzner method involves 33 passes!

3.    Acceptance & prevalence: general adoption and use of a standard to meet the regulatory norms for data protection. Higher adoption of a standard could imply that it meets the requirements of most entities and is compliant with the applicable global, local, and sectoral laws. For example, the NIST SP 800-88 Guideline for Media Sanitization is the most preferred standard by the US federal government. It can also meet the requirements of the “right to erasure” or “right to be forgotten” provisions in GDPR and the “right to delete” provision in CCPA.

Conclusion

Effective implementation of a data destruction policy requires systematic execution of the various methods that constitute its core. To this effect, data destruction standards provide the necessary guidance and technical procedures to sanitize data storage media. They also play a crucial role in synergizing the outcomes vis-à-vis the globally accepted norms for compliance with data protection regulations. This chapter shared insights on a vast number of data destruction guidelines and standards, including the prominent ones such as NIST SP 800-88, DOD 5220.22-M, HMG IS5, RCMP TSSIT, etc.

A key takeaway for organizations adopting a data destruction standard is to assess the nitty-gritty, such as the number of overwriting passes, verification method, and global acceptance in the context of regulations such as GDPR, etc. In recent years, NIST SP 800-88 has emerged as one of the leading data destruction standards considering its broad media sanitization scope, up-to-date guidelines, and widespread industrial adoption.

After you adopt a standard and plan out your policy implementation, we advise considering data destruction best practices to derive the best outcomes. Please read the next chapter of our knowledge series to get insights into the best practices for effective and consistent data destruction.


1 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
2 Standard physical destruction methods include Shredding, Disintegration, Pulverization, Incineration
3 DRAM - Dynamic Random Access Memory
4 EAPROM - Electronically Alterable PROM
5 EEPROM - Electronically Erasable PROM
6 Disintegrate, incinerate, pulverize, shred, or melt.
7 Overwrite all addressable locations with a single character or a single character with complement and random character and verify.
8 Full chip erase as per the manufacturer’s datasheets.
