US Government Degaussing Regulations
An abundant set of regulations and legislative acts exists that require users to protect classified or sensitive data from being released outside of their control. Sifting through this material and understanding what is required of you can be a daunting task. The following list of regulations and acts provides a well-rounded base for understanding what is required and removes the guesswork often associated with media sanitisation.
THE NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE NSA/CSS POLICY MANUAL 9-12
The NSA/CSS Policy Manual 9-12 provides guidance for clearing, sanitisation, declassification, and release of information on Information Systems storage devices.
The following excerpts are taken from the NSA/CSS Policy Manual 9-12:
MAGNETIC STORAGE DEVICE PROCEDURES
Reel and Cassette Format Magnetic Tapes
Sanitisation: Sanitise magnetic tapes in accordance with either of the following procedures. Remove all labels or markings that indicate previous use or classification.
Degaussing: Degauss using an NSA/CSS approved degausser.
Magnetic Disks: Magnetic disks include hard disk drives, floppy disks, diskettes, and disk packs.
Hard Disk Drives
Sanitisation: Sanitise hard disk drives by either erasing the hard disk drive in an NSA/CSS approved automatic degausser, by disassembling the hard disk drive and erasing the enclosed platters with an NSA/CSS approved degaussing wand, or incineration. It is also highly recommended that the hard disk drive be physically damaged prior to release. Remove all labels or markings that indicate previous use or classification.
Sanitisation with Automatic Degausser:
1) Remove the hard disk drive from the chassis or cabinet;
2) remove any steel shielding materials or mounting brackets which may interfere with magnetic fields;
3) place the hard disk drive in an NSA/CSS approved degausser and erase.
NOTE: Erasure of hard disk drives will cause damage (i.e., loss of timing tracks and damage to disk drive motor) that will prohibit its continued use.
THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SPECIAL PUBLICATION 800-88 GUIDELINES FOR MEDIA SANITIZATION
The National Institute of Standards and Technology (NIST) Special Publication 800-88 Guidelines for Media Sanitization will assist organizations in implementing a media sanitisation program with proper and applicable techniques and controls for sanitisation and disposal decisions, considering the security categorisation of the associated system’s confidentiality.
The following excerpts are taken from the NIST SP 800-88 Guidelines for Media Sanitization:
The National Institute of Standards and Technology (NIST) developed this guide in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all federal agency operations and assets…
Purpose and Scope
The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media. With the advanced features of today’s operating systems, electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information…
The Gramm-Leach-Bliley (GLB) Act
Many financial institutions collect personal information from their customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of this type of information.
As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information, and to train employees to take basic steps to maintain the security, confidentiality and integrity of customer information.
Here are some suggestions on how to maintain security throughout the life cycle of customer information, that is, from data entry to data disposal:
Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up;
Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information;
Effectively destroy the hardware; and promptly dispose of outdated customer information.
Health Insurance Portability and Accountability Act (HIPAA)
The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This Final Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information.
The requirements and implementation features for Device and media controls are presented at § 164.310 (d) of this rule. The following depicts the requirements and implementation features for the Device and media controls category.
STANDARD: DEVICE AND MEDIA CONTROLS
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility and the movement of these items within the facility.
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
Media re-use (Required)
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Data backup and storage (Addressable)
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.