A Guide to Destroying Data – When Shredding Isn’t Enough

January 10, 2023

For the modern business leader, it's important to know exactly where the organisation's confidential information is stored, especially when crucial company data is involved. As a CISO or CEO, you are as responsible for securing and safely storing valuable information as you are for keeping your other security measures up to date. As technology becomes increasingly portable, the risk of lost data increases. In this article, we'll explore some of the secure destruction techniques you can use to properly protect your company's important information.

An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information. —NIST 800-88, Rev.1, “Background”

When important information is stored on media such as USB drives, hard drives or solid state devices, secure destruction is essential. These devices should be properly sanitised before they are discarded so that your data remains safe and protected.

Hard Drives - Organisations looking to securely dispose of data stored on hard disk drives should consider a range of methods depending on the desired outcome. Clearing can remove sensitive information from devices to be reused inside an organisation, while digital shredding or wiping overwrites existing content with new characters like 1 and 0 for maximum protection. Degaussing uses magnetic fields to alter storage structures, which renders the drives unusable, although ultimate security may require physical destruction techniques such as crushing or incineration for complete assurance against recovery attempts.

Solid State Drives - Keep your data safe and secure with the right strategies for SSD disposal. For internal reuse, use built-in sanitization commands to render information inaccessible. To ensure that device data can never be recovered again, opt for physical destruction. Note: when outsourcing these services to third parties, select a provider who meets the applicable standards for successful and reliable data destruction processes.

Each type of device requires different techniques to be applied.

Different approach for each device type

How to Securely Destroy Hard Drives

When it comes to securely destroying or disposing of data on hard disk drives (HDDs), or the physical location where the data is stored, consider using the following methods:

1. Clearing: Clearing removes data in such a way that prevents an end-user from easily recovering it. This method is suitable for reusing devices inside your organization.

2. Digital Shredding or Wiping: This method does not alter the physical asset. Instead, it overwrites the data with other characters, such as 1s, 0s and random characters, over multiple passes (e.g. the DoD 5220.22-M algorithm).

3. Degaussing: Degaussing uses a strong magnetic field to rearrange the structure of the HDD. Once the HDD is degaussed, it can no longer be used.

4. Physical Destruction: This method ensures the secure disposal and destruction of HDDs as they are hydraulically crushed or mechanically shredded, so that data can never be retrieved or reconstructed.
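
The overwrite-and-verify idea behind digital shredding, as an added example that is not part of the original article and is not a certified DoD 5220.22-M implementation. It assumes the target is a regular file or disk image (the constructed temporary file below), and the pass order of zeros, ones, then random data is an illustrative choice; each pass is read back and compared against a hash of what was written.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # work in 1 MiB chunks so large images never sit in RAM

def overwrite_pass(path, pattern=None):
    """Overwrite every byte of path in place; pattern=None writes random data.
    Returns the SHA-256 of the bytes written so the pass can be verified."""
    digest = hashlib.sha256()
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            block = os.urandom(n) if pattern is None else pattern * n
            f.write(block)
            digest.update(block)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the pass out of the OS cache to the medium
    return digest.hexdigest()

def read_back_digest(path):
    """Hash what is actually stored after a pass."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            digest.update(chunk)
    return digest.hexdigest()

def wipe(path, passes=(b"\x00", b"\xff", None)):
    """Run each pass and verify it; returns [(pass label, verified), ...]."""
    report = []
    for pattern in passes:
        expected = overwrite_pass(path, pattern)
        label = "random" if pattern is None else pattern.hex()
        report.append((label, read_back_digest(path) == expected))
    return report

def demo():
    # Constructed sample data standing in for a disk image (assumption).
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONSTRUCTED-SECRET customer ledger\n" * 4096)
        path = tmp.name
    try:
        report = wipe(path)
        with open(path, "rb") as f:
            leftover = b"CONSTRUCTED-SECRET" in f.read()
        return report, leftover
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

Overwriting through the operating system like this only reaches the blocks the drive exposes; on flash media, remapped and over-provisioned cells are not touched, which is why SSDs call for the built-in sanitization commands or physical destruction instead.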

How to Securely Destroy Solid State Drives

For secure data destruction and secure data disposal of data found on solid state drives (SSDs), or the virtual location the data is stored, consider using the following methods:

1. Built-In Sanitization Commands: This method is effective if the device is to be reused within the organization.

2. Physical Destruction or Encryption: Using this method is the only true way to ensure device data cannot be recovered.

To outsource this service to a third party, use a reputable provider who meets the standards required to destroy the type of information you need securely destroyed.

Selecting a certified third party who can provide destruction services.

For further help on selecting a third-party provider, have a look at the provider certifications on the i-SIGMA website.

Who is i-SIGMA?

i-SIGMA offers free ongoing service provider monitoring of vendors handling regulated, sensitive information.

The International Secure Information Governance & Management Association™ (i-SIGMA®) is the industry trade association for secure data destruction and records & information management service providers. i-SIGMA enforces standards and ethical compliance for approximately 2,500 service providers on six continents and currently maintains the most rigorous and widely accepted data-security vendor-compliance certifications, NAID AAA Certification® and PRISM Privacy+ Certification®, with hundreds of governments and thousands of private contracts using the programs to meet their regulatory due diligence requirements.

Sign up at i-Sigma for free compliance reports about your chosen secure destruction provider.

For further information about secure destruction standards and advice, refer to the Australian Government's Media Guideline.

Before you go and throw away all of your old USB drives, make sure you properly sanitise them first. If not, you run the risk of someone accessing important information that could be used against you or your company. While it may seem like a pain to have to go through this process, it's much better than the alternative. InfoSecAssure can help make this process easier for you with our helpful templates. So before you toss out those old devices, be sure to subscribe to us first!
