[PDF] Guidelines for Media Sanitization

View - Download Guidelines for Media Sanitization

Previous PDF

Next PDF

NIST Special Publication 800-88

Revision 1

Guidelines for Media Sanitization

Richard Kissel

Andrew Regenscheid

Matthew Scholl

Kevin Stine

This publication is available free of

charge from: http://dx.doi.org/10.6028/NIST.SP. 800
-88r1 C O M P U T E R S E C U R I T Y

NIST Special Publication 800-88

Revision 1

Guidelines for Media Sanitization

Richard Kissel

Andrew Regenscheid

Matthew Scholl

Kevin Stine

Computer Security Division

Information Technology Laboratory

This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP. 800
-88r1

December 2014

U.S. Department of Commerce

Penny Pritzker,

Secretary

National Institute of Standards and Technology

Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the

Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541 et seq., Public Law 107
-347. NIST is responsible for developing information security standards and guidelines, including

minimum requirements for Federal information systems, but such standards and guidelines shall not apply

to national security systems without the express approval of appropriate Federal officials exercising

policy authority over such systems. This guideline is consistent with the requirements of the Office of

Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory

and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should

these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of

Commerce, Director of the OMB,

or any other Federal official.

This publication may be used by

nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.

Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology

Special Publication 800

-88 Revision 1

Natl. Inst. Stand. Technol. Spec. Publ. 800

-88 Revision 1, 64 pages (December 2014)

CODEN: NSPUE2

This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800 -88r1

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an

experimental procedure or concept adequately. Such identification is not intended to imply recommenda

tion or

endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best

available for the purpose.

There may be references in this publication to other publications currently under development by NIST in

accordance with its assigned statutory responsibilities. The information in this publication, including concepts and

methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus,

until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain

operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of

these new publications by NIST.

Organizations are

encouraged to review all draft publications during public comment periods and provide feedback

to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at

http://csrc.nist.gov/publications.

Comments on this publication may be submitted to:

National Institute of Standards and Technology

Attn: Computer Security Division, Information Technology Laboratory

100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 208

99-8930

Email: 800-88r1comments@nist.gov

ii

Reports on

Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technolo gy. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in

Federal information system

s. The Special Publication 800 -series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. This guide will assist organizations and system owners in making

practical sanitization decisions based on the categorization of confidentiality of their information.

Keywords

media sanitization; ensuring confidentiality; sanitization tools and methods; media types; mobile devices with storage; crypto erase; secure erase

Acknowledgements

The authors would like to thank

Steven Skolochenko

and Xing Li for their contributions to the original version of this publication . The authors would also like to thank Jim Foti for his exceptional editing skills and thorough review of this document his work made this a much better document. Kudos to each of the individuals and organizations who provided comments on this revision. It is a more accurate and usable document due to their contributions. iii NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization

Executive Summary

The modern storage environment is rapidly evolving. Data may pass through multiple organizations, systems, and storage media in its lifetime. The pervasive nature of data propagation is only increasing as the Internet and data storage systems move towards a distributed cloud-based architecture. As a result, more parties than ever are responsible for effectively sanitizing media and the potential is substantial for sensitive data to be collected and retained on the media. This responsibility is not limited to those organizations that are the originators or final resting places of sensitive data, but also intermediaries who transiently store or process the information along the way. The efficient and effective management of information from inception through disposition is the responsibility of all those who have handled the data. The application of sophisticated access controls and encryption help reduce the likelihood that an attacker can gain direct ac cess to sensitive information.

As a result, parties attempting to obtain

sensitive information may seek to focus their efforts on alternative access means such as retrieving residual data on media that has left an organization without sufficient sanitizati on effort having been applied. Consequently, the application of effective sanitization techniques and tracking of storage media are critical aspects of ensuring that sensitive data is effectively protected by an organization against unauthorized disclosure. Protection of information is paramount.

That information may be on paper, optical,

electronic or magnetic media. An organization may choose to dispose of media by charitable donation, internal or external transfer, or by recycling it in accordance with applicable laws and regulations if the media is obsolete or no longer usable. Even internal transfers require increased scrutiny, as legal and ethical obligations make it more important than ever to protect data such as Personally Identifiable Information (PII). No matter what the final intended destination of the media is, it is important that the organization ensure that no easily re-constructible residual representation of the data is stored on the media after it has left the control of the organization or is no longer going to be protected at the confidentiality categorization of the data sto red on the media. Sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. This guide will assist organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information. It does not, and cannot, specifically address all known types of media; however, the described sanitization decision process can be applied universally.quotesdbs_dbs7.pdfusesText_5

[PDF] nsclient 12489

[PDF] nsclient web 403 your not allowed

[PDF] nsclient web ui 403 your not allowed

[PDF] nsclient++ reload

[PDF] nse cyber security

[PDF] nsw psc flexible working case studies

[PDF] nth partial sum of fourier series

[PDF] nüfus cüzdan? sureti e devlet

[PDF] number of fast food restaurants in france

[PDF] numbering equations in latex

[PDF] numeri in francese da 1 a 10

[PDF] numerical methods for constrained optimization

[PDF] numero de france bleu nord

[PDF] numero de telefono paris puerto montt

[PDF] numero département de naissance france