CSO

his policy quoted is a perfect example of well intentioned guidance that cites outdated practices. It is clear that the intention of the policy is to assure the sanitization of storage hardware using recognized sanitization practice. However, in this case DoD 5220-22-M is an often quoted spec that has long been considered out of date by both public and private sector security practitioners.

Despite updates by the DoD directing those seeking guidance on data destruction to other sources of guidance such as the NIST 800-88, many continue to reference DoD 5220-22-M as the holy grail. In many cases, this is due to ignorance of more current practice that is more effective than the practice prescribed in DoD 5220-22-M. Yet, in other cases it is a matter of convenience. Such would be the case of software developers who might prefer to avert attention to the fact that the software based overwrite utilities that they produce will only achieve clear level sanitization despite being DoD 5220-22-M compliant.

fact is, clear level processes are vulnerable to laboratory data recovery efforts, and this level of protection may not accommodate the security concerns of those who are accountable for the protection of pii or other confidential information.

With more concern for the protection of digital assets, the need for effective protection methods using practices that adequately protects us from current risks requires that the policies we put in place are not done so blindly, and respect up to date guidance. Albeit, locating and researching what constitutes current and valid guidance is not always easy to find.

Having faced this challenge while researching what constitutes proper guidance for handling end of life hard drives I had prepared a guide in conjunction with Dr. Gordon hughes of the Center fpr Magnetic Recording Research at the UCSD titles 'The Best Practices for the Destruction of Digital Data'. This guide is based on a survey of current guidance available from Academic, Government, and commercial sources, and includes comments and validation by a variety of respected professionals. The ultimate result is a guide that presents the concepts of hard drive operation, considerations for data classification, the handling of end of life data per class level, technical handling considerations of various types of hard drives, and the policy considerations for creating policy that adequately addresses the destruction of end of life data in your environment. Essentially, we sorted out the bad from the good, and validated the concepts.

The guide is currently available at no charge, on request, for personal use to anyone interested by e-mailing me at ryk@converge-net.com This guide is not a commercial work and is not sponsored by any vendor, and is not a product pitch. It is unbiased information formulated to make your job easier.

This policy quoted is a perfect example of well intentioned guidance that cites outdated practices. It is clear that the intention of the policy is to assure the sanitization of storage hardware using recognized sanitization practice. However, in this case DoD 5220-22-M is an often quoted spec that has long been considered out of date by both public and private sector security practitioners.

Despite updates by the DoD directing those seeking guidance on data destruction to other sources of guidance such as the NIST 800-88, many continue to reference DoD 5220-22-M as the holy grail. In many cases, this is due to ignorance of more current practice that is more effective than the practice prescribed in DoD 5220-22-M. Yet, in other cases it is a matter of convenience. Such would be the case of software developers who might prefer to avert attention to the fact that the software based overwrite utilities that they produce will only achieve clear level sanitization despite being DoD 5220-22-M compliant.

fact is, clear level processes are vulnerable to laboratory data recovery efforts, and this level of protection may not accommodate the security concerns of those who are accountable for the protection of pii or other confidential information.

With more concern for the protection of digital assets, the need for effective protection methods using practices that adequately protects us from current risks requires that the policies we put in place are not done so blindly, and respect up to date guidance. Albeit, locating and researching what constitutes current and valid guidance is not always easy to find.

Having faced this challenge while researching what constitutes proper guidance for handling end of life hard drives I had prepared a guide in conjunction with Dr. Gordon hughes of the Center fpr Magnetic Recording Research at the UCSD titles 'The Best Practices for the Destruction of Digital Data'. This guide is based on a survey of current guidance available from Academic, Government, and commercial sources, and includes comments and validation by a variety of respected professionals. The ultimate result is a guide that presents the concepts of hard drive operation, considerations for data classification, the handling of end of life data per class level, technical handling considerations of various types of hard drives, and the policy considerations for creating policy that adequately addresses the destruction of end of life data in your environment. Essentially, we sorted out the bad from the good, and validated the concepts.

The guide is currently available at no charge, on request, for personal use to anyone interested by e-mailing me at ryk@converge-net.com This guide is not a commercial work and is not sponsored by any vendor, and is not a product pitch. It is unbiased information formulated to make your job easier.