CSL BULLETIN Advising users on computer systems technology October 1992 DISPOSITION OF SENSITIVE AUTOMATED INFORMATION This CSL Bulletin discusses the sanitization of magnetic media used to store sensitive information and supplements FIRMR Bulletin C-22 on the security and privacy of federal information processing resources, issued by the General Services Administration on September 18, 1992. Sanitization means the removal of data from storage media so that, for all practical purposes, the data cannot be retrieved. Some instances in which sanitization must be considered include whenever media is transferred from one organization to another, when equipment is declared surplus, and when organizations dispose of media. Much of the information in this CSL Bulletin was drawn from the National Computer Security Center's A Guide to Understanding Data Remanence in Automated Information Systems, (NCSC-TG-025, Library No. S-236,082, Version 2) which provides specific technical guidance. Sanitization: Why Be Concerned? In the past, reports have surfaced that federal agencies have disposed of surplus information technology (IT) equipment without taking appropriate measures to erase the information stored on the system's media. This can lead to the disclosure of sensitive information, embarrassment to the agency, costly investigations, and other consequences which could have been avoided. Sharing of media within the government or between government and contractors also presents security issues. For example, IT equipment is sometimes transferred between offices without first removing sensitive files. Diskettes may be used to transfer documents or data files (e.g., for time and attendance reporting) between offices with little concern for the other information which may reside on the diskette. Employees throw away old diskettes believing that "erasing" the files on the diskette has made the data unretrievable. In reality, however, "erasing" a file simply removes the "pointer" to that file. The pointer tells the computer where the file is physically stored on the disk. Without this pointer, the files will not appear on a directory listing of the diskette's files. This does not mean that the file was removed from the diskette. (Commonly available utility programs can often retrieve information that is presumed "deleted.") Fortunately, with foresight and appropriate planning, these situations can be avoided. Specific Agency Policies FIRMR Bulletin C-22 states that federal agencies must establish policies and procedures to ensure the proper disposition of sensitive automated information. Some factors to be considered in developing agency policies are: o Magnetic media may be exposed to unauthorized access at various times in the system life cycle. When are exposures most likely to occur? How do these exposures occur? What types of data are at risk? What procedures are appropriate for disposal of media for the agency's specific operating environment? o Contractors typically use their IT systems to process information owned by a federal agency. Are policies or contractual mechanisms in place to adequately protect this information? Contractors must be aware of the importance of implementing appropriate sanitization policies and procedures. Binding contractual provisions to ensure the protection of the agency's information are often appropriate. o The agency's computer security training and awareness program can be an effective mechanism to address media disposal and sanitization issues. Users require specific guidance and a source of answers to their questions. o Does the agency lease equipment? If so, leased equipment used to process sensitive information should not be returned to the vendor unless the media is sanitized. Techniques for Media Sanitization Three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction. Overwriting and degaussing are the methods recommended for disposition of sensitive automated information. (Users of classified systems may also have to be concerned with data remanence. This refers to the residual information left behind once media has been in some way erased.) Security officers should be consulted for appropriate guidance. Overwriting Overwriting is an effective method of clearing data from magnetic media. As the name implies, overwriting utilizes a program to write (1s, 0s, or a combination of both) onto the location of the media where the file to be sanitized is located. The number of times that media is overwritten depends on the level of sensitivity of the information. Overwriting should not be confused with merely deleting the pointer to a file, as discussed above. Of course, in order for overwriting to be used, the media must be in working order; for example, overwriting may not be used on a disk which has suffered a head crash nor on a diskette which has had coffee spilled on it. Regular preventative maintenance can help keep drives in working order to minimize head crashes. Many programs are available, particularly for PCs, that have an overwrite function. Although overwriting can be used for clearing magnetic tapes, this method is time-consuming and generally never used. Degaussing, as discussed below, is a better alternative. In the design of sensitive applications, software developers may wish to consider integrating overwrite capability directly into the application. Degaussing Degaussing is a method to magnetically erase data from magnetic media. Two types of degaussers exist: strong magnets and electric degaussers. Degaussers are tested by the Department of Defense; those which meet their requirements are placed on the Degausser Products List (DPL) of the National Security Agency's (NSA) Information Systems Security Products and Services Catalogue. Different types of degaussing magnets are appropriate for varying types of magnetic media; consult the NSA's A Guide to Understanding Data Remanence in Automated Information Systems for details. Note that common magnets (e.g., those used to hang a picture on a wall) are fairly weak and cannot effectively degauss magnetic media. Destruction The final method of sanitization is destruction of the media. NCSC-TG-025 provides specifics on this method and its applicability. Shredding diskettes, after removing the outer protective casing, is also an option for unclassified media. Employee Training and Awareness Most employees who utilize IT systems also use, and in fact are often the custodians of, magnetic media. It is therefore important for agencies to give the issue of media sanitization appropriate attention in the agency computer security training and awareness program. Employees should understand the following essential elements: o Media containing sensitive information should not be released without appropriate sanitization. o File deletion functions (e.g., the DEL command on MS-DOS) usually can be expected to remove only the pointer to a file (i.e., the file is often still recoverable). o When data is removed from storage media, every precaution should be taken to remove duplicate versions that may exist on the same or other storage media, back-up files, temporary files, hidden files, or extended memory. o Media in surplus equipment should be sanitized. Data Remanence A term which often arises during discussions of magnetic media sanitization is "data remanence." Data remanence is the residual magnetic or electrical representation of data that has been in some way erased or overwritten. This residual information may allow data to be reconstructed typically using laborious, time- consuming methods. This usually is a concern only to those processing classified information. For the unclassified community, overwriting of media is usually sufficient to reduce the threat of data reconstruction from data remanence. Often utility overwrite programs contain an option to overwrite the location of the file three times, ensuring that the chance of recovery of the information from data remanence is very remote. Disk Encryption Another approach to solving the problems raised in this bulletin is through the use of integrated encryption technology. This technology uses a device or software which encrypts all data as it is written to the disk. When the user retrieves a file, the data is automatically decrypted for the owner to use. This encryption/decryption process is typically transparent to the user. Should the disk be lost or stolen, no useful data can be retrieved without the legitimate owner's encryption key. Other Technologies While this CSL Bulletin focuses on the need for sanitization of magnetic media, users should be aware that other storage technologies (e.g., optical media, EEPROM, bubble memory, UVPROM) may require special procedures. Security officers should be consulted when such issues arise. References FIRMR Bulletin C-22, Security and Privacy Protection of Federal Information Processing (FIP) Resources, September 18, 1992. Issued by the General Services Administration. NBS Special Publication 500-101, Care and Handling of Computer Magnetic Storage Media, June 1983. A general guide to preservation of data on storage media particularly magnetic tapes and flexible disk cartridges. Available from the National Technical Information Service, Springfield, VA 22161, as PB83- 237271. NCSC-TG-025, A Guide to Understanding Data Remanence in Automated Information Systems, Version 2, September 1991. National Security Agency, Ft. Meade, MD 20755-6000. Degausser Products List of NSA's Information Systems Security Products and Services Catalogue, issued quarterly by the National Security Agency, Ft. Meade, MD 20755-6000.