Disposition of Computer Hard Drives
Attachment 2
Specifications for Sanitization of Hard Drives

1. Purpose: This attachment provides guidance on sanitization by overwriting, degaussing and destruction of hard drives. Responsible parties may supplement these specifications to meet their operational needs. System users will ensure supplemental instructions to this policy meet with the approval of the responsible authority. Sanitization removes sensitive information from storage media in a manner that gives assurance that the information cannot be recovered by keyboard or laboratory attack. Before the sanitization process begins, the computer should be disconnected from any external network to prevent accidental damage to the network operating system (OS) or other files on the network. In addition, users should audit the sanitizing process to ensure data is no longer retrievable. This means a knowledgeable person should witness the sanitization process and verify that the hard drive was sanitized.
2. Overwriting Hard Drives for Sanitization: Overwriting is an approved method for sanitization of hard disk storage media. Overwriting of data means replacing previously stored data on a drive or disk with a predetermined pattern of meaningless information. This effectively renders the data unrecoverable, but the process must be correctly understood and carefully implemented. Overwriting consists of recording data onto magnetic media by writing a pattern of fluxes or pole changes that represent binary ones (1) and zeros (0). These patterns can then be read back and interpreted as individual bits, 8 of which are used to represent a byte or character. If the data is properly overwritten with a pattern (e.g., "11111111" followed by "00000000"), the magnetic fluxes will be physically changed, the drive's read/write heads will only detect the new pattern, and the previous data will be effectively erased. To purge the hard drive, the state requires overwriting with a pattern, and then its complement, and finally with another pattern (e.g., overwrite first with "00110101", followed by "11001010", then "10010111"). Sanitization is not complete until the three overwrite passes and a verification pass are completed.
  2.1 Overwriting Software Specifications: The software specifications discussed below are the minimum that responsible parties must apply to overwriting hard drives. Software products and applications not meeting the minimum stated specifications are not acceptable for sanitizing unclassified hard drives. Overwriting software that merely reformats or repartitions a hard drive is not accepted within the scope of this policy. Further, some software products may not run on systems with lower-end central processing unit (CPU) chipsets, and may require a minimum of a 386 or greater processor. Software users should verify the compatibility of selected software products with the particular hard disk being sanitized. In addition, some software product versions may not have the capability to remove the OS during the overwriting process. To ensure the integrity of the sanitization process, overwriting software must have the following functions and capabilities:
    2.1.1 The ability to purge all data or information, including the OS, from the physical or virtual drives, thereby making it impossible to recover any meaningful data by keyboard or laboratory attack.
    2.1.2 A compatibility with, or capability to run independent of, the OS loaded on the hard drive.
    2.1.3 A compatibility with, or capability to run independent of, the type of hard drive being sanitized (e.g., ATA/IDE or SCSI type hard drives).
    2.1.4 A capability to overwrite the entire hard disk drive independent of any BIOS or firmware capacity limitation that the system may have.
    2.1.5 A capability to overwrite using a minimum of three cycles of data patterns on all sectors, blocks, tracks, and slack or unused disk space on the entire hard disk medium.
    2.1.6 A method to verify that all data has been removed from the entire hard drive and to view the overwrite pattern.
    2.1.7 Although not mandatory, selected software should also:
      2.1.7.1. Provide the user with a validation certificate indicating that the overwriting procedure was completed properly.
      2.1.7.2. Provide a defects log, or listing of any bad sectors, that could not be overwritten by the software.
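
The pass sequence from section 2, together with the verification function of 2.1.6 and the defects log of 2.1.7.2, as an added example (not part of this policy and not any approved product). It runs against a constructed image file standing in for a drive; the function names and the chunk size are assumptions.

```python
import os
import tempfile

# Section 2 example patterns: a pattern, its complement, then another pattern.
PASSES = (0b00110101, 0b11001010, 0b10010111)
CHUNK = 64 * 1024  # I/O size in bytes (assumption, not from the policy)

def target_size(path):
    """Size in bytes of a regular file or block device."""
    with open(path, "rb") as dev:
        return dev.seek(0, os.SEEK_END)

def overwrite_pass(path, pattern, size):
    """Write one pattern over every byte and force it out to the medium."""
    with open(path, "r+b") as dev:
        for offset in range(0, size, CHUNK):
            dev.write(bytes([pattern]) * min(CHUNK, size - offset))
        dev.flush()
        os.fsync(dev.fileno())

def verify_pass(path, pattern, size):
    """Read everything back; return offsets of chunks not holding the pattern."""
    defects = []
    with open(path, "rb") as dev:
        for offset in range(0, size, CHUNK):
            n = min(CHUNK, size - offset)
            if dev.read(n) != bytes([pattern]) * n:
                defects.append(offset)
    return defects

def sanitize(path):
    """Three overwrite passes plus the verification pass; returns the defects log."""
    if PASSES[1] != PASSES[0] ^ 0xFF:
        raise ValueError("second pass must be the complement of the first")
    size = target_size(path)
    for pattern in PASSES:
        overwrite_pass(path, pattern, size)
    return verify_pass(path, PASSES[-1], size)

def demo():
    """Sanitize a constructed image file standing in for a drive."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "drive.img")
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED-SENSITIVE-RECORD" * 40000)
        defects = sanitize(image)
        with open(image, "rb") as f:
            return defects, b"SENSITIVE" in f.read()
```

An image file has no hidden capacity or bad sectors, so this shows only the pass and verification logic; 2.1.4 and 2.2 cover the cases it cannot.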
  2.2 Damaged Hard Disks: A hard disk platter may develop damaged or unusable tracks and sectors. However, sensitive data may have been recorded in areas of the disk that should be purged. If features or malfunctions of the storage media inhibit overwriting, the storage media should be degaussed or destroyed.
3. Degaussing Hard Drives for Sanitization: Degaussing is a process whereby the magnetic media are erased (i.e., returned to a zero state). Degaussing (demagnetizing) reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Properly applied, degaussing renders any previously stored data on magnetic media unreadable by keyboard or laboratory attack.
  3.1 Degaussing hard drives often destroys the drive's timing tracks and servo motors, and usually demagnetizes the permanent magnets of the spindle motor on sealed (e.g., Winchester) drives, thus they can seldom be used after degaussing. In addition, the process of removing the hard drives from the computer, taking off the hard drive's housing, degaussing and placing the hard drive back into the computer, and testing to ensure it still operates and no longer contains its original data, may make reutilization after degaussing cost ineffective.
  3.2 Each type of magnetic media is distinguished by the rate of coercivity required to ensure the medium is brought back to its zero state. Due to the variation of media formats and their corresponding magnetic densities, a correct and effective degaussing process is often difficult to achieve, and it is essential that state responsible parties utilize a degausser with the right coercivity specifications to degauss the target media. Coercivity strength of an applied magnetic field determines which type of degausser should be applied to the particular magnetic media being targeted for sanitization. Higher coercivity rates are usually required to degauss hard disk storage media and many degaussers designed for commercial uses do not have the magnetic energy required to erase media with a higher coercivity rate.
  3.3 Degaussing standards and procedures:
    3.3.1 Degaussers used on state hard drives must have a nominal rating of at least 1700 Oersted.
    3.3.2 Degaussers must be operated at their full magnetic field strength.
    3.3.3 Follow the product manufacturer's directions carefully. Deviations from an approved method or rate of coercivity could leave significant portions of data remaining on a hard drive.
    3.3.4 All shielding materials (e.g., castings, cabinets, and mounting brackets), which may interfere with the degausser's magnetic field, must be removed from the hard drive before degaussing.
    3.3.5 Hard disk platters must be in a horizontal direction during the degaussing process.
    3.3.6 For degaussing hard drives with very high coercivity ratings, it may be necessary to remove the magnetic platters from the hard drive's housing.
4. Physical Destruction Procedures: Hard drives should be destroyed when they are defective or cannot be economically repaired or sanitized for reuse. As an added security measure, when practical, operable hard drives no longer deemed economically viable should be overwritten or degaussed prior to destruction. Physical destruction must be accomplished to an extent that precludes any possible further use of the hard drive. The following are acceptable means for destruction of hard disk storage media:
  4.1 Physical destruction/impairment beyond reasonable use: Remove the hard drive from the chassis or cabinet. Remove any steel shielding materials, mounting brackets, and cut any electrical connection to the hard drive unit. In a suitable facility with individuals wearing appropriate safety equipment, subject the hard drive to physical force (e.g., pounding with a sledgehammer) that will disfigure, bend, mangle, or otherwise mutilate the hard drive so that it cannot be re-inserted into a functioning computer. Sufficient force should be used directly on top of the hard drive unit to cause shock/damage to the disk surfaces. In addition, any connectors that interface into the computer must be mangled, bent, or otherwise damaged to the point that the hard drive could not be re-connected without significant rework.
  4.2 Destruction at an approved metal destruction facility, i.e., smelting, disintegration, or pulverization.