Everything You Need to Know about ITAD Certifications
This is part five of our Certifications 101 series. Over the last five weeks, we have posted a new part weekly covering the major certifications and standards related to the ITAD industry. We hope to provide you with a comprehensive understanding of each certification and standard so you can make informed decisions about your organization’s asset disposition process. Read on to find out more about NIST 800-88.
- Part One: R2 Responsible Recycling
- Part Two: e-Stewards
- Part Three: ISO 9001, 14001, 27001 & 45001
- Part Four: NAID AAA
- Part Five: NIST 800-88
What is NIST 800-88?
NIST Special Publication 800-88 Rev. 1, “Guidelines for Media Sanitization” (NIST 800-88), is a set of guidelines published by the National Institute of Standards and Technology (NIST) that describe best practices for sanitizing storage media so that the information on it cannot be recovered when the media is reused or disposed of. Following them is voluntary for private organizations; federal agencies are expected to apply them as part of their FISMA obligations. The guidelines aim to protect sensitive data from unauthorized disclosure and are meant to apply to all media types and storage technologies, from hard drives and servers to USB flash drives, mobile devices, and future technologies.
NIST 800-88 is one of the most widely used data sanitization standards and has been adopted by many federal and private organizations. NIST 800-88 may be particularly important for organizations that are subject to data security and privacy laws and regulations such as HIPAA and FACTA. For example, compliance with NIST 800-88 can be used to support an organization’s requirements under both HIPAA and FISMA.
Although an organization cannot obtain certification to NIST 800-88, data destruction vendors often confirm their compliance with NIST 800-88 guidelines.
NIST 800-88 Requirements
NIST 800-88 defines three levels of sanitization, in increasing order of assurance: Clear, Purge, and Destroy. It describes the purpose of each level and how each should be performed for the different media types.
- Clearing applies logical techniques to every user-addressable storage location and protects the confidentiality of information against simple, non-invasive recovery attempts (those that use only the device’s standard read and write commands). NIST 800-88 specifies that simply deleting files or formatting the media is not sufficient to clear data. Overwriting with a fixed pattern, or using a device’s factory-reset option, is acceptable; for magnetic hard drives a single overwrite pass is considered sufficient under Rev. 1 (the older multi-pass schemes are no longer required). On flash-based media such as SSDs and USB drives an overwrite may not reach spare or remapped blocks, so clearing by overwrite carries more residual risk there.
- Purging protects the confidentiality of information against data recovery attempts using state-of-the-art laboratory techniques, i.e. attempts made on the media outside its normal operating environment. NIST 800-88 gives degaussing as one example: the media is exposed to a magnetic field strong enough to disrupt the recorded magnetic domains. Degaussing works only on magnetic media (it has no effect on flash) and leaves a modern hard drive unusable, because the servo information is destroyed along with the data. The drive’s own sanitize commands (ATA Secure Erase, NVMe Sanitize, and cryptographic erase, which destroys the encryption key of a self-encrypting drive) are the other purge techniques Rev. 1 describes.
- Destroying is the ultimate form of sanitization: the media itself is rendered unusable and the data infeasible to recover. NIST 800-88 specifies that destruction can be performed by disintegrating, pulverizing, shredding (with a particle size small enough for the media type; flash memory chips require a finer shred than paper or magnetic platters), melting, or incinerating.
Which method to use follows from the security categorization of the data on the media (low, moderate, or high), whether the media will be reused, and whether it will leave the organization’s control. Media that will not be reused can simply be destroyed. If the data is categorized as low (or moderate) and the media remains under the organization’s control, clearing may be sufficient; if that media leaves the organization’s control, it should be purged. Data categorized as high should be purged even when the media stays in house, and destroyed when the media leaves the organization’s control.
A cost versus benefit analysis is also recommended prior to making a final decision about the method to use. For example, depending on the media type, it may be more cost-effective to destroy media rather than sanitize it using another method. However, if the media is planned for reuse or recycling, destruction may not be the preferred method.
As part of the best practices, NIST 800-88 calls for verification that sanitization has actually occurred and details different verification methods, treating verification as an essential step rather than an optional extra. Rev. 1 distinguishes full verification (reading back every addressable location and checking that it holds the expected pattern) from representative sampling, in which pseudorandomly chosen locations or a representative sample of the media are read back; sampling is acceptable when a full read-back is impractical, but a sample can miss locations the sanitization tool skipped. Personnel without any stake in the process (not the people who performed the sanitization) should conduct the verification, and the equipment and the competence of the personnel should themselves be verified periodically.
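As an added illustration, not code from this page or from Dispoteca, the following Python script performs an overwrite-based Clear on a constructed image file and then runs the verification step described above, both as a full read-back and as a pseudorandom sample. The 512-byte sector size, the 10% sampling fraction, the temp-file target, and the `write_residue` helper that simulates a block the overwrite missed are all assumptions of the example; on a real system the same calls would be made against a block device.

```python
"""Clear a media image by single-pass overwrite, then verify the result."""
import os
import random
import tempfile

SECTOR = 512  # assumed sector size for the constructed sample image


def make_sample_image(n_sectors: int) -> str:
    """Constructed test input: a temp file of n_sectors random sectors standing in
    for a drive full of data. On a real system the target would be a block device
    such as /dev/sdX, opened with the same read/write calls."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(n_sectors * SECTOR))
    return path


def _fill(pattern: bytes, length: int) -> bytes:
    """Repeat pattern to exactly `length` bytes."""
    return (pattern * (length // len(pattern) + 1))[:length]


def overwrite_image(path: str, pattern: bytes = b"\x00", chunk: int = 1 << 20) -> int:
    """Single-pass, fixed-pattern overwrite of every user-addressable byte, i.e. a
    NIST 800-88 Rev. 1 'Clear' for magnetic media. This does not reach the spare or
    remapped blocks of flash media (SSDs, USB sticks); those need the drive's own
    sanitize command to reach Purge. Returns the number of bytes written."""
    if chunk % SECTOR or SECTOR % len(pattern):
        raise ValueError("chunk must be a multiple of SECTOR and pattern must divide SECTOR")
    size = os.path.getsize(path)
    block = _fill(pattern, chunk)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # force the pattern onto the media, not just the page cache
    return written


def verify_sample(path: str, pattern: bytes = b"\x00",
                  sample_fraction: float = 0.1, seed=None) -> dict:
    """Read back a sample of sectors and report those that still do not hold the
    pattern. sample_fraction=1.0 is a full verification; anything less is a
    pseudorandom sample that always includes the first and last sector. The 10%
    default is an assumption of this example, not a figure from the guideline."""
    size = os.path.getsize(path)
    n_sectors = (size + SECTOR - 1) // SECTOR
    if n_sectors == 0:
        return {"sectors": 0, "sampled": 0, "failed": []}
    k = min(n_sectors, max(1, int(n_sectors * sample_fraction)))
    chosen = set(random.Random(seed).sample(range(n_sectors), k))
    chosen.update({0, n_sectors - 1})
    expected = _fill(pattern, SECTOR)
    failed = []
    with open(path, "rb") as f:
        for idx in sorted(chosen):
            f.seek(idx * SECTOR)
            data = f.read(SECTOR)
            if data != expected[: len(data)]:
                failed.append(idx)
    return {"sectors": n_sectors, "sampled": len(chosen), "failed": failed}


def write_residue(path: str, sector: int, data: bytes) -> None:
    """Simulate a sector the overwrite missed (e.g. a bad-block remap) so the
    difference between sampled and full verification can be seen."""
    with open(path, "r+b") as f:
        f.seek(sector * SECTOR)
        f.write(data)


if __name__ == "__main__":
    img = make_sample_image(64)
    print("before clear, failing sectors:", verify_sample(img, sample_fraction=1.0)["failed"][:5], "...")
    print("bytes overwritten:", overwrite_image(img))
    print("after clear (10% sample):", verify_sample(img, seed=1))
    write_residue(img, 5, b"residual customer record")
    print("sample may miss residue:", verify_sample(img, seed=1)["failed"])
    print("full read-back finds it:", verify_sample(img, sample_fraction=1.0)["failed"])
    os.remove(img)
```

The last two lines of the demo are the point of the verification section: a sampled check can report a clean result while a full read-back still finds a sector holding old data, so the sampling fraction and the choice of locations have to be justified and recorded, not just assumed.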
NIST 800-88 Certificates of Destruction
NIST 800-88 recommends that a certificate of sanitization (often called a certificate of media disposition or destruction) be completed for each piece of media that has been sanitized, recording at least a description of the media and its serial number, the sanitization method and tool used, the verification method, and the names and signatures of the people who performed and verified the sanitization (Rev. 1 includes a sample form in its appendix). Organizations should retain these certificates for their records. For heavily regulated industries, a certificate of media disposition or other documentation may be necessary for auditing purposes to show that the organization complied with its industry-related data security regulations.
Why is NIST 800-88 Important?
If your organization is in the healthcare or financial industries, or deals with protected health information (PHI), consumers’ non-public personal information (NPI), or personally identifiable information (PII), NIST 800-88 compliance may be particularly important to you and your industry’s data security regulations (for example, HIPAA, GLBA, IRS Publication 1075).
Even if your industry does not involve working with PHI, NPI, or PII, your equipment likely contains confidential or sensitive data from customers, business partners, or employees that must be protected from unauthorized disclosure.
Improper sanitization of data can lead to dire consequences for your organization, such as data breaches, lawsuits, penalties, and loss of reputation. The average total cost of remedying a data breach is $3.86 million, and higher still, $7.13 million, in the healthcare industry (figures from the 2020 IBM Cost of a Data Breach Report). By ensuring that your data has been properly sanitized in accordance with NIST 800-88, and documenting that it was, your organization reduces its exposure to these costly outcomes.
Choosing a Provider Compliant with NIST 800-88
Choosing an ITAD provider is fraught with risk. Dispoteca helps minimize that risk by ensuring that your equipment only goes to resellers or recyclers with your preferred certifications. Dispoteca’s unique credentialing system tracks certifications and verifies that they are valid and current. If you are a business or organization that has ITAD needs, contact Dispoteca to get started on your ITAD project today.