Determining an Enterprise-Class Data Erasure Strategy

An effective enterprise-class data erasure strategy has several components. The critical questions to ask, and the essential criteria to consider, when developing data leak prevention and IT asset disposal policies include:

Regulations - which industry regulations or legislation (e.g. GLBA, PCI DSS, HIPAA, and FACTA) is our organization subject to, and what do they require for data and IT asset disposal?

Internal Policies - do we have written policies that reflect these requirements, and can our organization actually enforce them?

Audit-Related Factors - are our existing policies and practices auditable, i.e. can we produce evidence (per-drive records, erasure certificates) that each asset was sanitized as the policy requires?

Many corporate IT departments rely on the simple overwriting functions found in common disk utilities. These tools can have significant drawbacks that compromise an organization's security: run from inside the installed operating system, they typically reach only the sectors that OS can see, and they leave no auditable record of what was done. Effective enterprise-grade overwriting software must have the following functions and capabilities to ensure the integrity of the data sanitization process:

Security & Performance:

Compatibility - the ability to run regardless of the operating system loaded on the drive, either alongside it or, more commonly, by booting from the tool's own media so that the OS on the target drive is never relied upon.

Independence - the ability to run regardless of the type of hard drive being sanitized (e.g., Advanced Technology Attachment (ATA)/Integrated Drive Electronics (IDE) or Small Computer System Interface (SCSI) drives).

Overwriting - the ability to overwrite the entire hard disk drive regardless of any capacity limitation imposed by the system's Basic Input/Output System (BIOS) or firmware, so that sectors beyond the capacity the BIOS reports are not silently skipped.

Detection - the ability to detect, report and overwrite locked and hidden areas such as a Host Protected Area (HPA) or Device Configuration Overlay (DCO), to report remapped (reallocated) sectors, and to wipe hot-spare drives in RAID configurations. Note that sectors the drive firmware has remapped are no longer addressable by the host, so no software overwrite can reach them; the tool should report their presence so that a firmware-level sanitize command (ATA Secure Erase) or physical destruction can be chosen for that drive.
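The HPA/DCO check above is something an engineer can verify independently of the erasure vendor. The following is an added example (not code from the original page or from any erasure product) that parses the capacity line printed by `hdparm -N` on Linux, optionally the `Real max sectors` line from `hdparm --dco-identify`, and decides whether an overwrite that stopped at the OS-visible capacity actually reached the whole drive. The `hdparm -N` line format is hdparm's documented output; the DCO line format, the 512-byte sector size and the sample outputs are assumptions, and the sample outputs are constructed rather than captured from a real drive.

```python
"""Detect capacity hidden behind an HPA or DCO from hdparm output.

Added example, not code from the original page. Run query_drive() as root on
a real device; the constructed samples below let the logic run offline.
"""
import re
import subprocess
from typing import NamedTuple, Optional

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors


class CapacityCheck(NamedTuple):
    current_max: int   # sectors the host can address right now (after HPA)
    native_max: int    # sectors reported by READ NATIVE MAX (hdparm -N)
    real_max: int      # sectors behind any DCO limit (--dco-identify), else native_max
    hpa_enabled: bool

    @property
    def hidden_sectors(self) -> int:
        """Sectors an OS-level overwrite would never touch."""
        return self.real_max - self.current_max

    @property
    def hidden_gib(self) -> float:
        return self.hidden_sectors * SECTOR_BYTES / 2 ** 30


# hdparm -N prints e.g. " max sectors   = 488386584/976773168, HPA is enabled"
_N_LINE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")
# assumed format of the DCO identify line: "Real max sectors: 1953525168"
_DCO_LINE = re.compile(r"Real max sectors:\s*(\d+)")


def parse_capacity(hdparm_n: str, dco_identify: Optional[str] = None) -> CapacityCheck:
    """Combine `hdparm -N` and optional `hdparm --dco-identify` output."""
    m = _N_LINE.search(hdparm_n)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    current, native = int(m.group(1)), int(m.group(2))
    real = native
    if dco_identify:
        d = _DCO_LINE.search(dco_identify)
        if d:
            # READ NATIVE MAX is itself capped by a DCO; the DCO value is the physical max
            real = max(native, int(d.group(1)))
    return CapacityCheck(current, native, real, m.group(3) == "enabled")


def overwrite_reached_all(check: CapacityCheck, sectors_overwritten: int) -> bool:
    """True only if the overwrite covered every sector the drive physically has."""
    return sectors_overwritten >= check.real_max


def query_drive(device: str) -> CapacityCheck:
    """Query a real block device (needs root and the hdparm package)."""
    def run(*args: str) -> str:
        return subprocess.run(["hdparm", *args, device], capture_output=True,
                              text=True, check=True).stdout
    return parse_capacity(run("-N"), run("--dco-identify"))


# Constructed sample outputs (not captured from real hardware)
SAMPLE_HPA = "\n/dev/sdb:\n max sectors   = 488386584/976773168, HPA is enabled\n"
SAMPLE_CLEAN = "\n/dev/sdb:\n max sectors   = 976773168/976773168, HPA is disabled\n"
SAMPLE_DCO = "DCO Revision: 0x0002\n\tReal max sectors: 1953525168\n"

if __name__ == "__main__":
    for n_out, dco_out in ((SAMPLE_HPA, None), (SAMPLE_HPA, SAMPLE_DCO), (SAMPLE_CLEAN, None)):
        c = parse_capacity(n_out, dco_out)
        # an in-OS wipe stops at current_max, so pass that as the overwritten count
        print(f"hidden={c.hidden_sectors} sectors ({c.hidden_gib:.1f} GiB), "
              f"hpa={c.hpa_enabled}, full wipe={overwrite_reached_all(c, c.current_max)}")
```

A wipe report that claims "entire drive" should therefore carry the sector count actually written, and that count should be compared with `real_max` rather than with the capacity the OS or BIOS reports; a mismatch means the HPA/DCO must be removed (`hdparm -N p<native_max>` and `hdparm --dco-restore`, both destructive to the hidden configuration) and the overwrite repeated before a certificate is issued.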

Reporting & Auditability:

Certification - the ability to provide the user with an erasure certificate or report showing that the overwriting procedure completed properly (for example, that every addressable sector was written and verified).

Hardware Configuration - the ability to identify and report essential hardware configuration information, including computer serial numbers and asset tags, so that each report is tied to a specific machine and drive.

License Harvesting - the ability to identify and report installed software serial keys (e.g., operating system and major application licenses) for license harvesting before the disk is erased.

Digital Signatures - the ability to protect each report's integrity and authenticity with a digital signature, so that a certificate cannot be altered after the fact without detection.

Integration of Data - the ability to export reports in a form that integrates easily with other systems, e.g. asset management systems.
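The Certification, Hardware Configuration, Digital Signatures and Integration of Data requirements above fit together as one artifact: a per-drive record that is refused unless the erasure actually covered the drive, is bound to the asset and drive serials, is tamper-evident, and can be flattened into an asset-management row. The following added example (not code from the original page or from any erasure product) builds such a record. It uses an HMAC-SHA256 tag under a key held by the erasure station as a stand-in for a digital signature; a production tool would sign with an asymmetric key (for example Ed25519) so that an auditor can verify certificates without holding the signing key. The field names, the sample key and the sample job data are assumptions, and the sample is constructed rather than taken from a real erasure.

```python
"""Build, certify, verify and export a per-drive erasure record.

Added example, not the page's or any vendor's certificate format. HMAC is
used here because it is in the standard library; swap in an asymmetric
signature for real deployments so verifiers need no secret.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def canonical_bytes(body: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_report(*, asset_tag, system_serial, drive_model, drive_serial,
                method, passes, native_max_sectors, sectors_written,
                hpa_found, dco_found, operator, completed_at=None) -> dict:
    """Assemble the unsigned certificate body (field names are assumptions)."""
    return {
        "schema": "erasure-certificate/1",
        "asset": {"tag": asset_tag, "system_serial": system_serial},
        "drive": {"model": drive_model, "serial": drive_serial,
                  "native_max_sectors": native_max_sectors},
        "erasure": {"method": method, "passes": passes,
                    "sectors_written": sectors_written,
                    "hpa_found": hpa_found, "dco_found": dco_found},
        "operator": operator,
        "completed_at": completed_at or datetime.now(timezone.utc).isoformat(),
    }


def erasure_complete(body: dict) -> bool:
    """'Completed properly' here means every natively reported sector was written."""
    e, d = body["erasure"], body["drive"]
    return e["passes"] >= 1 and e["sectors_written"] >= d["native_max_sectors"]


def sign_report(body: dict, key: bytes) -> dict:
    """Attach an integrity tag; refuse to certify an overwrite that stopped short."""
    if not erasure_complete(body):
        raise ValueError("refusing to certify an incomplete erasure")
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "signature": {"alg": "HMAC-SHA256", "value": tag}}


def verify_report(signed: dict, key: bytes) -> bool:
    """Recompute the tag over everything except the signature field."""
    sig = signed.get("signature") or {}
    if sig.get("alg") != "HMAC-SHA256":
        return False
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(sig.get("value", "")))


def asset_record(signed: dict) -> dict:
    """Flat row for import into an asset-management system (assumed column names)."""
    return {
        "asset_tag": signed["asset"]["tag"],
        "system_serial": signed["asset"]["system_serial"],
        "drive_serial": signed["drive"]["serial"],
        "method": signed["erasure"]["method"],
        "completed_at": signed["completed_at"],
        "signature": signed["signature"]["value"],
    }


# Constructed sample, not data from a real erasure job
SIGNING_KEY = b"station-key-kept-in-an-hsm-in-production"
SAMPLE = make_report(asset_tag="IT-00421", system_serial="SN-ABC123",
                     drive_model="ExampleDisk 500GB", drive_serial="WD-Z9X8Y7",
                     method="overwrite-3-pass-with-verify", passes=3,
                     native_max_sectors=976773168, sectors_written=976773168,
                     hpa_found=True, dco_found=False, operator="jdoe",
                     completed_at="2024-01-15T10:42:00+00:00")

if __name__ == "__main__":
    cert = sign_report(SAMPLE, SIGNING_KEY)
    print(json.dumps(cert, indent=2))
    print("verifies:", verify_report(cert, SIGNING_KEY))
    tampered = json.loads(json.dumps(cert))
    tampered["drive"]["serial"] = "WD-OTHER"   # swap the serial after the fact
    print("tampered verifies:", verify_report(tampered, SIGNING_KEY))
    print("asset row:", asset_record(cert))
```

Two details matter for auditability: the tag is computed over a canonical serialisation, so reordering keys or reformatting whitespace in transit does not break verification, while changing any value (a drive serial, the sector count) does; and the signing step itself enforces the completion check, so a certificate can never exist for an overwrite that did not reach the drive's native capacity.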

Finally, a qualified service provider should have the following attributes:

  • They must be insured (a minimum of USD 1 million).
  • They must be reputable and use proven software and operational techniques.
  • They must have certified engineers for on-site work and support.
  • They must be able to provide certificates that include serial numbers.
  • They must be able to provide erasure reports to verify each disk that has been erased.
  • They must offer both software-based erasure and physical data destruction, with the ability to combine the two to keep operating costs low.
  • They must be able to provide references.