Resources
This page aims to serve as a one-stop destination for a wealth of information on data security and destruction standards. In today’s digital age, safeguarding sensitive data has become a top priority for individuals and organizations. Here, you will find a curated collection of valuable resources, including articles, guides, and links, that cover a wide range of topics related to data security and data destruction.
NIST Compliance
NIST compliance refers to adherence to the guidelines set forth by the National Institute of Standards and Technology (NIST), a non-regulatory government agency dedicated to fostering innovation and enhancing economic competitiveness among U.S.-based organizations operating in the science and technology sector.
NIST SP 800-88, also known as the “Guidelines for Media Sanitization,” is a publication that provides recommendations and best practices for securely sanitizing and disposing of various types of media and data storage devices. The guidelines outline processes and techniques to ensure that sensitive information stored on media, such as hard drives, solid-state drives, optical media, and magnetic tapes, is effectively and irreversibly removed before disposal or reuse. The document offers organizations a framework to develop their media sanitization policies and procedures to protect against data breaches and unauthorized access to sensitive information.
“The information security concern regarding information disposal & media sanitization resides not in the media but in the recorded information. The issue of media disposal & sanitization is driven by the information placed intentionally or unintentionally on the media. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure.”
-NIST SP 800-88 Revision 1
DIN 66399
DIN 66399 refers to a German industrial standard that provides guidelines for the classification and destruction of information carriers. It was developed by the German Institute for Standardization (Deutsches Institut für Normung) and was first published in 2012.
The standard DIN 66399 defines different security levels and corresponding requirements for the destruction of information carriers. An information carrier can be any physical or digital medium that contains sensitive or classified information, such as paper documents, CDs, USB drives, hard drives, etc.
The standard classifies information carriers into three protection classes based on the level of protection required for the data they contain:
Class 1 (lowest level): This class includes information carriers with general data that doesn’t require high security measures. Examples include public documents, promotional materials, or non-sensitive internal information.
Class 2 (medium level): This class includes information carriers with confidential or sensitive data that should be protected against unauthorized access. It covers information like personal data, financial information, or legal documents.
Class 3 (highest level): This class includes information carriers with highly confidential or secret data that require the highest level of protection. It includes information like state secrets, classified documents, or highly sensitive corporate data.
Each protection class is further divided into several security levels, denoted by the symbols P-1 to P-7. The security levels specify the requirements for the destruction process, such as the particle size, shredding method, and additional security measures.
P-1 – 12mm Strips or maximum Particle surface area of 2,000 mm² – suitable for general documents such as advertising materials.
P-2 – 6mm Strips or maximum Particle surface area of 800 mm² – suitable for internal documents such as company communications, instructions, travel guidance, notices and forms.
P-3 – 2mm Strips or maximum Particle surface area of 320 mm² – suitable for sensitive and confidential data, as well as personal data such as company sales reports, tax documents and documents with private address data.
P-4 – Maximum Cross Cut Particle surface area 160mm² with a maximum strip width of 6mm = 6x25mm – suitable for sensitive and confidential data, as well as personal data such as payslips, personal data/files, contracts, medical reports and tax documents.
P-5 – Maximum Cross Cut Particle surface area 30mm² with a maximum strip width of 2mm = 2x15mm – suitable for data containing confidential information with fundamental importance for a person, company or institution, such as patents, construction documents, strategic papers, competitor analysis and process documentation.
P-6 – Maximum Cross Cut Particle surface area 10mm² with a maximum strip width of 1mm = 1x10mm – suitable for confidential documentation requiring extraordinary security precautions such as research and development documents, official areas.
P-7 – Maximum Cross Cut Particle surface area 5mm² with a maximum strip width of 1mm = 1x5mm – suitable for strictly confidential data with the highest security precautions such as secret service or military sectors.
NSA Guidelines for Data Destruction
The National Security Agency (NSA) has established a set of guidelines for data destruction, which are known as NSA/CSS Policy Manual 9-12. These guidelines provide specific requirements for the sanitization and destruction of digital data on various types of media, including hard drives, solid-state drives, and magnetic tapes.
The main objective of the NSA standards on data destruction is to prevent the recovery of information from digital media that are no longer needed or are being disposed of. The manual provides detailed instructions on how to sanitize or destroy digital media to ensure that sensitive and classified information is not compromised.
The NSA/CSS Policy Manual 9-12 outlines three levels of data destruction depending on the level of confidentiality of the information stored on the media. Level one is the least secure and involves clearing data by overwriting it with new information. Level two is more rigorous and involves degaussing or physical destruction of the media. Level three is the most secure and involves disintegrating the media to a particle size of 2mm or less.
Adherence to the NSA standards on data destruction can help organizations protect their sensitive data, maintain compliance with relevant regulations, and reduce the risk of data breaches and other security incidents.
NSA Guidelines for Ransomware
To guide network defenders in protecting against the rapidly evolving ransomware tactics of malicious cyber actors, the National Security Agency (NSA) and several partners have publicly released the “#StopRansomware Guide” Cybersecurity Information Sheet (CSI).
“Ransomware tactics have become more destructive and impactful,” Rob Joyce, NSA Director of Cybersecurity. “Malicious cyber actors are not only encrypting files and asking for ransom, they are also exfiltrating data and threatening victims to release it as a form of extortion. Most importantly, the speed of compromise and impact have increased dramatically, requiring even more effort on the part of defenders.”
Originally released in 2020 by the Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC), the guidance was updated to include additional best practices and recommendations based on operational insight from CISA, MS-ISAC, NSA, and the Federal Bureau of Investigation (FBI).
(BS) EN 15713
(BS) EN 15713 refers to the British Standard for “Secure Destruction of Confidential Material.” This standard provides guidelines and requirements for the secure destruction of sensitive and confidential information. It outlines best practices for the entire process of confidential material destruction, including collection, transportation, storage, and destruction techniques.
The BS EN 15713 standard focuses on ensuring that confidential information is properly handled and destroyed to prevent unauthorized access or data breaches. It specifies criteria for security measures, employee vetting, secure facilities, and auditability to maintain the integrity and confidentiality of the information throughout the destruction process.
Compliance with (BS) EN 15713 helps organizations demonstrate their commitment to maintaining the privacy and security of sensitive data. It provides a framework for organizations and service providers involved in the secure destruction of confidential material, ensuring that appropriate controls and processes are in place to minimize the risk of data compromise.
It’s important to note that the “BS” in (BS) EN 15713 stands for British Standard, indicating that it is a standard developed by the British Standards Institution (BSI) and specific to the United Kingdom.
