QUESTION & ANSWER

Data wiping -- weighing the options

By Editorial staff
17 Jan 2008 | SearchFinancialSecurity.com


Weigh the pros and cons of software disk-wiping and determine if it can protect against data compromise in this Q&A.

We are currently using a well-known "wipe" utility, but it is taking eight hours to make one pass. Typical security has called for a minimum of three and up to seven passes to "ensure" that everything is completely gone. Is there a secure wipe utility that can help us safeguard our data in less than eight hours?

Michael Cobb: Performing a wipe is a time-consuming process and is exacerbated by the fact that, relative to their capacity, modern hard drives are slow. Most wipe tools reach the disk's physical limits because the CPU, memory and IDE, SCSI and SATA drives. If your wipe times don't improve, it may be because DBAN doesn't have a specific driver for your motherboard chipset; however, you can contact them if this is the case.

Also review the number of passes that you really require to safeguard your data. If you need to guarantee that your data is wiped, then a wipe done to the U.S. Department of Defense's DoD 5220.22-M (8-306. /E) standard will over-wipe all addressable hard drive locations with a character, its complement and a random character followed by verification. This process is completed three times and prevents data from being recovered by commercially available processes. DoD 5220.22-M (8-306. /E, C & E) is a seven-pass wipe and is only required for the most sensitive of information. However, in the fall of 2004, the U.S. National Security Agency (NSA Advisory LAA-006-2004) found that a single overwrite using DoD 5220.22-M compliant software is sufficient to render electronic files unrecoverable.

Unfortunately, software disk-wiping cannot sanitize disconnected, forgotten internal hard drives, or hard drives that have physically failed. Therefore, if you don't need your drives again, consider destroying them by degaussing, melting, incineration, crushing or shredding. Also know that with both methods, software-wiping or physical destruction, you'll need to implement policies and procedures that govern hard drive disposal. You must also train employees to ensure that you have taken "reasonable measures" to safeguard your data. The FTC's FACTA rule on the proper storage and disposal of certain consumer information requires any business that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, to properly dispose of such information or compilation. Although physically destroying disks is more costly than wiping them, the potential costs associated with compromised data may make it the best option.
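An added example, not part of the original answer and not the code of any wipe tool: the character, complement and random sequence with read-back verification described above, run against a regular disk-image file. The function names, the 0x55 fill character and the 1 MiB block size are assumptions; overwriting a file in place shows the pass logic only and does not reach remapped sectors or copies the filesystem keeps elsewhere.

```python
import hashlib
import os

CHUNK = 1 << 20  # assumed block size: write and read in 1 MiB pieces


def _overwrite(f, size, make_block):
    """Overwrite bytes [0, size) of f; return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    f.seek(0)
    remaining = size
    while remaining:
        block = make_block(min(CHUNK, remaining))
        f.write(block)
        digest.update(block)
        remaining -= len(block)
    f.flush()
    os.fsync(f.fileno())  # push the pass out of the OS cache before verifying
    return digest.hexdigest()


def _read_back(f, size):
    """Re-read the target and return the SHA-256 of its current contents."""
    digest = hashlib.sha256()
    f.seek(0)
    remaining = size
    while remaining:
        block = f.read(min(CHUNK, remaining))
        if not block:  # short read: the hashes will differ and the pass fails
            break
        digest.update(block)
        remaining -= len(block)
    return digest.hexdigest()


def three_pass_wipe(path, char=0x55):
    """Character, complement, random; each pass is verified by read-back."""
    size = os.path.getsize(path)  # regular image file assumed, not a raw device
    passes = [
        ("character", lambda n: bytes([char]) * n),
        ("complement", lambda n: bytes([char ^ 0xFF]) * n),
        ("random", os.urandom),
    ]
    results = []
    with open(path, "r+b") as f:
        for name, make_block in passes:
            written = _overwrite(f, size, make_block)
            results.append((name, written == _read_back(f, size)))
    return results
```

Each tuple in the returned list records whether that pass verified; a `False` entry means the read-back did not match what was written and the media should go to physical destruction instead.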



All Rights Reserved, Copyright 2008 - 2009, TechTarget