Statement of Process
PHYSICAL DESTRUCTION OF CONVENTIONAL COMPUTER HARD DRIVES
Zak follows the National Institute of Standards and Technology (NIST) Guidelines for Media Sanitization (NIST Special Publication 800-88) as well as Federal Information Processing Standards (FIPS 200), Minimum Security Requirements for Federal Information and Information Systems, for comprehensive information on media sanitization options. Zak has a written and verifiable process for the physical destruction (not wiping or overwriting) of conventional computer hard drives. We also have written and verifiable processes for the following:
- That prior to the destruction event we provide clients with a written description of the process for the physical destruction of computer hard drives.
- That serial numbers of all hard drives or CPUs being destroyed for each client are recorded, unless the customer has signed an agreement opting out of this requirement. Any opt out agreement must state that we are obligated to have the client sign the agreement if they choose not to have their serial numbers recorded.
- That the log of recorded serial numbers of hard drives destroyed is returned to the customer upon the completion of the service, unless the customer has opted out of this requirement.
- That a log and copies of opt out agreements are maintained during the entire course of Zak's length of service to the client, and for a period of no less than six months after the final event.
SANITIZATION OF CONVENTIONAL COMPUTER HARD DRIVES
Zak has a written and verifiable process for the sanitization of conventional computer hard drives that includes the following:
- Acceptance, identification & recording (of serial numbers), and tagging of computer hard drives.
Disclosure of the following is also Zak's policy:
- Wiping Software Product used
- Recovery or verification Software used
- Quality control procedures, to include the following:
  - A specific number or percentage of sanitized drives, as determined by Zak, is selected for quality control assessment on a routine basis.
  - Instructions that in the event of a quality control assessment revealing recoverable data from a sanitized drive, all drives processed since the last successful quality control assessment will be reprocessed.
  - Instructions that a log must be kept of all quality control assessments to include:
    - The date of the check
    - The quantity of drives checked
    - The outcome (fail/pass)
    - A description of corrective actions taken as the result of any failed quality control checks.
- Tagging/identification and separation/isolation of sanitized hard drives after processing
- The recordkeeping audit trail for the CPU throughout the entire sanitization process
- Confirmation receipt or Certificate of Destruction reflecting serial numbers is provided to client indicating computer hard drives have been physically sanitized and/or destroyed.
The sanitization process has a method of quality control in place to ensure all information has been removed from the sanitized hard drives. The quality control procedures are outlined in Zak's EMS/Safety Procedures Manual and the Sanitization Process Questionnaire.
All physically destroyed media is disposed of (sold, gifted, or recycled) in a responsible manner. Zak follows a zero landfill policy.
TRANSFER OF CUSTODY:
Zak's policy is to assure full security during the process of transport.
There are four basic options for media sanitization:
- Disposal: Discarding media with no further sanitization actions.
- Clearing: Removing data from media so that the data cannot be retrieved through a robust keyboard attack. Simple deletion of files does not suffice as clearing. Example: overwriting.
- Purging: Removing data from media so that the data cannot be retrieved through a laboratory attack. Example: degaussing.
- Destroying: Rendering the media unable to be reused as originally intended. Residual medium may need to be able to withstand a laboratory attack. Example: shredding.
There are a number of factors to consider when selecting a media sanitization method, such as:
- Type of media (i.e., optical, magnetic, or paper/film)
- Size of media
- Confidentiality and necessary security of the data on the media
- Cost of sanitization tools and staff, and available budget
- Availability of sanitization tools and staff
- Training and certification of staff
- Length of time available for sanitization.
While many of these factors may influence the decision to use, or not use, a particular media sanitization process, usually the most pressing factor is the required level of security and confidentiality.
If physical destruction of the media is necessary, there may still be options for environmentally preferable disposal of the remaining media. If media is rendered unusable by abrasive scraping, shredding, disintegrating or pulverizing, look for opportunities to recycle the resulting material. Some facilities may be able to separate, melt down, and resell the metals and plastics in destroyed media. Be aware that media rendered unusable through chemical destruction may not be able to be recycled and may require special disposal.