Best Practices in Media Storage and Destruction


Most organizations collect, maintain and store massive amounts of sensitive and personal data. Understanding regulations surrounding this data is crucial to protecting it from unauthorized access. Follow best practices when storing data:

  • Classify the data so that you know what is sensitive and how to protect it.
  • Control access to the data so only those who need it will be able to manipulate it.
  • Follow policies and procedures for data destruction.
  • Familiarize yourself with the mapping of the data and how it flows throughout your organization.
  • Educate users in your organization about the importance of protecting data.

Media sanitization is the process of permanently destroying data. Deleting files from a device or reformatting it will not prevent a miscreant from using readily available online tools to retrieve the information. Electronic data can be destroyed using a variety of methods:

  • Data wiping is a method of overwriting the data, but it is a time-consuming, clunky solution and not usually a practice used in businesses.
  • Degaussing is a process that uses a high-powered magnet. However, this destroys the hard drive itself, so the drive cannot be reused.
  • Physical destruction such as shredding or drilling into a hard drive can make access to the data permanently unavailable. Again, the equipment is not usable after this.

If you choose to hire a third party to destroy data for your organization, you will want them to provide you with documentation that shows proof of the destruction. Sometimes this will be a certificate of sanitization.

Why does data destruction matter? Forgotten or ignored data can be a gold mine if it falls into the wrong hands. Exposed private and personal data can lead to identity theft and financial gain for a cyber criminal, and it can also result in financial and reputational damage for an institution. Organizations have a responsibility and duty to protect the information they collect and, when they no longer need that data, to follow through with proper disposal methods.

Resources:
Media Sanitization and Disposal Best Practices
NIST Special Publication 800-88, Rev. 1, “Guidelines for Media Sanitization”