PROCEDURES FOR SAFEGUARDING SENSITIVE INFORMATION STORED ON
AUTOMATIC DATA PROCESSING EQUIPMENT DURING DISPOSAL
I. PURPOSE. This section provides the authority,
responsibilities, procedures and controls required for removing sensitive
information that resides on automatic data processing equipment (ADPE)
storage media prior to its disposal. Inadvertent disclosure of sensitive
information can occur when the storage media for this information is
released for disposal without the permanent erasure of the sensitive
information. The residual physical representation of data on storage media
is known as data remanence. This Chapter provides the appropriate
procedures, safeguards, and actions to be taken to protect sensitive
information before the storage media containing the sensitive information
is released for disposal. The provisions of this section and governing
directive are applicable to all organizational elements within the SAO and
must be implemented at all SAO offices.
II. RESPONSIBILITIES
a. The CIO is responsible for developing and recommending policies and
controls for the selection and protection of sensitive information in the
Department.
b. Division Chiefs and all SAO staff are responsible for ensuring that
this policy is followed.
d. The Deputy CIO is responsible for monitoring, reviewing and
evaluating compliance with this automated information system (AIS)
security program directive.
III. PROCEDURES
a. This Chapter provides the procedures and methods to apply when ADPE
with permanent storage capabilities (retention of data occurs in storage,
on either removable or non-removable media), including
magnetic, solid-state and optical storage media, is being released for
disposal. This Chapter only applies to the removal of sensitive
information from ADPE slated for disposal, not the disposal of the ADPE.
The disposal of ADPE must comply with the FIRMR Part 201-23, Disposition,
and the applicable SA policies. The term disposal, as used in this
Chapter, applies to actions where equipment is excessed, transferred,
discontinued from rental/lease, exchanged, or sold.
b. Mandatory Disposal Procedures. Procedures and standards governing
the disposal of sensitive information must be developed and implemented by
each facility director, manager or person accountable for the control of
ADPE that processes or stores sensitive data in SAO. Disposal procedures
for storage media that meet these criteria are mandatory and shall
include, as a minimum, the following methods, controls and practices:
- (1) Operating Procedures: Written operating procedures which
specify security requirements and standards for disposal of storage
devices that contain sensitive information shall be used. These
procedures shall also cover the removal or clearance of those media
before release or reuse of the equipment is permitted.
- (2) Trained Staff Assigned: Staff trained in data eradication
methods and procedures shall be used to irrevocably clear and remove
sensitive information from equipment and storage media scheduled for
disposal or release.
- (3) Method for Clearing Storage Media: The method selected for
clearing/purging storage media must fit the situation: the storage
device to be cleared, the sensitivity of the data, the acceptable level
of data remanence (how much data remains on the storage media), and the
potential risk of data recovery after the equipment is released. The
principal methods for safeguarding sensitive information during the
disposal or repair of equipment include: overwriting; degaussing;
destruction of the storage media; removal of the storage media; or
declassification of the information.
- (4) Approved Software: Only software adhering to the SAO
standard shall be used for overwriting and removing of sensitive
information; overwrite software itself must be protected from
unauthorized modification or use. The SAO standard used for overwrite
software is found in the National Computer Security Center's
publication, A Guide to Understanding Data Remanence in Automated
Information Systems, NCSC-TG-025 Version-2.
- (5) Approved Demagnetizing Device or Demagnetizing Services:
Only manufacturer recommended degausser products that are listed for
your hardware or storage media shall be used. Contracting with the
appropriate vendor for this service may be an acceptable alternative to
the purchase of equipment to demagnetize storage media. An agreement for
demagnetizing services may exist or could be centrally developed. When
using contracted vendor services, specific measures, such as
non-disclosure agreements with the vendor, must be devised and
implemented to ensure that vendors or other personnel authorized to
access sensitive data preserve the confidentiality of that data during
the data clearance process.
- (6) Sensitive Data Protected during Maintenance and Repair:
Procedures shall be established by Department components to ensure that
authorized personnel, including non-SAO personnel, such as vendors and
contractors, preserve the confidentiality of sensitive data and that
unauthorized personnel do not access sensitive files during repair or
maintenance. These procedures shall be consistent with statutes and
existing policies which govern actions during maintenance and repair of
ADPE.
- (7) Equipment and Storage Devices Certified: ADPE will be stored
only in approved areas. Inventory control of all equipment will be
maintained. IR Staff will certify that the media has been properly
cleared of all information before it is excessed, transferred,
discontinued from rental/lease, exchanged, sold or otherwise released.
- (8) Information Removed from Storage Media Properly Retained or
Disposed of: Prior to disposal or release of the computer storage
media, all records maintained on the storage media shall be retained or
disposed of in accordance with the instructions in the approved records
control schedule. The responsible records control office shall be
contacted for guidance.
c. When maintenance or repair is required for ADP equipment with
storage media or the storage media alone, sensitive data residing on that
equipment must also be protected. Specification of procedures for the
protection of sensitive information when maintenance or repair is planned
is beyond the scope of this policy. Department components are expected to
establish procedures to preserve the confidentiality of sensitive data
under these circumstances consistent with any applicable statutes and
existing directives.
d. When disposal of storage media involves transfer between or within
SA facilities, these procedures are limited to instances where ADPE
storage media containing sensitive information is sent to a VA facility or
to a SA component within a SA facility where individuals with access do
not have a need to know. "Need to know" is the principle that a
Department official or employee may have access to sensitive information
in SA computer systems and storage media only when the official or
employee needs access to that information in order to perform an assigned
task or duty within the official assigned responsibilities of the
individual.
e. Security planning that includes mandatory disposal procedures will
help prevent the compromise of sensitive information contained in a
computer system or its parts after it is out of the control of the SAO.
Appendix A to this Handbook contains a list of steps for the removal of
sensitive information from a personal computer before it is released.
f. Requirements established in this handbook for safeguarding sensitive
information are in addition to requirements in other SAO directives that
govern the handling and disposition of FIP resources.
g. Sensitive information as used in this document does not include
computer software or computer programs that process sensitive information
or other SAO data.
REMOVAL OF SENSITIVE DATA: QUICK REFERENCE GUIDE
Prior to the release of a PC with sensitive data (as distinguished from
the software which processes the data) stored on the hard disk, one of the
following methods for removing or destroying that data must be applied.
Select from the following acceptable options the method your office will
use to accomplish this requirement:
1. If possible and permissible, remove the PC's hard disk (removable
drive).
2. If removal of the hard disk drive is not feasible, the following
procedures and techniques are recommended to remove or destroy sensitive
data on the PC's hard disk(s):
- a. Overwrite software. Overwrite software, which employs a computer
program to write a pattern of characters (usually 1's, 0's, or a
combination of both) onto the location of the storage media (hard disk)
where the sensitive data is located, may be used to obliterate data on
the PC. Overwriting using 1's and 0's should be performed at least twice
on hard disks used to store sensitive data. After using overwrite
software on a disk, the overwrite should be verified. This may be done
by attempting to recover the data on the overwritten disk by using any
one of several commercially available "data recovery utilities."
Overwrite software is commercially available in most local computer
retail stores and also appears on approved SA and GSA product lists.
- b. Degaussing. Degaussing is a method to magnetically erase data from
magnetic storage media, such as hard disks. Degaussing involves using an
alternating current (AC) to generate a magnetic field to demagnetize the
hard disk. Two types of degaussers are used: strong magnets and electric
degaussers. Degausser products and equipment are tested by the DOD,
approved by NSA, and then placed on NSA's Degausser Products List (DPL).
If this method of data destruction is selected, contact a security
specialist in the IR Security Office, in the Office of the DAS for IRM,
for specific information on degausser options.
- c. Destruction. Destruction of the media (hard disk) containing
sensitive information may involve incineration, application of an acid
solution, or processing at an approved metal destruction facility. When
possible, sensitive information should be removed from the disk before
it is destroyed. Most destruction methods or procedures involve
potentially hazardous conditions and should be done only by qualified
and approved personnel. Refer to NSA's NCSC-TG-025 Guide for specifics
on this method and its applicability.
3. Document that sensitive data has been cleared from the PC being
released.
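The overwrite-and-verify step in item 2.a, as an added example that is not part of this handbook and not an SAO-approved or NCSC-TG-025 product: it performs the two required passes (all 0 bits, then all 1 bits) over a constructed file standing in for a hard disk, then reads the whole image back to confirm that no location escaped the final pass.

```python
import os
import tempfile
# At least two passes, as the guide requires: all 0 bits, then all 1 bits.
PATTERNS = (b"\x00", b"\xff")
CHUNK = 64 * 1024

def overwrite_image(path, patterns=PATTERNS, chunk=CHUNK):
    """Overwrite every byte of the file at path once per pattern; return pass count."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in patterns:
            f.seek(0)
            for written in range(0, size, chunk):
                f.write(pat * min(chunk, size - written))
            f.flush()
            os.fsync(f.fileno())  # push the pass through OS caches onto the medium
    return len(patterns)

def verify_overwrite(path, last_pattern=PATTERNS[-1], chunk=CHUNK):
    """Read the image back; return (ok, offset of first byte not equal to last_pattern)."""
    offset = 0
    with open(path, "rb") as f:
        while data := f.read(chunk):
            if data != last_pattern * len(data):
                bad = next(i for i, b in enumerate(data) if b != last_pattern[0])
                return False, offset + bad
            offset += len(data)
    return True, None

def sanitize_demo(tamper=False):
    """Constructed disk image with a sample record: overwrite, then verify; tamper=True
    restores one original byte after the passes so verification reports the location."""
    sensitive = b"SSN 000-00-0000 (constructed sample, not real data)"
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(b"\x00" * 4096 + sensitive + b"\x00" * 4096)
        passes = overwrite_image(path)
        if tamper:
            with open(path, "r+b") as f:
                f.seek(4096)
                f.write(sensitive[:1])
        ok, bad = verify_overwrite(path)
        with open(path, "rb") as f:
            residue = sensitive in f.read()
        return passes, ok, bad, residue
    finally:
        os.remove(path)
```

Sanitizing a real drive needs raw device access and cannot reach sectors the drive has silently remapped, which is one reason the guide also lists degaussing and destruction.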
REFERENCES:
a. Computer Security Considerations in Federal Procurements, National
Institute of Standards and Technology; Special Publication 800-4.
b. DOD Computer Security Center (NSA), A Guide To Understanding Data
Remanence in Automated Information Systems, NCSC-TG-025 Version 2,
September 1991.
c. DOD 5200.28 STD, "Trusted Computer System Evaluation Criteria,"
December 1985.