Add NIST 800-88 to Your DoD Data Destruction Playbook

Posted by Frank Milia

Oct 9, 2017 3:00:25 PM

It’s time your IT asset disposal program manager ditched a murky understanding of DoD data destruction (Department of Defense 5220.22-M) and added a clearer understanding of NIST 800-88 (National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization).

The DoD data destruction standard does not provide the specifics an organization or business needs in order to run a secure program in a real-world operation. The DoD does provide broad guidelines that should be adhered to by any organization maintaining or disposing of sensitive data.

The NIST 800-88 Guidelines, however, provide a detailed roadmap for creating a data destruction program built on the principles of identifying risk and the life cycle stage of the media, selecting and implementing appropriate methods of destruction, verifying and overseeing success, and documenting procedures and work performed.

“We perform DoD data destruction” has been a mantra of the ITAD (IT asset disposal) industry for well over a decade. But when one pushes a vendor or program manager for specifics, one is likely to find inconsistent interpretations of the standard, ranging from a belief that it refers exclusively to three-pass or seven-pass binary wiping to the misconception that only physical shredding and pulverization of media can achieve data security.

In reality the DoD data destruction method does have recommended standards for two-step erasure of drives using a clear pass and a binary overwriting pass. It also includes basic standards for the removal of physical identifiers, chain of custody documentation, and physical destruction of optical media. The DoD standard does not recommend any specific tools, software, or machinery, and it does not provide any type of certification to vendors or products.

NIST 800-88 provides a clear manual that guides IT professionals to select the appropriate tool by life cycle stage, risk level, and type of media. For example, the document points out that a degausser should never be used for solid state media: since SSDs are not magnetic media, a degausser would not destroy the data on their chips. This type of granular knowledge is a must-have for every IT asset manager.

Here at ITAMG we help our clients understand the NIST 800-88 model and how to develop custom programs that address unique business, industry, and regulatory compliance requirements.  

For more information on appropriate methods and documentation of data destruction practices please review our short guide to NIST 800-88.


Topics: IT Asset Disposal, data destruction, NIST 800-88, eWaste Disposal, Risk Management, hard drive disposal, dod data destruction

IT Asset Disposal and Data Destruction Program Management

Posted by Frank Milia

Dec 10, 2014 9:50:00 AM

Since 1999 our primary business at IT Asset Management Group has been focused on developing and implementing the process, controls, and oversights necessary to run a compliant, secure, and economically viable IT asset disposition program.  We are now drawing upon our unique experience and capabilities to provide consulting, program management, and project management services for data destruction, environmental, asset management, and return management initiatives. 


ITAMG’s disposition programs are designed to bridge the gap and achieve the goals of various stakeholders including Finance, IT, Facilities, and Procurement departments.   

A broad approach to an asset disposal program is as follows:

  • Develop and furnish the initial operational, financial, and technical assessments relating to an asset disposition program.
  • Recommend alternative operational processes and organizational solutions.
  • Provide budgetary cost and income estimates for the alternative approaches.
  • Develop a Statement of Work for the program or project.
  • Assist with evaluation, selection, and contracting, including the execution of Service Level Agreements.
  • Provide implementation and acceptance testing project management.
  • Include ongoing program support as defined by the client, including delivery management, SLA monitoring, and documentation of the financial returns.
  • Ensure quality control and risk management.

 

ITAMG’s asset disposal program management services are best suited for the Fortune 500, large government agencies, IT value added resellers, and other institutions with a significant IT hardware portfolio that requires the liquidation of at least one million dollars of surplus IT equipment in a single fiscal year. 

However, we do engage smaller mid-market clients to consult on and improve IT asset disposal and data destruction practices as well as to provide our direct IT asset recovery and hard drive shredding services.    

 


Topics: IT End of Life Strategy, data destruction, Computer Liquidation, NIST 800-88, IT Asset Disposal NY

5 Attributes of a Successful IT Asset Disposition Program

Posted by Frank Milia

Aug 25, 2014 2:29:00 PM


Government agencies, corporations, and various institutions are taking measures to improve IT asset management and disposition practices in order to mitigate risk of a data breach, achieve environmental initiatives, and ensure optimal financial performance. The following are some key pieces to building a secure and efficient IT disposal program.  


1. Implement and utilize an asset management and inventory system

An asset management program’s success will be driven by the inventory tools and processes in place to track assets from cradle to grave, or in other words from the time of an asset’s implementation until the asset is recycled or liquidated. The inventory management system should be utilized to document when an asset is disposed of, its final destination (vendor and asset status), and what administrator or manager signed off on the disposition.

Having robust asset management data that includes model numbers, serial numbers, and other attributes and specifications of equipment also allows an organization to bid out an asset disposal contract more effectively and for more competitive returns.    

2. Track and maintain documentation of disposition and data destruction of assets

Asset management disposition data should be reconciled with the data provided by a firm’s disposal vendor. These inventory reports, settlements, and certifications of destruction and proper handling should be maintained in accessible formats.

The most sophisticated asset disposal programs utilize integration with a disposal vendor’s asset management software in order to confirm and document the disposition of an asset.  In the case of a full integration an asset management team can mark an item as shipped or disposed of and track the receiving, processing, sale, or recycling of the asset.

3. Sign a formal agreement with an IT asset disposition vendor or managed service provider

Take the steps to put an agreement in place with an IT asset disposal provider that documents your firm’s due diligence, understanding, and expectations of the vendor and performance milestones of the disposition program.

A standard Master Service Agreement (MSA) should include the following:

  • Data security and privacy policies (including the process for disclosure of potential exposures)
  • Commitment to environmental recycling controls and compliant waste management
  • Insurance coverage
  • Overview of service levels, process, financial obligations, reporting, and billing standards

4. Develop a data destruction process driven by NIST 800-88 Guidelines for Media Sanitization

If you’re unfamiliar with NIST 800-88 you can learn more from this introduction blog entry.

Developing a data destruction program to the best practices outlined by NIST 800-88 will ensure end-of-life data security and will establish a process for maintaining the audit-ready documents necessary to validate a firm’s data privacy compliance.

A program following the NIST 800-88 method will identify risk, categorize media, select effective eradication methods, set quality assurances, record and certify destruction of assets, and place responsibility of the program’s success on senior managers.    

Every organization should be considering the risk of a data breach caused by improper data sanitization and set eradication methods and disposal processes according to data privacy laws and industry specific regulations (e.g. HIPAA for health and human services).

5. Create an accounting mechanism to keep liquidation returns in the IT budget

IT asset managers and acting directors are tasked to quantify value to executive management and IT operations. Efficient liquidation of assets can yield significant returns, and these financial recoveries should not go unnoticed.

IT asset managers should develop accounting mechanisms to track returns from the disposal program as well as to keep the funds in the IT budget. This can be achieved by using a credit system for future product purchases or services instead of receiving direct payments from a disposal vendor. The disposal provider can provide goods and services directly or partner with an OEM or VAR to do so.  




Topics: IT Asset Disposal, IT Management, data sanitization, NIST 800-88

Intro to NIST 800-88: Data Destruction Best Practices

Posted by Frank Milia

Dec 5, 2013 8:24:00 PM

Attackers are targeting easier-to-access confidential information housed on company hard drives that are improperly disposed of. One must have data destruction policies and procedures in place to ensure a data breach doesn’t occur. The Guidelines for Media Sanitization (NIST Special Publication 800-88 Rev 1) clearly lay out the National Institute of Standards and Technology’s best practices.

In this document three forms of compliant sanitization are defined: clear, purge, and destroy.

 

  • Clear: Overwriting storage space with non-sensitive data is one way to sanitize media. This method is not effective for media that is damaged or not rewritable. The media type and size may also influence whether overwriting is a suitable sanitization method [SP 800-36].
  • Purge: Acceptable forms of purging include degaussing and executing the firmware Secure Erase command (for ATA drives only). In degaussing, a magnetic field is used to sanitize media. Degaussing is effective when working with damaged media, purging media with exceptionally large storage capacities, or purging diskettes [SP 800-36].
  • Destroy: Sanitization methods used to completely destroy media include disintegration, pulverization, melting, and incineration. Destruction methods are typically outsourced to an organization capable of performing these tasks safely and effectively. Pulverization is commonly referred to as hard drive shredding in the IT asset disposal industry.
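The Clear method above is only as good as the verification that follows it. As an added example, not code from the post or from ITAMG, here is a Python routine that reads back a drive image sector by sector (or a reproducible random sample of sectors), confirms each holds only the overwrite pattern, and returns the record a certificate of sanitization would cite; the drive image, the 512-byte sector size and the serial number are constructed for the demonstration.

```python
import random
from dataclasses import dataclass
from typing import List

SECTOR = 512  # bytes per logical sector in the constructed image


@dataclass
class VerificationRecord:
    media_id: str            # serial number or asset tag of the drive
    sectors_checked: int
    failed_sectors: List[int]  # sector numbers that still hold other data

    @property
    def passed(self) -> bool:
        return not self.failed_sectors


def verify_clear(image: bytes, pattern: bytes, media_id: str,
                 sample_fraction: float = 1.0, seed: int = 0) -> VerificationRecord:
    """Read back `image` and confirm every checked sector holds only `pattern`.

    sample_fraction=1.0 is a full verification (every sector read); a smaller
    value reads a random subset chosen with a fixed seed, so an auditor can
    reproduce exactly which sectors were examined."""
    if len(image) % SECTOR:
        raise ValueError("image is not a whole number of sectors")
    total = len(image) // SECTOR
    expected = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    if sample_fraction >= 1.0:
        sectors = range(total)
    else:
        count = max(1, int(total * sample_fraction))
        sectors = sorted(random.Random(seed).sample(range(total), count))
    failed = [i for i in sectors
              if image[i * SECTOR:(i + 1) * SECTOR] != expected]
    return VerificationRecord(media_id, len(sectors), failed)


def constructed_image(total_sectors: int = 64, leftover_sector: int = 37) -> bytes:
    """Constructed sample: a zero-filled 'drive' in which one sector was skipped
    by the overwrite tool and still holds the original data."""
    sectors = [bytes(SECTOR)] * total_sectors
    sectors[leftover_sector] = b"patient record 0042 ...".ljust(SECTOR, b"\xff")
    return b"".join(sectors)


if __name__ == "__main__":
    record = verify_clear(constructed_image(), b"\x00", "CONSTRUCTED-SN-0001")
    print("passed:", record.passed, "failed sectors:", record.failed_sectors)
```

A sampled verification can miss a stray sector, so a full read-back is the safer default when the media size allows it. Read-back only covers the logical address space and says nothing about remapped or spare blocks on flash media, which is one reason NIST 800-88 steers SSDs toward purge via firmware commands rather than overwrite alone.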

The NIST 800-88 document provides a Media Sanitization Decision Matrix containing media-specific lists of the clear, purge, and destroy options available for each media type.


Media that contains proprietary or confidential material, or is otherwise deemed high risk, must be given priority, and the strictest controls and destruction methods should be employed for it.

 


ITAMG handles media sanitization in accordance with the National Institute of Standards & Technology (NIST) Special Publication 800-88. We can work with you to implement the most appropriate methods of disposal for your media and establish a secure, audit-ready data destruction program.


Topics: IT Asset Disposal, data security, data destruction, data sanitization, NIST 800-88
