The NIST 800-88 r1 Explained: Your Data Security Compass

In the vast ocean of data security, having a reliable compass is crucial. For organizations and individuals alike, the NIST Special Publication 800-88 (often referred to as NIST 800-88 r1 and titled “Guidelines for Media Sanitization”) serves as a guide to data destruction.

What is The NIST 800-88 r1 Standard?

The NIST 800-88 r1 is a publication that provides guidance on data destruction when media will be reused or leaving your company’s control. It also helps to make informed decisions about data disposal, sanitization, and data controls during the life cycle of an asset. Guidance is based on the categorization of data.

How does the NIST 800-88 r1 categorize data?

The NIST 800-88 r1 categorizes data into three security tiers: low, moderate, and high. These tiers work in conjunction with security objectives found in the Federal Information Processing Standard (FIPS) 199 and specifically the impact level a data nonconformity would have on those security objectives.

What are the security objectives outlined in the Federal Information Processing Standard (FIPS) 199?

The Federal Information Processing Standard (FIPS) 199 outlines the following security objectives:

  • Confidentiality: Ensuring only authorized access and disclosure of information.

  • Integrity: Ensuring data authenticity and preventing improper modification or destruction.

  • Availability: Ensuring data access and use is timely and reliable.

What are the impact levels outlined in the Federal Information Processing Standard (FIPS) 199?

The Federal Information Processing Standard (FIPS) 199 outlines the following impact levels

  • Low – Loss of control of a security objective would have a limited adverse effect on operations, assets, or individuals.

  • Moderate: Loss of control of a security objective could have a serious adverse effect on operations, assets or individuals.

  • High: Loss of control of a security objective could have a severe or catastrophic adverse effect on operations, assets, or individuals.

Once an impact level has been assigned to each security, the data categorization is based on the most severe impact level identified.

How do you decide on a data destruction process?

Data destruction should be based on three factors: the security categorization of the data, is reuse of the media permissible and if the media leaving your company’s control.

If reuse of the media is not permitted, physical destruction is always required. If reuse of the media is permitted, use the flow chart provided below:

Navigating Data Destruction: Beyond the NIST Standard

While the NIST standard is there to help provide guidance on industry best practices, remember there are other factors to consider when choosing the right data destruction method. This includes not only regulatory requirements but also costs and sustainability.

The next time you’re pondering over how to handle obsolete data, remember it may not be as straightforward as it seems. But following internal policies along industry best practices, you can navigate the data destruction process with confidence and clarity.