Reasons to Sanitise

Is it time to consider purchasing some new PC hardware? What about the old ones? Can you sell them on to recoup some of the cost of the new ones? Oh but what about the data (client, employee, corporate, sensitive, patient, prisoner, classified, etc)? Can you just Delete and then Empty the Recycle Bin…?

No. You may have seen this (and others like it):

NHS Trust fined £325,000 following data breach affecting thousands of patients and staff 1 June 2012” for “the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff… on hard drives sold on an Internet auction site…”.

Which leads on to news like this:

Information Commissioner Office Gets Some Teeth”, 29 October 2012 – “The UK Information Commissioner Office is starting to ramp up its efforts to ensure organisations are taking the Data Protection Act seriously. In 2012 alone the ICO has issued over eighteen organisations or individuals penalties; with an average fine of over £125,000 and total fines of over £2,200,000.”

Your information is a key asset and its proper use is fundamental to the manner in which you manage your business. Rules apply to Government departments and certain businesses, but the topic also applies to you as an individual. When you’ve seen the next generation shiny gadget you couldn’t possibly live without, what are you going to do with the old one; especially when you’ve been doing your online banking and social and business networking on it?

From a Government perspective, the public are entitled to expect that Government will protect their privacy and use and handle information professionally. The Cabinet Office’s directive to Government Departments and Agencies via the Security Policy Framework is that they must ensure that all media used for storing or processing protectively marked information must be disposed of or sanitised in accordance with specific Government standards.

Government Departments and Agencies should employ somebody to advise them of this and how best to protect the information they hold or process[1].

From a Private Sector perspective, if inclined to achieve ISO/IEC 27001:2005 Compliance or Certification, businesses are required to measure up to the following: “All items of equipment containing storage media shall be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.” The detail here is the ‘checked’; it’s not just a matter of deleting and emptying the Recycle Bin, it’s having assurance that the data has actually been completely removed.

However, as we’re all (Public and Private Sectors) bound by the Data Protection Act (DPA) 1998, we all have an obligation to protect the information we process. Just as a reminder, the 7th DPA Principle states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and against accidental loss…”. One of the Information Commissioner’s Office’s Top Tips is to: “Securely remove all personal information before disposing of old computers (by using technology or destroying the hard disk)”.

Well, when it comes to the deletion process, yes, emptying the Recycle Bin will hide deleted files, offering security by obscurity, and will prevent a data thief from recovering the data by normal means; however it will remain recorded on the drive until it is written over as unneeded data by another file(s) positioned with an overriding priority by the Operating System. However, you won’t know when it’s done this, and the majority of the time only portions of the data will be overwritten, leaving the remainder open to analysis by a data thief with cheap/free software able to conduct deleted file recovery.

As an alternative to this and to enable data “release to anywhere” [2] we advise the use of data sanitisation software, or degaussing and subsequent destruction of the memory components of your devices. Government departments, which dispose of media components regularly, may want to source their own software or equipment. Alternatively either of these options can be contracted to an external recognised company[3], who are able to clean or destroy your data memory components and provide you with a certificate (with CESG recognition) for having done so.

[1] If yours doesn’t, please call Regency IT Consulting on 01242 225699 to discuss the matter further.

[2] HMG Information Assurance Standard Number 5.

[3] Iron Mountain and Capita Secure Information Systems are examples.