4.2 Explain the security implications of proper hardware, software, and data asset management

• Role of asset management in organizations.

• Necessity for data destruction in certain circumstances.

• Importance of ensuring security through compliance and resource management.

Data Retention and Destruction

• Organizations must destroy data post-retention period.

• Compliance with internal policies and external regulations is critical.

• Objectives of data destruction:

  • Security

  • Compliance

  • Optimization of storage resources

Importance of Secure Data Destruction

• Compliance with legal and regulatory bodies:

  • General Data Protection Regulation (GDPR)

  • Health Insurance Portability and Accountability Act (HIPAA)

• Obligation to delete or destroy data once it is no longer needed or upon request from the data subject.

• Periodic destruction of outdated data:

  • Maintains efficient storage utilization.

  • Reduces risk of data breaches.

Decommissioning of Storage Devices

• Critical steps to ensure data destruction before disposal or repurposing.

• Specific methods should align with the type of storage media being decommissioned:

  • Hard Disk Drives (HDDs):

  • Effective data wiping methods:

    • Overwriting data with zeros.

    • Multiple passes of various patterns to thwart data recovery attempts.

  • Solid-State Drives (SSDs):

  • Traditional overwriting methods are ineffective due to:

    • Wear leveling

    • Bad block management.

  • Recommended method: ATA Secure Erase

    • Command directs the drive’s firmware to sanitize all stored data, including inaccessible marked-as-bad memory cells.

Asset Disposal and Decommissioning Concepts

• Focus: Secure and compliant handling of data & storage devices at the end of their lifecycle.

Key Concepts:

1. Sanitization:

   • Definition: The process of removing sensitive information to prevent unauthorized access/data breaches.

   • Techniques:

     • Data wiping

     • Degaussing

     • Encryption

   • Importance in compliance with data protection regulations when repurposing/donating devices.

2. Destruction:

   • Definition: The physical or electronic elimination of information to render it inaccessible and irrecoverable.

   • Methods:

     • Physical destruction:

     • Shredding

     • Crushing

     • Incineration

     • Electronic destruction:

     • Overwriting data multiple times

     • Degaussing to eliminate magnetic fields.

   • Significance in ensuring data cannot be recovered or misused post-disposal.

3. Certification:

   • Definition: Documentation and verification of the sanitization/destruction process.

   • Involvement of third-party providers:

     • Obtain a certificate of destruction/sanitization.

   • Benefits of certification:

     • Evidence of compliance with data protection regulations.

     • Reduces risk of legal liabilities.

Challenges in Certification

• Difficulty in certifying data destruction without third-party involvement.

• Offers impartial evaluation and assurance of proper procedures being followed.

Data Wiping Methods and Software

• Active KillDisk software is an example of data wiping technology.

• Understanding of HDD data deletion:

  • Data on magnetic-type HDDs is not fully erased; only marked as available for writing.

  • Standard tools (e.g., Windows format) remove file references but do not erase the data.

Overwriting Techniques for HDDs

• Standard method of sanitizing an HDD is overwriting.

• Types of Overwriting:

  • Zero Filling:

  • Basic method where each bit is set to zero.

  • Secure Method:

  • Overwrite with:

    • One pass of all zeros.

    • One pass of all ones.

    • One pass in a pseudorandom pattern.

• Historical context:

  • Some federal requirements stipulated a “three pass rule” per DoD manual.

  • Transition to NIST SP 800-88 for media sanitization guidelines.

• Time consideration: Overwriting can take considerable time based on the number of passes required.