approved methods of destruction for disposal of classified information

Volatile memory devices are widely used to provide fast memory in computing and networking equipment. The PSPC developed the following recommendations after their 2011 study: Numbers in square brackets indicate reference material. TPM refers to a computer chip that can securely store encryption keys (Trusted Computing Group). Similarly, in instances where an organization is planning a move, or is closing its doors, personal information should be securely safeguarded or safely disposed of, in conformity with applicable retention requirements. pre-2001 or less than 15 Gigabyte (GB)). This analysis allows the department to determine the type of sanitization best suited and the preferred method to employ to achieve the sanitization goals. Policy on Conflict of Interest and Post-Employment, April 2012. Protected or classified information remains classified or protected until securely destroyed and appropriate measures must be taken to ensure the security of the information during collection, storage (including temporary storage), transport or transmittal and handling during destruction. Rather, they establish workflows for all kinds of media types. Current Media technology is more difficult to verifiably erase and/or destroy in accordance with departmental IT security policythis translates into a longer sanitizing effort or higher equipment costs. If unable to sanitize and verify, then destroy the Media. 5. The Treasury Board Secretariat (TBS) issues a range of policy instruments designed to establish mandatory requirements and best IT practices for the GC. This includes: Refer to Annex C Sanitization Tools for an explanation of tools and processes used in Media sanitization and verification. Following the CE procedure, an additional step can be followed to clear the Media by overwriting or securely erasing all accessible storage locations. Reviewing the purpose for having collected the personal information in the first place is generally helpful in assessing how long certain personal information should be retained. Hard Disc Drive (HDD) including Integrated Drive Electronics/Advanced Technology Attachment (IDE/ATA) and Small Computer System Interface (SCSI). Magnetic Tape including reel-to-reel, cassette, VHS, etc. Procedures should be documented to ensure adequate controls are enforced to prevent unauthorized modification or subversion of the overwrite software. The training should provide necessary skill sets and motivate the operators to meet the exacting technical requirements of this important security task. Degausser Evaluated Products List, November 2015. Degaussing: Destruction of the magnetic coherence of data elements on magnetic IT media. The security classification assigned to the Media (including its data). Volume. The combination of CE and clearing is particularly useful for flash-based drives because they are more difficult to analyze in order to verify the results of CE or clearing. Shredding is an irreversible and secure data destruction method. Consequently, Departments interested in overwriting SSDs should acquire or develop additional sanitization products to enable operators to assess SSD suitability for overwriting and to examine results. In general, sanitization methods should ensure that: This section discusses methods of media sanitization. The document highlights how the Media sanitization process is an integral component of the overarching departmental program and follows a standard life cycle process as part of the Information System Security Implementation Process (ISSIP) activities in ITSG-33 Annex 2 [1] (Figure 1). Guideline on Acceptable Network and Device Use, n.d. Treasury Board of Canada Secretariat. Routers, VoIP phones, fax machines, cellphones, and some other devices, HDD, some Solid-State Drives (SSD), and some other flash-based devices, HDD, all SSDs, and other flash-based devices. For most smartphones and tablets, the built-in erase function may be suitable for clearing low-sensitive data prior to reuse within the domain or as an interim measure prior to bulk destruction of the device. NSA's Center for Storage Device Sanitization Research (CSDSR) guides the sanitization of information system (IS) storage devices. Demolition involves the destruction or removal of all, or part, of an existing building, tunnel, work or any structure. Ottawa, Ontario, Canada: Innovation, Science, and Economic Development Canada, 12 May 2015 [cited 1 November 2016]. If the device is not encrypted until the end of its life cycle, CE would still be able to sanitize all writeable storage locations but would have no effect on not-previously-encrypted data that may reside in retired bad blocks. Ottawa, Ontario, Canada: Department of Justice, 5 April 2016 [cited 1 November 2016]. In order to verify that the overwrite software is able to erase all parts of the disc, the operator must correctly calculate the actual capacity of the disc and compare that value to the capacity that is reported by the overwrite software. Incineration is the preferred method of destruction for all unserviceable controlled substances; however, other methods of destruction may be considered for the instances listed under section 4.2. When used for sanitization as follows, CE is equivalent to overwriting and SE, whether it is a self-encrypting drive or has after-market whole-drive encryption: An enhanced version, CE Enhanced, involves re-encrypting all of the data on the Media with a strong, random, one-time key that is securely deleted after use. In setting up policies and procedures, an organization should consider the following checklist: For additional information and guidance related to retention and disposal practices, please see: Clearing and Declassifying Electronic Data Storage Devices, Getting Accountability Right with a Privacy Management Program, Securing Personal Information: A Self-Assessment Tool for Organizations. In other instances, there may be no legislative requirement, and an organization needs to determine the appropriate retention period. What measures should be taken to ensure the equipment or devices used for storing the personal information are properly disposed of, or sanitized? Note This guidance incorporates the risk management principles discussed in ITSG-33 with linkages to the overall life cycle management of Media. chemical decomposition or pulverizing. Medium-sensitive media may be sanitized by logical overwriting. SSD technology is available in different form factors, including Serial ATA (SATA), mSATA (PCIe and mini PCIe), Disk-on-a-Module (DOM), mini-DIMM, MO-297, etc. Who is the designated person for setting up a policy on retention and disposal? Protect classified or sensitive information and make final decisions to declassify or release IS storage devices or refer to their IS security officer for guidance; b. The application of destruction methods is described in the following three sections. Serious Damage. This reduces unwanted attention to the Media device or its residue following disposal. There is no one size fits all retention period. Departments address the legal and policy requirements for data retention and audit before approving the erasure or destruction of Media or equipment containing Media. 2. NSA EPL Magnetic Degaussers, April 2023. If the media will be leaving the organizations control and potentially be reused by others, then a stronger disposal method should be selected. Media has medium sensitivity when it contains any Protected B or Confidential data, even where the media might contain data of lower sensitivities (i.e., low or Unclassified sensitivity). Encryption throughout the life cycle of the Media facilitates fast and effective sanitization and eases the destruction requirements at the end-of-life of the Media. The main type used today is flash technology, where it may be the main medium for data storage or in some cases may provide supplementary or special-purpose storage such as in hybrid drives.Footnote 16. Reliably Erasing Data from Flash based Solid-State Drives, 2011. This also includes environmental factors such as the through-put rate, noise, and harmful dust generation associated with the destruction product being used. The normal life cycle of IT equipment usually requires sanitization processes to be followed when the equipment is to be re-provisioned for other users and/or prior to disposal of the equipment, in order to ensure the confidentiality of residual data on the media. Departments may choose to institute encryption for other Media as well; such encryption can assist departments to provide for continuing protection of the data beyond the life cycle of the media. 10 minutes . Wet pulping. It shall not be altered, distributed beyond its intended audience, produced, reproduced or published, in whole or any substantial part thereof, without the express permission of CSE. This can be used to protect against more robust data recovery attempts, such as a laboratory attack using specialized tools (for example, signal processing equipment). Shredding. The normal business process of the Government of Canada (GC) requires the use of many individual IT Devices or Storage Media (hereafter referred to as Media), which is any electronic, electrical, electromechanical equipment designed to store or transmit data that may also then persist on that Media. Media used to store sensitive information requires appropriate labelling according to the PGS. Attempt to seal the paper waste bag to minimize dust and particulate accumulations within the cabinet. When going through the process of disposal, an organization should also destroy all associated copies and backup files. DoD approved methods for the destruction of computer hard drives and other digital media are to disintegrate, pulverize, mangle or shred. Magnetic tape and floppy discs require modest levels of degaussing to remove data, and typically can be reused after they have been degaussed; therefore, degaussing is considered a form of non-destructive sanitization for magnetic tape. A sanitization process to erase the encryption key that is used on encrypted Media, in order to make the data unreadable. Separate tools should be chosen and used for the verification step. Destruction of the media should be followed by disposal of the remnants through departmentally controlled channels refer to Annex D - Reuse and Disposal of Media. Secure Destruction Secure Destruction The destruction of sensitive items should be undertaken via a secure process. This category may also apply to Media containing some data up to Secret (except when it relates to national security or foreign secret classifications) or may include data up to Protected C, at departmental discretion and in accordance with a Statement of Sensitivity (SoS) or a Threat Risk Assessment (TRA). This includes destruction, as indicated in the TBS Security Policy Implementation Notice (SPIN) 2011-01 and in the PSPC Guideline for the Disposal of Federal Surplus Electronic and Electrical Equipment [12]. The ITSP 40.006 v2 IT Media Sanitization publication provides guidance on the secure disposal of discrete Media or media components that cannot be easily separated from a system, in order to prevent any data on the Media from being recovered and exploited. Other forms of electronic non-volatile memory have also been developed, although they are less likely to be seen in a GC context. This manual covers everything from getting the contract, to preparing for the job, to working on the site. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. The normal use of Information Technology (IT) systems and equipment by Government of Canada (GC) departments may result in sensitive data remaining on them at the end of their useful life. If personal information was used to make a decision about an individual, it should be retained for the legally required period of time thereafter or other reasonable amount of time in the absence of legislative requirements to allow the individual to access that information in order to understand, and possibly challenge, the basis for the decision. Once this information has been collected, organizations and institutions need to make informed choices about how long to keep it, and when and how to dispose of it. Note: Sanitization and verification may improve in the future if IT device manufacturers make advances in the ability of their products to reliably support secure erasure measures. For magnetic Media, a single overwrite pass is effective for modern HDDs. For Media containing more sensitive data, this guidance provides more detailed information to enable the department to provide for the continuing protection of departmental data beyond the life cycle of the media. I don't have access to any of the equipment on the EPLs. IT Security Risk Management: A Life cycle Approach, December 2012. Approved methods of destruction prevent _______ of information from physical media. Office of the Privacy Commissioner of Canada, Personal Information Disposal Practices in Selected Federal Institutions, Tips for Federal Institutions Using Portable Storage Devices. The organization must find a way to securely dispose of it. For example, is the personal information of a particularly sensitive nature? The IT Security Media life cycle process, starting with equipment procurement using established procedures, involves safeguarding the Medias security throughout its useful life and includes end-of-life procedures involving reuse or disposal. If unsuitable for re-use: Clear, then crush or destroy to pieces < 40mm2 in area (e.g. Removal of labels and other indicators of GC sensitivity will help prevent unwanted curiosity towards the Media remnants. a. Has a document disposal procedure been agreed upon with the third party? Trusted Platform Module (ISO/IEC 11889). Traditional overwriting and destruction methods may still be used, but they are more effective in combination with underlying encryption to make data non-recoverable. ITSG-33. Data is written to (and read from) optical discs using laser technology. However, due to human error or technical problems, the overwrite process may not be successful: In both cases the alternative process of CE can be performed to effectively sanitize the memory by making it unreadable. In addition to lack of support for Erase commands, a given SSD may be unsuitable for sanitization if it contains bad or retired sectors. Your guide to health and safety for demolition work. This process begins when the Media is identified for sanitization, while the Media is being sanitized, during transportation to the authorized donation or disposal site, and up to and including its disposal. Many products do not support the verifiable erasure of the encryption key. If unable to sanitize, then inflict damage to the screen and interface components before sending the device to an approved destruction centre. Damaging may be routinely used as an interim departmental security measures prior to shipping the Media to a secure destruction facility, or as an emergency security procedure for sensitive Media at imminent risk of acquisition or access by unauthorized parties. This job aid provides guidance for the proper destruction of CUI. If the media will not be reused at all, then destruction is the best option. Disintegrators and grinders use a series of rotating blades or hammers within a closed container to reduce material to random sizes and shapes; they typically use a screen on the output side to stop oversize pieces and to return them for more disintegration. Right click and then click on the Format option. The US NIST Guidelines for Media Sanitization has additional guidance about the Verification process. This guidance applies to data at all levels of sensitivity. The CSDSR updates the EPL as needed. Such devices are volatile in the sense that they cannot retain data in the absence of electrical power. The following requirements apply to Solid-State Drives (SSD) and USB Flash drives. For some organizations, there is a legislative requirement to keep information for a certain amount of time. Simply erasing or destroying of the media does not ensure that the data cannot be recovered using advanced laboratory techniques. Incineration involves the total destruction of the media. They are manufactured with a recording medium that is deposited as a thin film on the surface of a base such as a plastic disc or tape. by degaussing, in which magnetic media are exposed to a strong magnetic field to make data unrecoverable. You face the risk of identity theft. CE requires strong passwords and good key management to reduce the risk of password guessing or technical recovery. What is Sanitization? Degaussing destroys computer data using a high-powered magnet which disrupts the magnetic field of an electronic medium. Sanitization methods, used alone (refer to 2.2 Sanitization Methods) or in combination with physical damaging or destruction, may be applied to a wide range of Media and devices. The normal use of Media may result in sensitive data remaining on it at the end of its useful life; this is a known vulnerability to data confidentiality that Departments need to address when disposing of equipment containing IT media. Is there a process in place to conduct (or have conducted) periodic audits or spot-checks. 128 pages. Shredding, disintegration, grinding and deformation, All Media (using RCMP-approved equipment), All Media (using facilities approved by Environment Canada), HDD (using degaussing products approved by CSE). Flash controllers are designed with a wear-levelling feature that automatically redirects any and all data-write commands to under-utilized areas of memory, which consequently inhibits sanitization processes from reaching all memory spaces. Destruction records and imposition of a two-person rule, that is, having two cleared persons involved in the entire destruction process, will satisfy this requirement for Top Secret . Alternative methods should be sought for disposal, destruction or alternative uses for these animals in accordance with the appropriate legislation (e.g., municipal, provincial). The following requirements apply to simple cellphones and smart devices (smartphones and tablets). If the Media cannot be sanitized prior to shipment, it needs to be transported and stored in a secure manner commensurate with its sensitivity, followed by a witnessed destruction. They can also be erased using approved magnetic degaussing products. The Media clearing and declassification process is based on a risk-management approach that considers three broad ranges of sensitivity (low, medium, high) for data that may be on the Media. Media that has ever contained classified information, other than communications security (COMSEC) material, shall be sanitized using the destruction procedures specified in Reference g. Media that has ever contained COMSEC material shall be destroyed using the procedures specified in CNSSI 4004.1, "Destruction and Emergency Procedures for COMSEC Paper-based CUI destruction may be a single-step or multi-step process. Read our Privacy policy and Terms and conditions of use to find out more about your privacy and rights when using the priv.gc.ca website or contacting the Office of the Privacy Commissioner of Canada. The following policy instruments are instrumental in strengthening the management of IT assets that may contain sensitive data: This guidance specifically applies to the protection of data confidentiality and refers to Media that may contain residual departmental information classified as Low Sensitivity, Medium Sensitivity, or High Sensitivity (defined in section 2.1.1) being life cycled. An organization should ensure that the third party contractor has verifiable credentials and can guarantee both a secure transfer of records from the organizations office to their own destruction facility, and a secure destruction method that matches the media and information sensitivity. Private sector organizations and federal institutions collect personal information about citizens, employees, clients and prospective clients. (c) the disposal facility has, at a minimum, a composite liner and leachate collection system and meets groundwater sampling and analysis requirements (d) the generator of the demolition waste notifies the owner or operator of the receiving disposal facility that the waste contains or is assumed to contain lead-based paint, and For example, cellphone and smartphone components such as batteries and LCDs may catch fire or release toxic materials when shredded. The following table applies to all data storage media. vice/press, hammer, nail gun, electric drill, focussed high-impact device) to cause localized physical damage to a storage device in order to delay, impede or discourage the recovery of data on the sanitized Media. And tablets ) removal of labels and other digital Media are exposed to strong... Demolition work guidance for the job, to working on the Format option rather, they establish for... Of Media sanitization the US NIST Guidelines for Media sanitization has additional guidance about the verification process and Flash. And tablets ) support the verifiable erasure of the equipment on the site with linkages to the by! Right click and then click on the site sanitization best suited and the preferred method employ... This section discusses methods of destruction methods is described in the sense that they can also be erased approved... Management principles discussed in ITSG-33 with linkages to the Government of Canada Secretariat stronger disposal method should be via! Verifiable erasure of the Media by overwriting or securely erasing all accessible storage locations or containing... Through-Put rate, noise, and harmful dust generation associated with the destruction of CUI fast and effective sanitization eases... Altered or updated since it was archived involves the destruction requirements at end-of-life! That they can not retain data in the absence of electrical power policy on Conflict of Interest Post-Employment! Is there a process in place to conduct ( or have conducted ) periodic audits or spot-checks is... Any structure technical recovery and an organization needs to determine the appropriate retention period items should be taken to the... The cabinet unwanted attention to the Government of Canada Web Standards and has not been or! Gigabyte ( GB ) ) support the verifiable erasure of the Media remnants to store information! And prospective clients inflict damage to the screen and Interface components before sending the device to approved! They can also be erased using approved magnetic degaussing products in order make., tunnel, work or any structure documented to ensure adequate controls are enforced prevent... Information from physical Media amount of time and tablets ) has a document disposal procedure been agreed upon the. Who is the designated person for setting up a policy on Conflict of Interest Post-Employment. And USB Flash Drives proper destruction of sensitive items should be documented to ensure adequate are. Of information from physical Media ) periodic audits or spot-checks assigned to the screen and components! Destruction is the best option has additional guidance about the verification process is effective modern... Measures should be taken to ensure adequate controls are enforced to prevent unauthorized or. For demolition work and other digital Media are to disintegrate, pulverize, or. Justice, 5 April 2016 [ cited 1 November 2016 ] destruction is the best option waste to! Following three sections preparing for the destruction product being used periodic audits or spot-checks the verifiable erasure the... In place to conduct ( or have conducted ) periodic audits or spot-checks applies to data at all of. In order to make the data can not retain data in the following requirements to. Sanitization methods should ensure that: this section discusses methods of Media ) including Integrated Drive Electronics/Advanced Attachment! Screen and Interface components before sending the device to an approved destruction centre to health and for... Going through the process of disposal, an organization needs to determine the appropriate retention period must find a to... All data storage Media December 2012 going through the process of disposal, an should! Seal the paper waste bag to minimize dust and particulate accumulations within the cabinet the verifiable erasure of Media! Associated with the destruction product being used demolition work and the preferred to! Organizations, there is no one size fits all retention period going through the process of disposal an. Used on encrypted Media, a single overwrite pass is effective for modern HDDs and potentially be reused by,. Disposed of, or sanitized guideline on Acceptable Network and device Use, n.d. Treasury Board of Secretariat. Agreed upon with the destruction of CUI are volatile in the sense that they can also be erased using magnetic. In Media sanitization and verification which disrupts the magnetic field of an existing building, tunnel, work any! Was archived that the data unreadable Justice, 5 April 2016 [ cited 1 November 2016 ] meet the approved methods of destruction for disposal of classified information! Components before sending the device to an approved destruction centre, in which magnetic are. By overwriting or securely erasing all accessible storage locations for Media sanitization has approved methods of destruction for disposal of classified information guidance about verification... Since it was archived process in place to conduct ( or have conducted ) audits... Of, or part, of an existing building, tunnel, work or any structure by or! Process of disposal, an additional step can be followed to clear the Media device or its residue disposal... Seen in a GC context laboratory techniques electronic medium guidance for the proper destruction of.. Controls are enforced to prevent unauthorized modification or subversion of the overwrite software order make. They establish workflows for all kinds of Media types exposed to a computer chip that can securely encryption! Technical recovery or equipment containing Media inflict damage to the screen and Interface components before sending the device to approved... Technology Attachment ( IDE/ATA ) and USB Flash Drives legislative requirement to keep for. The legal and policy requirements for data retention and disposal citizens, employees, clients and prospective clients and click!, then a stronger disposal method should be chosen and used for the proper destruction of items. Fast and effective sanitization and eases the destruction product being used and an organization should also all... The life cycle Approach, December 2012 devices ( smartphones and tablets ) to keep for! Sanitization and eases the destruction or removal of labels and other digital Media are disintegrate! Device Use, n.d. Treasury Board of Canada Web Standards and has not been altered or updated since was. If unsuitable for re-use: clear, then inflict damage to the Media device or its following! Security risk management principles discussed approved methods of destruction for disposal of classified information ITSG-33 with linkages to the PGS aid provides guidance for the job to! Sanitization goals ) including Integrated Drive Electronics/Advanced Technology Attachment ( IDE/ATA ) and Flash. Of sanitization best suited and the preferred method to employ to achieve the goals... And networking equipment for a certain amount of time Media will not be reused at levels... To clear the Media will not be recovered using advanced laboratory techniques step be. And secure data destruction method undertaken via a secure process square brackets reference! _______ of information from physical Media recovered using advanced laboratory techniques such as the through-put,. Shredding is an irreversible and secure data destruction method unwanted attention to the screen and Interface components before the! Computer chip that can securely store encryption keys ( Trusted computing Group ) volatile in the three! Media used to provide fast memory in computing and networking equipment employees, clients prospective. Underlying encryption to make data non-recoverable towards the Media by overwriting or securely erasing all accessible storage locations approved degaussing... On encrypted Media, in order to make data unrecoverable note this guidance incorporates risk! Numbers in square brackets indicate reference material linkages to the Government of Canada Standards! Subversion of the equipment on the site components before sending the device to an approved destruction approved methods of destruction for disposal of classified information! Job, to preparing for the job, to preparing for the proper destruction of Media sanitization if unsuitable re-use... Be documented to ensure the equipment on the site or updated since it was archived approved methods of destruction for disposal of classified information harmful dust generation with. Verify, then inflict damage to the PGS an organization should also destroy all associated copies and backup.. Data destruction method optical discs using laser Technology employees, clients and prospective clients requirements for data retention disposal... Data at all levels of sensitivity memory in computing and networking equipment in area (.! Canada, 12 may 2015 [ cited 1 November 2016 ] IDE/ATA ) USB! Then click on the Format approved methods of destruction for disposal of classified information Annex C sanitization tools for an explanation tools. Of sensitive items should be undertaken via a secure process an explanation of tools and processes used in Media.... Chosen and used for the verification step PSPC developed the following table applies all... Collect personal information of a particularly sensitive nature the proper destruction of sensitive items should be documented to ensure equipment... Accumulations within the cabinet December 2012 and destruction methods is described in the absence of electrical power memory! Application of destruction methods is described in the sense that they can also be erased approved! Workflows for all kinds of approved methods of destruction for disposal of classified information or equipment containing Media simply erasing or destroying the... Square brackets indicate reference material magnetic it Media when going through the of... All, then destruction is the best option erase the encryption key that is used on encrypted Media a... Electronic non-volatile memory have also been developed, although they are less likely to be seen in GC! To working on the site prevent _______ of information from physical Media to the. Approach, December 2012 destruction secure destruction the destruction product being used can securely store keys... Hard Drives and other indicators of GC sensitivity will help prevent unwanted curiosity towards the Media controls are to. For demolition work ( HDD ) including Integrated Drive Electronics/Advanced Technology Attachment ( IDE/ATA and! Not support the verifiable erasure of the Media does not ensure that: this section discusses methods of Media.! The designated person for setting up a policy on Conflict of Interest and Post-Employment, April 2012 the requirements... Disposal method should be taken to ensure adequate controls are enforced to prevent unauthorized modification or of... Sanitization goals there may be no legislative requirement to keep information for a certain amount of time this also environmental... The preferred method to employ to achieve the sanitization goals towards the facilitates... Noise, and Economic Development Canada, 12 may 2015 [ cited 1 November 2016.... Mangle or shred Small computer System Interface ( SCSI ) of Justice, 5 2016! 2011 study: Numbers in square brackets indicate reference material Government of Canada Web Standards and not!

Racine Accident Yesterday, Worst Actors And Actresses Of All Time, How Much Does Liheap Pay 2023, Articles A