Environmental Symposium Data Security And Destruction Issues A.K.A. - Disk Sanitization Mike Caltabiano Environmental Protection Agency, Office of Environmental.

Slides:

Advertisements

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Advertisements

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Identification and Disposition of Official University Records University of Texas at Arlington Records Management.

Understanding secure data erasure and end-of-lifecycle IT asset management.

Business Introduction Table of Contents Introduction to Green Data, Inc.1 Green Data Services2 Scanning3 Archiving & Storage4 Shredding5 Consulting6.

Aspects of Electronic Waste Disposal Lawrence P. Hayes P.E. E-Waste Experts, Inc.

Disclaimer Certain trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation.

1 © Jetico, Inc. Oy Military-Standard Data Protection Software Customer Challenges with Classified Data Spills.

Sanitizing Data from Storage Devices with a Live CD Brian Compton College of Technology – University of Houston Sanitizing Data from Storage Devices with.

1 X-Ways Security: Permanent Erasure Supervised By: Dr. Lo’ai Tawalbeh Prepared By :Murad M. Ali.

This presentation will take a look at to prevent your information from being discovered by and investigator.

NOAA Computer/Hard Drive Sanitization Validation Form and PDA/Cell Phone Destruction Worksheet.

Media Sanitization  NIST Guidance  Terms Defined  When is media under/not under your control?  Flowchart for decision making  Spreadsheet of.

Media Sanitization How to get rid of unwanted data so no one else can get it.

Records Management Basics 1 Jasmine Sourignavong, Division of Records Management Tre Hargett, Secretary of State.

Federal Acquisition Service U.S. General Services Administration January 2009 U.S. General Services Administration COMPUTERS AND ELECTRONICS DISPOSAL.

Disk Clearing and Disk Sanitization

EPA’S Work Related to Design, Procurement & Use, and End- of- life Management of Electronics GLRPPR Summer Conference August, 2005 Joe Bergstein USEPA.

Locking the Backdoor: Computer Security and Medical Office Practice Dr. Maury Pinsk, FRCPC University of Alberta Division of Pediatric Nephrology.

Developing a Records & Information Retention & Disposition Program:

Agenda Safe disposal practices for computers and information: –Removing files and folders –Disposing of computers –Disposing of other electronic devices.

Data Elimination 101. What Does Degauss Mean? Computer hard drives use magnetic fields to store data on special discs called platters. Degaussing is the.

Recycling Electronics and Asset Disposition (READ) Services An EPA Initiative.

 What is electronic data?  Information stored electronically, e.g. pictures, music, documents, etc.  Where can you store your data?  Cell phones 

Identify a few method to dispose of the hard drive of computers.

Equipment Surplus & Secure Media Destruction Michael Thorn, Data Security Specialist.

1st Choice Document Destruction, Inc (a member of the NAID Association) is proud to be an exclusive distributor for “The Guardian” Hard Drive Destroyer.

Data Deletion and Recovery. Data Deletion  What does data deletion mean in your own words?

National Property Management Association Disposing of Assets Containing Sensitive Information Kim Doner, CPPM SRA International.

 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.

Headquarters in Austin, Texas, Teksavers is a Trusted Leader in Technology Asset Recovery and Recycling Services. Our Staff Has Over 40 Years of Combined.

April 23, Massachusetts’ New Data Security Regulations: Ten Steps To Compliance Amy Crafts

The Office Procedures and Technology

LAN / WAN Business Proposal. What is a LAN or WAN? A LAN is a Local Area Network it usually connects all computers in one building or several building.

Electronic Public Record What is it, and Where Can Agency Lawyers Find It?

Federal Acquisition Service U.S. General Services Administration REPORTING PERSONAL PROPERTY FOR DISPOSAL Eddie Panko Area Property Officer January 2009.

Section Seven: Information Systems Security Note: All classified markings contained within this presentation are for training purposes only.

1st Choice Document Destruction (a member of the NAID Association) is proud to be an exclusive distributor for The Guardian Hard Drive Destroyer. Anyone.

Active KillDisk © v3.0 Active Data Security Solutions.

David N. Wozei Systems Administrator, IT Auditor.

Ames Laboratory Privacy and Personally Identifiable Information (PII) Training Welcome to the Ames Laboratory’s training on Personally Identifiable Information.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

TEMPLATE DESIGN © Android Data Confidentiality Alex Mayer University of Houston Abstract Employees are increasingly relying.

1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification.

1 Maintain System Integrity Maintain Equipment and Consumables ICAS2017B_ICAU2007B Using Computer Operating system ICAU2231B Caring for Technology Backup.

Media Sanitization at the Idaho National Laboratory Jonathan Bates NLIT 2009.

Preventing Common Causes of loss. Common Causes of Loss of Data Accidental Erasure – close a file and don’t save it, – write over the original file when.

Data Destruction Is it really gone? Donna Read Chris Parker Florida Gulf Coast ARMA Chapter April 2013.

GCSE Information Technology Storing data Data storage devices can be divided into 2 main categories: Backing storage is used to store programs and data.

Microsoft Office 2008 for Mac – Illustrated Unit C: Understanding File Management.

1 st Choice Document Destruction th Avenue, Milaca, Minnesota Office: Cell:

1 Software. 2 What is software ► Software is the term that we use for all the programs and data on a computer system. ► Two types of software ► Program.

Research & Economic Development Office of Grants and Contracts Administration Data Security Presented by Debbie Bolick September 24, 2015.

Understanding Backup and Recovery Methods Lesson 8.

ISO/IEC 27001:2013 Annex A.8 Asset management

Managing a “Data Spill”

Information Management and the Departing Employee.

Sniper Corporation. Sniper Corporation is an IT security solution company that has introduced security products for the comprehensive protection related.

1 HIPAA Information Security Awareness Training “Good Computing Practices” for Confidential Electronic Information For All NXC Employees October 2011.

PRESENTED BY Raju. What is information security?  Information security is the process of protecting information. It protects its availability, privacy.

Handling Personal Data & Security of Information Paula Trim, Information Officer, Children’s Strategic Services, Mon – Thurs 9:15-2:15.

Alicia A. Coon COSC 480 October 27, 2006

Records Retention NYS Magistrates’ Association

Domain 2 – Asset Security

Archive / Destruction / Disposal

Records Management Basics

Jeopardy Data Hardware & Software Files and Folders Networking Q $100

Using Dban to securely overwrite data

Presentation transcript:

Environmental Symposium Data Security And Destruction Issues A.K.A. - Disk Sanitization Mike Caltabiano Environmental Protection Agency, Office of Environmental Information, Office of Technology Operations and Planning, Desktop and Collaborations Solutions Branch

2 Sanitization of Computers A large volume of electronic information is stored on computer hard disk and electronic media throughout the Environmental Protection Agency (EPA). Much of this information is sensitive to disclosure due to its confidentiality. Most of the software at EPA is licensed under special agreements which prohibit the transfer of this software outside of the Agency. All information and licensed software must be properly removed when disposing of computer systems with a hard drive. This is also applicable to all other electronic storage media including, Personal Digital Assistance (PDAs), Blackberries, removable media such as CDs, DVDs, Universal Serial Bus (USB drives), Zip drive media, Jaz drives, backup disks, diskettes and tapes.

3 Purpose for Sanitization? Unauthorized disclosure of certain information may subject the Agency to legal liability, negative publicity, monetary penalties, and the possible loss of funding. This procedure is designed to ensure that IT resources do not contain information of a confidential nature before being transferred outside of any US Environmental Protection Agency facility or region, for surplus or destruction. IT resources and electronic storage media will be cleaned of all information.

4 Background for Sanitization. Studies of disk sanitization indicate that simply deleting files from the media or formatting a hard drive is not sufficient to completely erase data so that it cannot be recovered. When you delete files in Windows by moving them into the Recycle Bin all data remains on the hard disk. Read more about disk sanitization practices in an article written by Simson L. Garfinkel and Abhi Shelat from the Massachusetts Institute of Technology.

5 Procedures Overwriting hard drives and electronic storage media utilizing Department of Defense (DOD) accepted software. Overwriting of data means replacing previously stored data on a drive or disk with a predetermined pattern of meaningless information, effectively rendering the data unrecoverable. After overwriting, the hard drive is still physically functional and can accept formatting. There are several algorithms of overwriting: Single Pass – data area is overwritten once with “1” or “0”. DoD Method – the data area is overwritten with 0’s, then 1’s and then once with pseudo random data. NSA erasure algorithm – data is overwritten seven times with “0” pattern then with “1” and so on. It is the best method for quick and secure deletion. Guttman Method – the data area is overwritten 35 times. This method overwrites the drive taking into account the different encoding algorithms used by various hard drive manufacturers.

6 Procedures continued Physically destroying (See Definitions) the storage media, rendering it unusable. Hard drives should be destroyed when protection can’t be reliably ensured; the technology is old or can not be handled by the available tools. Physical destruction must be accomplished to an extent that precludes any possible further use of the hard drive or storage media. We recommend physical destruction be performed by a “Hard Drive Destruction Service”. Performed by a shredding service.

7 Procedures continued Degaussing (See Definitions) a hard drive or storage media to randomize the magnetic domains – most likely rendering the drive or media unusable in the process. If they are defective or cannot be economically repaired or sanitized for reuse by the available tools, then the media will be degaussed and discarded possibly thru EPA’s Recycling Electronics and Asset Disposition (READ) services. For destruction of a CD/DVD, the most economical form of destruction is a CD/DVD shredder. Zip drive media, flash/USB drives should be physically destroyed if these devices cannot be sanitized via the DOD accepted overwriting software. If necessary, destruction of electronic storage media can include CELL Phones, PDA’s and Blackberries. Depending of the level of information that was stored on the device. Note: Drives with Classified or higher security data should be destroyed.

8 Recycling Electronics and Asset Disposition Services What EPA is doing; Recycling Electronics and Asset Disposition (READ) servicesRecycling Electronics and Asset Disposition (READ) services, EPA has awarded seven Government Wide Acquisition Contracts (GWACs) to small businesses (three nationwide, three in the eastern U.S. and two in western U.S.). The contractors are Molam International, Marietta, Ga.; Supply Chain Services, Lombard, ILL.; Asset Recovery Corporation, St. Paul, Minn.; Hesstech LLC, Edison, N.J.; Liquidity Services Inc., Washington, D.C.; Global Investment Recovery, Tampa, Fla.; and Hobi International, Batavia, ILL.

9 Recycling Electronics and Asset Disposition Services Under the READ contracts, companies will evaluate each item and its components,and then, in decreasing preference: refurbish and resell them, using the proceeds to offset costs; donate them to charitable causes; recycle as much as possible; and properly dispose of the remainder Contractors must maintain an audit trail to the equipment's final destination to document reclamation and recycling efforts. The contracts will also maximize revenues from usable electronic equipment currently in storage through a share-in-savings (SiS) program. Under SiS, the contractor will attempt to identify opportunities to save costs associated with recycling efforts and share those savings with federal agencies to offset recycling costs. The government-wide recycling contract will help federal agencies meet requirements of Executive Order 13101, "Greening the Government through Waste Prevention, Recycling, and Acquisition."

10 Overwriting for Sanitization EPA recommends but does not endorse the following products: Wipe Tools: WipeDrive –Windows Platform – DOD approved. Erases files, folders, cookies, or an entire drive. CyberScrub –Windows Platform – DOD approved. Erases files, folders, cookies, or an entire drive. Implements Gutmann patterns. DataScrubber –Windows, Unix Platforms – DOD Approved. Handles SCSI remapping and swap area. Eraserwww.heidi.ie/eraser –Windows Platform – Freeware- erases entire drive Unknown if DOD approved. A more comprehensive list of sanitation tools is available at

11 Sanitization Equipment EPA recommends but does not endorse the following products: Degaussing Tools: HD-1 All Media Degausser The HD-1 erases virtually all formats of tape, diskettes and hard-disks up to 160 GB. Please note; hard drives are not reusable once degaussed. Model 8000 Hard Drive/Media Degausser The Model 8000 Table Top unit is a low noise, compact unit with “industrial strength” flux fields and features a foot-control for hands-free operation. Tools used for CD/DVD shredding: PRIMERA Disc Shredder – DS360 Aleratec DVD/CD Shredder Plus XC Kobra 240 SS4 HSM Model Shredder Intimus 502CD CD Shredder Olympia 1500 CD Shredder

12 Degauser for Sanitization

13 Degaussing A rented Degausser with hard drive

14 Definitions Sanitization, sanitized – is the end result after all data is obliterated. Including all associated file system structures, operating system formatting and information from fixed disk or electronic storage media. Physical destruction – destroying the item by physical force. For example, removing the hard drive from a computer and strike it with a large device to break it and the platters to small pieces. The best process is Disk Drive Shredding. Degaussing is a process whereby the magnetic media are erased, (i.e., returned to a zero state). Degaussing (demagnetizing) reduces the magnetic flux to virtual zero by applying a reverse magnetizing field. Properly applied, degaussing renders any previously stored data on magnetic media unreadable by keyboard or laboratory attack. A degausser is an electro-magnetic device used for this purpose. Sensitive data – includes; Confidential Business Information (CBI), research information, procurement information, contract information, contract awards, incentive awards, personnel data, OIG related information, human resource information (SSN, etc), privacy act information and any other information that should not be released to the public.

15 Waivers for Sanitization Waivers will not be considered!

16 Sanitization of Computers and Electronic Storage Media Practices at EPA Sanitization Policy in development Recommend the DOD approved overwrite method for all non- classified PC hard drives OEI/Office of the CIO uses Wipe Drive prior to reuse of recycling the PC. NOTE: Anything categorized as National Security Information Systems is not covered by this procedure.