How to destroy data when no longer needed 2307

  • Hi,
    I’m working with several SoX compliant companies and have been asked a question, the answer to which is not immediately clear.
    Once data which should be kept private is no longer needed, how is one to go about destroying the data?
    The only (electronic) data destruction guidelines I’ve been able to find are in NIST 800-88, but I would think that Sox, HIPPA, GLBA and other regulations would have guidelines.
    Any pointers or opinions will be greatly appreciated.
    Thanks in advance,

  • Burn it… Literally
    If there is any regulator requirement w.r.t destruction of records/ media, it takes precedence, else, a well documented data/ media destruction policy can be adopted, where, periodic review of expired data/media can be carried out, if data ownership concept is practiced, approval of the data owner can be obtained and the data be deleted/ media destroyed by the data custodian.
    If u intend to reuse media, it needs to be formatted( they say a couple of times helps, dunno how).
    Hope this helps

  • Hi,
    The National Institute of Standards and Technology established Guidelines for Media Sanitization and the document can be found online by performing a search on ‘NIST Special Publication 800-88.’ or at:
    csrc dot nist dot gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
    The guidelines in the document identified above can be used to assist organizations in implementing a media sanitization program with proper and applicable techniques and controls for sanitization and disposal decisions, considering the security categorization of the associated system’s confidentiality.
    The objective of the publication is also to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization.
    The document asserts that organizations should develop and use local policies and procedures in conjunction with the guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information.
    Hope this helps,

  • Hi and welcome to the forums 🙂
    This is a good question and some good advice has been shared as noted above. SOX doesn’t provide specific guidelines, as the standards are written generically to cover a wide range of diverse companies and their technical architectures.
    From an IT perspective, the techniques used will vary based on the media the information resides on, and the general physical/network security controls employed. The following are examples:

    • In a mainframe or server environment, security controls might be adequate so that sensitive files (on non-removable media devices) that are no longer needed can be safely deleted, e.g., without having to reformat the entire drive or ‘start a fire’ - as NC notes 😉
    • For removable media or devices like laptops, NC offers an excellent point of being able to ‘undelete’ files - even after formatting. You can purchase software that will physically rewrite tracks to binary zeroes and that’s actually the best advice is there’s any chance of either media or a device being reused for a less sensitive purpose.
    • Some of the products below might help for reformatting PCs with sensitve files that you want to safely discard or reuse:
      Please copy this link to browser
      hard drives

Log in to reply