CISSP certification: Data disposal.

Data Destruction:

When we no longer need a piece of media, we must dispose of it in a manner that ensures the data can’t be retrieved. This applies to both electronic media and paper copies of data.

  • Paper disposal.
    • It is highly encouraged to dispose of ANY paper with any data on it in a secure manner.
    • Paper disposal also has standards, and cross-cut shredding is recommended.
    • It is easy to scan normal shreds and have a program re-assemble the documents.
  • Digital disposal – The digital disposal procedures are determined by the type of media.
    • Deleting, Formatting and Overwriting (Soft destruction):
      • Deleting a file just removes it from the table; everything is still recoverable.
      • Formatting does the same but it also puts a new file structure over the old one. Still recoverable in most cases.
      • Overwriting is done by writing 0s or random characters over the data.
        • As far as we know, there is no tool available that can recover data after even a single-pass overwrite (overwriting is not possible on damaged media).
    • Degaussing destroys magnetic media by exposing it to a very strong magnetic field.
      • This will also most likely destroy the media integrity.
    • Full physical destruction is safer than soft destruction:
      • Disk Crushers do exactly what their name implies: they crush disks (often used on spinning disks).
      • Shredders do the same thing paper shredders do; they just work on metal.
        • Few normal organizations have these, but you can buy the service.
      • Incineration, pulverizing, melting and acid are also (very rarely) used to ensure full data destruction.
  • It is common to do multiple types of data destruction on sensitive data (both degaussing and disk crushing/shredding).
  • While it may not be necessary, it is a lot cheaper than a potential $1,000,000 fine or loss of proprietary technology or state secrets.
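
To make the difference between deleting and overwriting concrete, here is an added example (not part of the original post) that builds a small constructed disk image with a toy file table, deletes a file, and then scans the raw image before and after a single-pass overwrite. The sector size, file names, and sample data are assumptions made for the illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed sector size for the constructed image

def make_image(path, files):
    """Build a constructed 'disk': raw data plus a table of name -> (offset, length)."""
    table, offset = {}, 0
    with open(path, "wb") as img:
        for name, data in files.items():
            padded = data.ljust(-(-len(data) // SECTOR) * SECTOR, b"\x00")
            img.write(padded)
            table[name] = (offset, len(data))
            offset += len(padded)
    return table

def delete(table, name):
    """'Deleting' only drops the table entry; the bytes stay on the media."""
    return table.pop(name)

def overwrite(path, offset, length, random_fill=False):
    """Single-pass overwrite of a region with zeros or random bytes, forced to disk."""
    fill = os.urandom(length) if random_fill else b"\x00" * length
    with open(path, "r+b") as img:
        img.seek(offset)
        img.write(fill)
        img.flush()
        os.fsync(img.fileno())

def raw_scan(path, needle):
    """Ignore the table and search the raw media, as a recovery tool would."""
    with open(path, "rb") as img:
        return needle in img.read()

def demo():
    secret = b"ACME-PAYROLL-2024 (constructed sample data)"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        table = make_image(path, {"notes.txt": b"public notes", "payroll.csv": secret})
        offset, length = delete(table, "payroll.csv")
        after_delete = raw_scan(path, secret)      # True: still recoverable
        overwrite(path, offset, length)
        after_overwrite = raw_scan(path, secret)   # False: data is gone
        return "payroll.csv" in table, after_delete, after_overwrite

if __name__ == "__main__":
    print(demo())
```
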

Thor Pedersen

IT, information security, and project management trainer. Best-selling CISSP, CISM, and PMP instructor on Udemy. CISSP, CISM, C|EH, CDPSE, PMP, 2x CCNP, CompTIA Security+, SCP, 3x CCNA, et al.

This Post Has 3 Comments

  1. Thor Pedersen

    Depends on how it is done. We want to sanitize media; formatting or deleting files does nothing really, it just removes the paths, the data is still there.
    Wiping is normally overwriting all bits, which is unrecoverable (as far as we know).

  2. Tomiko Evans

    Is clearing data off a media the same as wiping?
