secure disposal

As with the secure retention of information, there is no bright line that separates "secure" from "insecure" forms of disposal. For each storage medium there are more and less secure methods.

What is appropriate in a particular situation depends on the sensitivity of the information at issue, and the perceived threats to it. The more secure methods generally cost more to implement, both in time and explicit expense, so there is a trade-off. (A table of the methods, by type of storage medium, is provided here.)

In the end, only total physical destruction affords total security. For its most secret information, the US government requires that one "[d]isintegrate, incinerate, pulverize, shred, or smelt." (US DoD standard 5220.22-M) That is not always a practical option, especially if one aims to recycle or resell.

Consider the old world first: paper remains a storage medium in legacy records systems. And ever-cheaper computer printers and photocopiers make "getting it on paper" common even in facilities with fully-electronic records systems.

Paper containing sensitive information should be shredded. Strip cut shredders (also called straight cut or spaghetti cut) render paper into thin, long strips. Cross-cut shredders (also called confetti cut) provide both length-wise and width-wise dismemberment -- generating from a few to many hundreds of pieces per shredded page. (Cross-cut units make re-assembly much more difficult, but are, unfortunately, slower than strip-cutters, more expensive, and require more maintenance.)

For additional security, paper records can be pulverized (rendered into a powder by grinding), macerated (rendered into pulp by chemicals) or incinerated (burned).

It is a policy decision as to which method is sufficient, as well as whether the destruction should be done in "distributed" fashion (e.g., by small shredders located near each person's desk), or at a central location. Obviously, paper awaiting removal to such a central location can be vulnerable until it makes that trip.

Now, the new world. Electronic storage for computer devices is provided by an ever-broadening range of media; the appropriate "cleansing" method depends on the type. The main division is between "magnetic media" and "optical media."

Removable magnetic "disks" (floppies, ZIP disks, and the like) and magnetic tapes (reels, cartridges) can be "degaussed" by an appropriately-sized and -powered degausser. (Such machines derive their name from Carl Friedrich Gauss, the German mathematician, astronomer and scientist who made major contributions to the fields of electromagnetism and geomagnetism among many others.)

Such units come in a range of degaussing power and throughput capacities (how long it takes for each operation). "High coercivity" magnetic media require more powerful degaussers to achieve cleansing effects. (Coercivity is measured in "oersteds," after the Danish physicist who discovered that a current through a wire could deflect a magnetized needle. The phenomenon inspired the development of electromagnetic theory.)

As with disposal of paper information, there are trade-offs rather than absolute standards for "erasing" magnetic media. The more powerful and lengthy the degaussing process applied to any given type of storage media, the less likely is subsequent recovery by others.

"Fixed" internal magnetic storage (such as computer hard drives), as well as removables, can be cleansed instead by a re-writing process. Software is used to over-write all the usable storage locations of a medium. The simplest method is a single over-write; additional security is provided by multiple over-writes with variations of all 0s, all 1s, complements (opposite of recorded character), and/or random characters.

Most "secure file deletion" software offers a choice of more and less secure over-writing. More secure methods take more time, given the multiple over-write operations, so again there is a trade-off. (Note also that the quality of the over-write algorithms offered by alternative products varies. Even an organization that allows "distributed" processing of magnetic media in this fashion may wish to endorse only a limited set of products.)
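The multi-pass over-write described above, sketched in Python as an added example (it is not code from the original page or from any product the page alludes to). The names `overwrite_file` and `PASSES` are hypothetical, and the sketch assumes a medium and filesystem that rewrite blocks in place, which does not hold for wear-levelled flash or copy-on-write filesystems.

```python
import hashlib
import os

CHUNK = 64 * 1024
INVERT = bytes(i ^ 0xFF for i in range(256))  # translation table for complement

# Pass schemes named in the text; each maps the old chunk to its replacement.
PASSES = [
    ("complement", lambda old: old.translate(INVERT)),
    ("zeros", lambda old: bytes(len(old))),
    ("ones", lambda old: b"\xff" * len(old)),
    ("random", lambda old: os.urandom(len(old))),
]

def _one_pass(f, size, transform):
    """Rewrite every byte of the file once; return SHA-256 of what was written."""
    digest = hashlib.sha256()
    for pos in range(0, size, CHUNK):
        f.seek(pos)
        new = transform(f.read(min(CHUNK, size - pos)))
        f.seek(pos)
        f.write(new)
        digest.update(new)
    f.flush()
    os.fsync(f.fileno())  # ask the OS to flush this pass before the next begins
    return digest.hexdigest()

def _read_back(f):
    """SHA-256 of the file as it now reads (via the OS cache, not the raw medium)."""
    digest = hashlib.sha256()
    f.seek(0)
    while chunk := f.read(CHUNK):
        digest.update(chunk)
    return digest.hexdigest()

def overwrite_file(path, passes=PASSES):
    """Apply each pass in place, verify it by read-back, return the pass names run."""
    size = os.path.getsize(path)
    done = []
    with open(path, "r+b") as f:
        for name, transform in passes:
            if _one_pass(f, size, transform) != _read_back(f):
                raise OSError(f"pass {name!r} failed read-back verification")
            done.append(name)
    return done
```

The read-back check catches short or failed writes only; it says nothing about residual magnetic traces on the medium, which is the trade-off the surrounding text describes.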

An increasingly diverse range of removable "solid state" storage devices is also now available. These "flash memory" devices are solid state in that they have no moving parts (unlike a floppy disk's rotating surface), are reasonably fast (in the same speed ballpark as a hard disk) and are non-volatile (the memory maintains data even after all power sources have been disconnected).

Examples today include CompactFlash, Memory Stick, Secure Digital, SmartMedia and other types of plug-ins, and a range of "mini-" and "micro-drive" devices that use USB or FireWire ports. Secure over-writes (following manufacturer specifications) are possible for these media as well.

Neither degaussing nor over-writing offers absolute guarantees. Some theorize that with appropriate time and hardware (e.g., an electron microscope), anything can be recovered. Unless, of course, one is willing to "[d]isintegrate, incinerate, pulverize, shred, or smelt." As with paper, the method of disposal depends on the perceived risks of discovery, and estimates of the types of threat (e.g., 8th-graders with too much free time, or operatives of a foreign government).

A few kinds of "write-many" optical media (such as CD-RWs and DVD-RWs) can be processed via an over-write method. This is not the case for the vast majority of "write-once" optical media in use (notably the ubiquitous CD-R). Because such media are optical rather than magnetic, neither can they be degaussed. For the write-once variety, only physical destruction will do. (Higher-capacity paper shredders are rated for CD/DVD destruction for exactly this reason.)

Unfortunately, given the range of media and the range of cleaning methods, choices about appropriateness probably cannot be left to the common-sense determinations of each person. Organizations should have specific policies -- one important component of which will be the degree to which "do it yourself" methods are permitted, rather than central administration of cleansing functions.


   © 2002-2006 Contributing authors and University of Miami School of Medicine