Question: Wiping Standards #214
Hi, I wondered if anyone could clarify if this would be a feasible solution for a corporate environment (small amount of wipes)? Does it meet any NIST/CESG standards? I am struggling to find if the standards relate to the wiping method or the brand (e.g. Blancco). Thanks,
Replies: 4 comments
As I understand NIST, it's really about the organisation's own policies on data destruction. There is no particular wipe method or program specified, as it's up to you to decide what's most appropriate. Taking an extreme, for military I believe it does mention the program providing a certificate along with name of operator etc. It's been a while since I read the NIST documents though. What do others think? If you have read the entire NIST documentation, could ShredOS call itself NIST compliant? Can any wipe program call itself NIST compliant?
The NIST 800-88Rev1 PDF lays out how to wipe. The minimum recommended is overwrite with zeros, which should cover most cases. ShredOS and all other wipers out there can do this. Most (95%) of wiping tools can also perform DoD wipes (overwrite with 0, then 1, then random). Every country has its own standard, which are variations of the 0,1,random wipe scheme. Some standards add an additional verification at the end, which is the default for ShredOS.
Also note that depending on what kind of drive you have (spindle HDD or SATA SSD or newer NVMe storage), the wiping methods can change and require you to use the drive's built-in SecureErase. Since most SecureErase implementations in the drive's firmware are proprietary, closed-source, buggy (as per research papers on this topic), and at the end of the day a trade secret, which means that no one besides the developers behind closed doors will ever be able to inspect them, it's just not verifiable what they actually do. Hence our recommendation to run an additional overwrite with zeros after using the SecureErase feature.
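An added example, not part of the thread and not ShredOS code: an independent read-back check that a target holds only zeros after the final zero pass, the kind of verification step the replies above mention. The function name `verify_zero_fill` and the chunk size are assumptions made for this sketch; it assumes Linux and read access to the image file or block device.

```python
import os
import sys

CHUNK = 1024 * 1024  # read size in bytes; an arbitrary choice for this example


def verify_zero_fill(path, chunk_size=CHUNK):
    """Read back every byte of `path` (image file or block device).

    Returns a dict with the target size, the bytes actually read, and the
    offset of the first non-zero byte (None when every byte read was zero).
    """
    zeros = bytes(chunk_size)
    checked = 0
    first_bad = None
    with open(path, "rb", buffering=0) as dev:
        # Seeking to the end gives the size of block devices too, where
        # os.path.getsize() reports 0.
        size = dev.seek(0, os.SEEK_END)
        dev.seek(0)
        while first_bad is None:
            data = dev.read(chunk_size)
            if not data:
                break
            if data != zeros[:len(data)]:
                # Pinpoint the exact byte so the failing sector can be logged.
                first_bad = checked + len(data) - len(data.lstrip(b"\x00"))
            checked += len(data)
    # A pass only counts if the whole target was read and nothing was non-zero.
    clean = first_bad is None and checked == size
    return {"size": size, "checked": checked,
            "first_nonzero": first_bad, "clean": clean}


if __name__ == "__main__":
    # Usage: python3 verify_zero.py <image-or-device-path>
    result = verify_zero_fill(sys.argv[1])
    print(result)
    sys.exit(0 if result["clean"] else 1)
```

A read-back through the operating system only covers the sectors the drive exposes, so it confirms the overwrite of addressable space and nothing about areas the firmware keeps to itself.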
Thank you both for your replies. There is so much documentation from different agencies that it is hard to work out what we would need to use. For instance, Blancco would recommend using CESG CPA – Higher Level in the UK; however, some competitors say to use HMG Infosec Standard 5, Higher Standard (I presume this is HMG IS5 enhanced on ShredOS?). I guess the main thing is that as long as the wipe method meets the requirements, the product you use doesn't matter. I appreciate both your speedy replies. Thank you for all your hard work!
The NIST 800-88Rev1 PDF lays out how to wipe. The minimum recommended is overwrite with zeros, which should cover most cases. ShredOS and all other wipers out there can do this. Most (95%) of wiping tools can also perform DoD wipes (overwrite with 0, then 1, then random). Every country has its own standard, which are variations of the 0,1,random wipe scheme. Some standards add an additional verification at the end, which is the default for ShredOS.
Well.. unless your org has requirements (written policy) and fears (risk analysis!) that nation-state agencies or your biggest competitor with loads of money and specialized equipment will try to get hold of your drive(s) and perform some kind of…