Three Methods to Securely Sanitize & Dispose of IT Equipment

The surge in telecommuting and the heightened threat from cybercriminals in the wake of the global pandemic have put data privacy and security concerns at the forefront for businesses. To help mitigate potential risks, many organizations are identifying vulnerable access points that could lead to a data breach.

One access point often overlooked is sensitive information on decommissioned endpoint devices such as laptops, desktops, mobile phones, tablets and servers. This may include:

  • Personally identifiable information (PII): Data that could be used to identify, contact or locate an individual or distinguish one person from another
  • Personal health information (PHI): Medical history, insurance information and other private data collected by healthcare providers that could be linked to a certain person
  • Personally identifiable financial information (PIFI): Credit card numbers, bank account details or other data concerning a person’s finances

Sanitization and Disposition Options

When technology equipment is no longer in use, implementing stringent media sanitization and disposal protocols is a vital step to minimize the chance of data theft. To help ensure compliance with industry regulations and make certain sensitive information doesn’t wind up in the wrong hands, organizations should follow the three sanitization methods recommended by the National Institute of Standards and Technology (NIST) Media Sanitization Guidelines.

1. Clear

Clearing data is the most common sanitization method and involves the use of software or hardware products to overwrite user-addressable storage space on media using the standard read/write commands on a device.

For hard disk drives (HDD), the security goal is to render the data irretrievable with at least a single write pass by replacing the target data with non-sensitive data such as a series of zeros. For solid-state drives (SSD), or if a company requires higher security measures be taken, multiple write passes or more complex values may be used to ensure data is completely erased.

For mobile devices or other office equipment in which rewriting is not supported, following the manufacturer’s procedures to reset the storage device to its factory state may be the only option to clear the device and associated media.

  • Pro: An easy and cost-effective option that can be performed on-site by trained IT staff to overwrite data on the storage medium.
  • Con: Overwrite may not provide complete sanitization for all media types and sizes and cannot be used for media that is damaged or not rewriteable.
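An added example, not from the original article: a single-pass zero overwrite followed by a full read-back verification, as in the Clear method above, run against a constructed image file that stands in for a device. The function names and sample data are assumptions, and overwriting a file on a live filesystem does not by itself sanitize the underlying media.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # bytes per write/read (assumed value)


def clear_overwrite(path, fill=0, chunk=CHUNK):
    """One write pass: replace every addressable byte of `path` with `fill`."""
    block = bytes([fill]) * chunk
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)  # works for image files and block devices
        dev.seek(0)
        written = 0
        while written < size:
            n = min(chunk, size - written)
            dev.write(block[:n])
            written += n
        dev.flush()
        os.fsync(dev.fileno())  # force the pass out of the OS cache
    return written


def verify_clear(path, fill=0, chunk=CHUNK):
    """Read everything back; return the first offset != fill, or None if clean."""
    expected = bytes([fill]) * chunk
    with open(path, "rb") as dev:
        offset = 0
        while data := dev.read(chunk):
            if data != expected[:len(data)]:
                return offset + next(i for i, b in enumerate(data) if b != fill)
            offset += len(data)
    return None


def demo():
    # Constructed sample data: 100,000 copies of a 38-byte fake record.
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"constructed record: account=0000-TEST\n" * 100_000)
        path = img.name
    try:
        before = verify_clear(path)       # data present at offset 0
        written = clear_overwrite(path)
        after = verify_clear(path)        # None: the pass verified
        with open(path, "r+b") as dev:    # simulate a region the pass missed
            dev.seek(2_500_000)
            dev.write(b"leftover")
        missed = verify_clear(path)       # verification now fails at this offset
        return before, written, after, missed
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

A verification result other than `None` is the case in which the article says to escalate to another method.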

2. Purge

Purging data is accomplished by using a variety of logical and physical techniques to render target data infeasible to recover, even in a laboratory environment.

The way media is purged varies by media type and may include overwrite, block erase, and Cryptographic Erase. These techniques bypass the abstraction inherent in typical read and write commands to sanitize the device and require the removal of hidden areas of drives such as Host Protected Areas (HPA) or Device Configuration Overlays (DCO), if they’re present.

  • Pro: A highly effective option for confidential data since it provides a more thorough level of sanitization than Clear.
  • Con: This method may render some types of devices inoperable, which eliminates any potential end-of-life value.

3. Destroy

The destroy method is the complete physical destruction of media. Not only will the information be unrecoverable using laboratory techniques, but it also hinders the reuse of the media itself.

The application of destructive techniques and procedures varies based on the media type and may be the only option when Clear and Purge methods cannot be effectively applied to the media, or when the verification of Clear or Purge methods fails. These techniques are highly specialized and are best carried out at a licensed facility with the capabilities to securely and safely disintegrate, pulverize, melt, and incinerate media.

One exception is flexible media (e.g. diskettes) which can be destroyed using a paper shredder once it is physically removed from its outer containers. It’s important to note that the shred size of the refuse should be in proportion to the confidentiality of the data and provide reasonable assurance that the data cannot be reconstructed. As an added measure, the shredded material can be mixed with non-sensitive material (e.g. shredded paper) to make data recovery even more difficult.

  • Pro: There is no way to recover data or the media itself since it goes through the physical process of shredding, disintegration, pulverization, melting or incineration.
  • Con: Media destruction and disposal require state-of-the-art machinery and an experienced, certified IT asset disposal (ITAD) provider to successfully perform these services.

How We Can Help

Data plays a vital role in every business, but without an effective plan for retired IT equipment your organization could be at risk of losing sensitive information.

At Huntington Technology Finance, we work with you to develop a technology refresh strategy that includes asset chain of custody and accountability through certified ITAD providers, so you can be certain media is sanitized and disposed of in accordance with NIST guidelines.



SOURCES:

† “Data Privacy: Why is Everyone So Concerned?,” Netwrix, August 2019.

‡ “NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” National Institute of Standards and Technology, December 2014.

¶ “What is NIST 800-88 and What Does “Media Sanitization” Really Mean?,” Blancco, May 2019.
