R2 Guidance & Knowledge Base

Verifying the Effectiveness of the Data Sanitization Process


Appendix B – Data Sanitization requires a quality control process to sample a small percentage of the devices logically sanitized, or “wiped,” to verify that data is not recoverable.  This is an important element of the sanitization process to ensure that it is effective, and no residual data remains on the device after processing.

Specifically, requirement (13) of Appendix B states:

“A minimum of 5% of logically sanitized data storage media shall be routinely sampled by competent and independent party to demonstrate data is not recoverable by commercial software…”

Experience has shown that various failures in the sanitization process, such as a misconfiguration of software settings, power outages or network disruptions during processing, and even human error, can result in an incomplete wipe, leaving data on the device.  The intent of the verification requirement is to use data recovery software, which is designed to scan the media and recover lost files, to assess sanitized devices and confirm there is no data that can be recovered.  Data recovery software is not the same as data wiping software.  The standard does not specify that separate software is required; however, in practice it may be needed in order to attempt the data recovery.  A quick search of the Internet for data recovery shows a number of products that could be used to fulfill this requirement.  Often, data recovery software is free to scan the device and only costs money when you want to actually recover the data.

For the sampling process to be effective, it must be performed by someone competent, which is often somebody with technical knowledge gained through education or experience.  The individual must also be independent of the sanitization process, meaning one worker performs the sanitization while another worker performs the sampling and verification.  Where a facility lacks a qualified, independent operator to perform the verification, it may need to contract with an external resource to provide this capability.  An effective sampling process must also evaluate each type of media, software and process used for sanitization, and it should include samples from each operator and station performing the logical sanitization.

The frequency of sampling should be consistent with standard sampling methodology.  It starts with 5% of the devices sanitized over a defined period of time.  For example, if 1000 devices are sanitized in 1 week, the minimum sample size would be 50 devices from that week.  If the data recovery software does not detect any data on any of the devices through this sampling, then there can be confidence that the sanitization process has been effective.  After continued sampling where no issues are found with the process, the sample size can be decreased to as low as 1% of the devices sanitized.  For example, if 1000 devices are sanitized in 1 week, the minimum sample size could be reduced to 10 devices from that week.

Where any remnants of data are identified on any of the devices sampled, the effectiveness of the entire sanitization process is put into question.  Previously processed devices would need to be further assessed to identify any that contain residual data and require further sanitization.  The facility would also need to initiate its nonconformity process and conduct a detailed root cause analysis to identify the failure that caused the data to not be effectively sanitized and to determine suitable corrective actions.

Following any issues with the sanitization process discovered through the sampling, the facility needs to reinstitute an increased sampling and verification process.  The increased sampling needs to be maintained until corrective actions have been implemented, continued sampling demonstrates the effectiveness of those actions in properly sanitizing all devices, and no further issues of residual data are identified.
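The sampling rules described above (5% baseline, stratified across media type, software, operator and station, reducible to 1% after sustained clean results, and escalated again when residual data is found) can be written down as a small plan-tracking helper.  The following is an added example, not part of the R2 Standard or any R2 tool: the 5% and 1% rates come from the article, while the number of clean periods required before relaxing the rate and the increased rate applied after a failure are assumptions a facility would set in its own Data Sanitization Plan.

```python
"""Sampling-plan helper for the Appendix B (13) verification step.

Added example to illustrate the sampling procedure described above; it is
not part of the R2 Standard or of any R2 tool.  The 5% baseline and the 1%
floor come from the article.  The number of consecutive clean periods before
the rate is reduced (CLEAN_PERIODS_TO_REDUCE) and the increased rate applied
after residual data is found (INCREASED_RATE) are assumptions chosen for
illustration; a facility would set these in its Data Sanitization Plan.
"""
from dataclasses import dataclass
from math import ceil
import random

BASELINE_RATE = 0.05            # Appendix B (13): minimum 5% sampled
REDUCED_RATE = 0.01             # article: may drop to as low as 1% after sustained clean results
INCREASED_RATE = 0.10           # assumption: rate reinstituted after residual data is found
CLEAN_PERIODS_TO_REDUCE = 4     # assumption: clean periods required before relaxing the rate


@dataclass(frozen=True)
class Device:
    serial: str
    media_type: str   # e.g. "HDD", "SSD"
    software: str     # wiping tool used
    operator: str     # technician who performed the wipe
    station: str      # workstation used


class SamplingPlan:
    """Tracks the current sampling rate and applies the escalation rules."""

    def __init__(self):
        self.rate = BASELINE_RATE
        self.clean_streak = 0
        self.under_corrective_action = False

    def sample_size(self, population):
        """Minimum number of devices to verify for one period (rounded up)."""
        return ceil(round(population * self.rate, 9)) if population else 0

    def select(self, devices, verifier, seed=None):
        """Pick the period's sample.

        Every stratum (media type, software, operator, station) gets at least
        one device, as the article requires, and the remainder is drawn at
        random.  The verifier must not have wiped any device in the batch."""
        if any(d.operator == verifier for d in devices):
            raise ValueError(f"verifier {verifier!r} is not independent of the sanitization process")
        rng = random.Random(seed)
        strata = {}
        for d in devices:
            strata.setdefault((d.media_type, d.software, d.operator, d.station), []).append(d)
        chosen = [rng.choice(group) for group in strata.values()]
        remaining = [d for d in devices if d not in chosen]
        rng.shuffle(remaining)
        shortfall = self.sample_size(len(devices)) - len(chosen)
        chosen.extend(remaining[:max(0, shortfall)])
        return chosen

    def record_result(self, residual_data_found, corrective_actions_implemented=False):
        """Update the rate after a period's verification results are in."""
        if residual_data_found:
            # Any remnant puts the whole process in question: escalate and start over.
            self.rate = INCREASED_RATE
            self.clean_streak = 0
            self.under_corrective_action = True
            return self.rate
        self.clean_streak += 1
        if self.under_corrective_action:
            # Stay at the increased rate until corrective actions are in place
            # and sustained sampling shows they work.
            if corrective_actions_implemented and self.clean_streak >= CLEAN_PERIODS_TO_REDUCE:
                self.under_corrective_action = False
                self.rate = BASELINE_RATE
                self.clean_streak = 0
        elif self.clean_streak >= CLEAN_PERIODS_TO_REDUCE:
            self.rate = REDUCED_RATE
        return self.rate


def build_constructed_batch(n=1000):
    """Constructed sample batch: two operators, two stations, two media types."""
    return [
        Device(
            serial=f"SN{i:05d}",
            media_type=("HDD", "SSD")[i % 2],
            software="wipetool-example",
            operator=("alice", "bob")[(i // 2) % 2],
            station=("S1", "S2")[(i // 4) % 2],
        )
        for i in range(n)
    ]


if __name__ == "__main__":
    plan = SamplingPlan()
    batch = build_constructed_batch(1000)
    sample = plan.select(batch, verifier="carol", seed=1)
    print(f"week 1: rate {plan.rate:.0%}, {len(sample)} devices to verify")
```

Because every stratum is always represented, a period with more operator/station/media combinations than the computed minimum will be sampled above the minimum rather than leave a combination unchecked; the independence check is deliberately a hard error rather than a warning, since a verifier who also wiped devices in the batch does not satisfy requirement (13).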


RELATED QUESTIONS & ANSWERS…

Q:   Appendix B – Data Sanitization refers to two types of sanitization, logical and physical.  What is the difference between the two?

Logical data sanitization is where a software program is used to overwrite data storage media in a systematic way so that the software can verify that any previous data on the device has been replaced and eliminated.  The logical sanitization process targets the elimination of the data itself but leaves the device intact and therefore it is able to be reused.  Logical sanitization is required for any media that is destined for reuse.

The primary difference with physical sanitization processes is that generally they target the media, by destroying it and making it physically inoperable and the data unrecoverable.  Due to the destructive nature of physical sanitization processes they can only be used for items destined for materials recovery.

Q:   Is a factory reset or manual clearing of data considered “logical sanitization”?

No.  While a factory reset or manual clearing can eliminate access to certain data through the device’s user interface, it does not guarantee that the data has actually been sanitized.  In some cases, these methods only eliminate directories or other pointers to the data, but not the data itself, including any backups or hidden files.  It is for this reason that specially designed sanitization software must be used to perform the logical sanitization and verify that the data has been eliminated.

Q:   If my facility certifies to Appendix B for data sanitization, are we required to conduct both logical and physical sanitization?

No.  Since each method of sanitization requires specialized skills and equipment to perform, not all facilities will be equipped to perform both logical and physical sanitization.

Note that where only logical sanitization is performed, the facility must have a downstream vendor qualified in accordance with the requirements of Appendix B to physically destroy any items where logical sanitization is not successful.

Q:   Is every device required to be both logically and physically sanitized?

No.  If media is destined for reuse, it must be logically sanitized in accordance with Appendix B, as well as tested and repaired in accordance with Appendix C prior to reuse.

However, if a device is destined for materials recovery, it only needs to be physically destroyed in accordance with either an Appendix B (7) method or one of the approved NIST methods, as per Core 7.(c)(2)(B).

One instance where a device would be subject to both methods is if the logical sanitization process is unsuccessful in eliminating all of the data; as per Appendix B (14), the device must then be destroyed in accordance with the physical sanitization requirements instead.

Q:   What are some of the key quality controls required for the data sanitization process?

There are several quality control requirements within the R2v3 Standard that apply at different points within the data sanitization process and are together used to verify the results of the data sanitization activities and validate the effectiveness of the process overall.

The demonstration of an effective data sanitization process begins with the generation of records from the sanitization activities as required under Core 7.(a)(1)(L).  These records provide evidence that the identified devices were effectively sanitized through the defined process.  However, these records are specific to the devices processed and are not an indication of how well the sanitization process is working overall.

As a result, the R2 Facility must define and document in its Data Sanitization Plan the verification and validation activities required to ensure that all devices requiring sanitization are properly managed throughout the entire process.  Core 7.(c)(3), Appendix B (1)(b), Appendix B (13) and Appendix B (15) provide additional levels of verification of the effectiveness of the data security controls and the sanitization process on an ongoing basis.

    • Core 7.(c)(3) requires an annual internal audit be conducted by a competent and independent auditor to validate the effectiveness of the data security controls and the entire data sanitization process, and to confirm conformance with all data requirements.  For instance, the process validation should look at all aspects of the sanitization process, such as whether all data devices were correctly identified; the data to be sanitized from each device was clearly identified; the correct sanitization software was used; the software was updated and properly configured; the sanitization technician was trained and competent in the process; pre-sanitized and sanitized devices were properly identified and managed; and the process resulted in the elimination of all data as intended.
    • Appendix B (1)(b) requires that documented quality controls be defined in the Data Sanitization Plan to assess and verify the effectiveness of the data sanitization process.
    • Appendix B (13) requires that a minimum of 5% of logically sanitized devices be sampled by a competent and independent party to demonstrate that data is not recoverable from the devices.
    • Appendix B (15) requires the implementation of the quality controls defined in the Data Sanitization Plan to confirm that all devices were processed as planned.

Together, this multifaceted approach will help an R2 Facility to ensure all data devices are properly identified, managed and effectively sanitized.

Q:   Does the internal data security and sanitization audit required in Core 7.(c)(3) need to be conducted by a third-party from outside of our organization?

The internal audit can be conducted by an internal employee (keeping in mind that an individual is not permitted to audit or validate their own work).  Only the Downstream Vendor Audit required in Appendix A (8)(d)(2)(A) needs to be conducted by a third-party.

Q:   For the routine sampling of logically sanitized devices under Appendix B (13), does a confirmation of the wipe from the sanitization software suffice, or is there an expectation to use a different software that attempts data recovery?

This sampling process is intended to be more than simply verifying the sanitization records and reports generated by the sanitization software.  While those activities are good quality controls, on their own, they are not sufficient to demonstrate that data is not recoverable.

It is also important to note that the sampling is not intended to be a repeat of the sanitization process, but rather a separate process to test and demonstrate with “commercial software” that “data is not recoverable.”  The standard does not specify that separate software is required; however, in practice it may be needed in order to attempt the data recovery.
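The two answers above (that a factory reset may only remove the pointers to data, and that a wipe confirmation from the sanitization software is not the same as attempting recovery) both come down to what a recovery tool actually looks at: the raw media rather than the filesystem.  The following added example is not code from any product or from the R2 Standard; it reads a disk image block by block, counts blocks that still hold non-zero data, and looks for well-known file headers that a carving tool would recover whether or not a directory entry still points at them.  The three images it scans (a completed zero-fill wipe, a "factory reset" that cleared only the directory, and a pattern overwrite) are constructed in memory.

```python
"""Residual-data scan of a sanitized disk image.

Added example, not code from any product or from the R2 Standard.  It shows
the kind of evidence the Appendix B (13) verification step is after and a
wipe report cannot supply: blocks that still hold non-zero data, and file
headers that a recovery tool would carve out even though a factory reset or
a deleted directory no longer points at them.  The images below are
constructed in memory; on a real device the verifier would read the raw
media (or an image of it), not the filesystem."""

BLOCK_SIZE = 512

# Magic numbers a file-carving recovery tool keys on (well-known values).
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP archive (DOCX/XLSX use this container)",
}


def scan_image(image):
    """Return (count of non-zero blocks, sorted list of (offset, description))."""
    nonzero_blocks = sum(
        1 for off in range(0, len(image), BLOCK_SIZE) if any(image[off:off + BLOCK_SIZE])
    )
    hits = []
    for magic, desc in SIGNATURES.items():
        idx = image.find(magic)
        while idx >= 0:
            hits.append((idx, desc))
            idx = image.find(magic, idx + 1)
    return nonzero_blocks, sorted(hits)


def verification_passes(image, zero_fill_expected=True):
    """True when the image shows no recoverable file remnants.

    With a zero-fill wipe, any non-zero block is itself a finding; with a
    pattern or random overwrite only the signature check applies."""
    nonzero_blocks, hits = scan_image(image)
    if hits:
        return False
    return nonzero_blocks == 0 if zero_fill_expected else True


# --- constructed sample images -------------------------------------------
IMAGE_BLOCKS = 64


def build_wiped_image():
    """Full zero-fill overwrite completed successfully."""
    return bytes(BLOCK_SIZE * IMAGE_BLOCKS)


def build_reset_only_image():
    """Simulated factory reset: block 0 (the directory) is cleared, but the
    file contents are still on the media at blocks 10 and 20."""
    img = bytearray(BLOCK_SIZE * IMAGE_BLOCKS)
    pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    img[10 * BLOCK_SIZE:10 * BLOCK_SIZE + len(pdf)] = pdf
    img[20 * BLOCK_SIZE:20 * BLOCK_SIZE + len(jpeg)] = jpeg
    return bytes(img)


def build_pattern_wiped_image():
    """Overwrite with a fixed 0x55AA pattern: non-zero, but nothing recoverable."""
    return (b"\x55\xaa" * (BLOCK_SIZE // 2)) * IMAGE_BLOCKS


if __name__ == "__main__":
    for name, img in [("zero-fill wipe", build_wiped_image()),
                      ("factory reset only", build_reset_only_image()),
                      ("pattern wipe", build_pattern_wiped_image())]:
        nz, hits = scan_image(img)
        print(f"{name}: {nz} non-zero blocks, hits={hits}")
```

The reset-only image is the case the sampling step exists to catch: the wiping log and the device's own user interface both look clean, yet the PDF and JPEG headers are still on the media at their original offsets.  Commercial recovery software applies far larger signature sets and reconstructs whole files, but the principle the verifier relies on is the same.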
