The Modern Data Destruction Standard – NIST 800-88


by Dag Adamson, President, LifeSpan Technology Recycling

In January 1995, as the result of an executive order, the U.S. Department of Defense issued the National Industrial Security Program Operating Manual (NISPOM), more commonly known as the “DoD 5220.22-M” standard. Developed collaboratively by government and industry, the manual set out new and improved operational guidelines and processes for securely safeguarding our nation’s government technology and information. It addresses the protection of atomic energy, nuclear weapons and other highly sensitive confidential information held by the Department of Defense, the Department of Energy and other government entities.

At first glance, the manual’s reliance on government processes to ensure information security may seem somewhat arcane. Yet a two-page chart near the back of the 135-page document has perhaps had the most significant impact on the data destruction industry. The chart lists a variety of storage media with two adjacent columns, one labeled “clear” and the other “sanitize”. It is a single line in that chart that states that hard drives can be “cleared” with a one-pass overwrite and “sanitized” with a three-pass overwrite.

Ironically, the document says very little about when a single pass is appropriate and when a triple pass is required. At the 2006 National Association for Information Destruction (NAID) annual conference in Scottsdale, Arizona, the author of this article asked Simson Garfinkel, PhD, one of the most highly regarded researchers in data destruction and forensic science (co-author of “Remembrance of Data Passed: A Study of Disk Sanitization Practices”, IEEE Security & Privacy, 2003, and presently a professor at Harvard), whether there was any scientific basis for the difference between a single pass and a triple pass. Garfinkel explained that he had located original members of the 5220.22-M standards team and asked them how the single-pass and triple-pass methodology had been arrived at. The response was, “it sounded like a good idea.” There is no documented scientific evidence that a three-pass overwrite leaves data any less recoverable than a single pass.

In 2006, DoD 5220.22-M was updated and revised, and the chart specifying 1-pass and 3-pass overwrites was removed. For more than five years, the number of hard drive overwrite passes has not appeared in DoD 5220.22-M at all.

In the fall of 2006, with sponsorship from the Department of Homeland Security, the National Institute of Standards and Technology introduced a new standard for a practical approach to information security and media sanitization: Special Publication 800-88, Guidelines for Media Sanitization. Its objective is to provide a framework and a decision-making process for handling media that will ultimately be reused or disposed of.

Key sections of the standard include:

  • Section 1 explains the authority, purpose and scope, audience, and assumptions of the document, and outlines its structure.
  • Section 2 presents an overview of the need for sanitization and the basic types of information, sanitization, and media.
  • Section 3 provides general information on roles and responsibilities that influence sanitization decisions.
  • Section 4 provides the user with a process flow to assist with sanitization decision making.
  • Section 5 provides a summary of several general sanitization techniques.
  • Appendix A contains a matrix of media with minimum recommended sanitization techniques for clearing, purging, or destroying various media. This appendix is to be used with the decision flow chart provided in Section 4.
  • Appendix B contains a glossary defining terms used in this guide.
  • Appendix C contains a listing of tools and external resources that can be referenced for assistance with media sanitization.
  • Appendix D contains information sanitization considerations for a home user or telecommuter who may not have access to organizational resources.
  • Appendix E contains a listing of sources and correspondence that was essential in developing this guide.
  • Appendix F contains a sample sanitization form for documenting sanitization activities in an organization.

Two key distinctions about NIST 800-88 are noteworthy:

  1. The standard offers a process and a way to think about which methodology (or methodologies) is appropriate for a given data destruction requirement
  2. Today’s media can be effectively cleared by a single overwrite; for ATA disk drives manufactured after 2001 (over 15 GB), NIST states that one overwrite pass is adequate

The ultimate conclusions from NIST 800-88 are:

  1. Process, rather than the number of overwrite passes, should be the main component of effective data destruction
  2. A single-pass overwrite is sufficient for clearing a hard drive, saving time and money while still providing secure data destruction; where the standard calls for purging, it points to techniques such as degaussing or the drive’s built-in ATA Secure Erase command rather than to additional overwrite passes
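What “clear by a single overwrite” looks like in practice is a procedure, not just a pass count: write once, read back, record the result. The script below is an added example, not code from the article or from NIST. It carries out that procedure on a target path, using a regular file as a stand-in for a block device such as /dev/sdX (on a real drive the same functions apply, run as root). It assumes ordinary coreutils (head, dd, cmp, wc, date) and, for block devices, the Linux blockdev command. One caveat a practitioner should keep in mind: a host-side overwrite only reaches sectors the drive still presents to the host; sectors the firmware has reallocated are not rewritten, which is part of why the standard’s purge level relies on ATA Secure Erase or degaussing rather than on extra passes.

```shell
#!/usr/bin/env bash
# Added example: NIST 800-88 "Clear" on a magnetic drive as one overwrite
# pass, a full read-back verification, and a sanitization record line.
# A regular file stands in for a block device; point target at /dev/sdX
# (as root) to run it against real media. Assumes coreutils and, for block
# devices, blockdev from util-linux.

# Size of the target in bytes: a block device via blockdev, a file via wc.
target_size() {
  if [ -b "$1" ]; then
    blockdev --getsize64 "$1"
  else
    wc -c < "$1" | tr -d ' '
  fi
}

# Clear: a single pass of zeros across the full length of the media.
# conv=notrunc keeps a regular file at its original size so the read-back
# below compares every byte that previously held data.
clear_single_pass() {
  local target="$1" size
  size=$(target_size "$target") || return 1
  head -c "$size" /dev/zero | dd of="$target" bs=4096 conv=notrunc 2>/dev/null
  sync
}

# Verify: full read-back, byte for byte, against the pattern that was
# written. NIST permits sampling, but a full read is cheap relative to the
# write and catches the one sector a sample would miss. Prints PASS or FAIL.
verify_cleared() {
  local target="$1" size
  size=$(target_size "$target") || return 1
  if head -c "$size" /dev/zero | cmp -s "$target" -; then
    echo PASS
  else
    echo FAIL
  fi
}

# Record: one tab-separated line per media item (timestamp, target, level,
# method, verification method, result), the data a sanitization form such
# as the sample in NIST 800-88 Appendix F asks for.
sanitization_record() {
  local target="$1" result="$2"
  printf '%s\t%s\tclear\tsingle-pass-zero\tfull-readback\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$target" "$result"
}

# Run the whole procedure on one target. Returns non-zero when verification
# fails, so a batch script stops instead of releasing an unverified drive.
clear_and_record() {
  local target="$1" result
  clear_single_pass "$target" || return 1
  result=$(verify_cleared "$target")
  sanitization_record "$target" "$result"
  [ "$result" = PASS ]
}
```

Usage for a whole batch is a loop over the drive list that appends each record line to the sanitization log and aborts on the first non-zero exit from clear_and_record; the log, not the number of passes, is what an auditor will ask for.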

Much of the data privacy and compliance industry remains focused on a 15-year-old overwrite table from DoD 5220.22-M that was dropped from the standard years ago. It is promising that a newer standard, NIST 800-88, is available and can provide guidelines for better decision making and policy development for effective data privacy and destruction.

Thailand Floods to Significantly Impact HDD Industry


This is a Press Release edited by StorageNewsletter.com on Tue, October 18th, 2011

 http://www.storagenewsletter.com/news/miscellaneous/thailand-floods-to-significant-impact-wd

For WD only: primary manufacturing site inundated, second site at risk

Western Digital Corp. has extended the suspension of its operations in Thailand.

Over the weekend, rising water penetrated the Bang Pa-in Industrial Park flood defenses, inundating the company’s manufacturing facilities there and submerging some equipment.

At the other company manufacturing location in Thailand, Navanakorn Industrial Park, the park flood defenses were breached on Monday morning local time and water has begun to flow into the park threatening the company’s facilities there.

All WD employees in Thailand remain safe.

The company’s other facilities in Malaysia, Singapore and the U.S. are fully operational.

The company now expects that the flooding of its Thailand facilities, combined with flood damage to the company’s supply chain in Thailand, will have significant impact on the company’s overall operations and its ability to meet customer demand for its products in the December quarter.

The company will provide further updates on the situation on its investment community conference call on Wednesday, October 19, 2011.

Our comments :

The HDD industry has never encountered a natural disaster of this scale in its history. The earthquakes in Japan had a minor effect compared to what is happening in Thailand.

[Photo: WD factory in Bang Pa-in Industrial Park in September 2008]

[Aerial photo: flooded factories at Bang Pa-in Industrial Estate in Ayutthaya (Source: Bangkok Post)]

All HDD manufacturers except Samsung, and many component makers, are affected, and it is also a drama for their hundreds of thousands of employees. 25% of all HDD assembly facilities are located in Thailand.

WD, with both plants about 27 miles north of Bangkok and 37,000 workers, is especially hard hit, but so are Seagate (significant supply chain disruption), Toshiba (HDD assembly), Hutchinson (suspensions for hard drives), and the chip manufacturers ON Semiconductor (power transistors for disk head positioners) and Microsemi (converters). We have no news yet of Asahi Glass and Hoya in disk media manufacturing, or of Minebea in HDD motors.

For the others:

Furukawa, in disk media, stated: “Four production facilities at the Rojana Industrial Park in Ayutthaya have sustained damage from inundation and have suspended operations.”

At TDK and Magnecomp, “the operation of both the Wangnoi Plant of TDK Thailand Co., Ltd. and the Wangnoi Plant of Magnecomp Precision Technology Public Co., Ltd. are suspended from October 13th for the sake of ensuring safety of the employees although both plants suffered no damage to their facilities or equipment,” and ”the Rojana Plant of TDK Thailand Co., Ltd. and the Rojana Plant of Magnecomp Precision Technology Public Co., Ltd. are still unknown, for access to both plants are still not possible. Due to the flood, both plants are inundated and operation is suspended since October 9th.”

Operation of TDK with 1,600 people in Rojana Industrial Park for HDD motors has been suspended since October 7.

For Nidec (HDD motors) in Rojana and Ayutthaya, factories have been partially or totally inundated and people evacuated and/or activity suspended.

Furthermore, transportation and utilities have also been affected in the country.

This disaster will inevitably boost disk drive prices and lead to shortages for PC companies in the coming months, as WD is the number one manufacturer in the world in units shipped and produces 60% of its units in Thailand, mainly for PCs. Competitors Seagate, Hitachi GST, Samsung and Toshiba could take advantage of the situation.

In a recent note, Fang Zhang, storage analyst at IHS, wrote: “Thailand, the world’s second largest exporter of HDD behind China, has experienced its worst floods in more than 50 years, potentially leading to a shortage of HDD supplies during the current quarter that may last into the first quarter of 2012. While it is too early to gauge the extent of the impact of the floods, HDD supplies are likely to be constrained throughout the fourth quarter. The current IHS HDD forecast, developed before the disaster, calls for production of 176.2 million hard drives during the fourth quarter, representing 25.9% of annual manufacturing in 2011. IHS likely will downgrade its fourth-quarter production forecast in light of the impact of the disaster.”

He also said that Toshiba was affected: “Western Digital Corp. and Toshiba Corp. have temporarily halted production of HDDs in Thailand, impacting a major portion of global hard drive manufacturing. The companies operate HDD assembly facilities in Pathum Thani province near Bangkok. Toshiba employs about 3,900 workers in Thailand, and approximately 50% of the company’s manufacturing capacity is in the country. In the second quarter, Toshiba was the No. 4-ranked HDD supplier, with 17.8 million units and a 10.6% share.”

The Bangkok Post also wrote that Gartner forecasts that supply disruptions caused by the Thai floods will trim HDD shipments worldwide by at least 10 million units from the previous fourth-quarter target of 180 million. The full-year estimate had been 683 million units.

Will it affect the acquisitions currently consolidating the industry (WD buying Hitachi GST and Seagate buying Samsung’s HDD business)? With only five HDD makers, manufacturing is concentrated in a few huge component and assembly plants, almost all of them in China, Malaysia, the Philippines, Singapore and Thailand. Consolidation to only three makers increases the risk should another disaster like the Thailand floods strike.

WD’s shares are falling and the company needs to be in good financial health to pay as much as $4.3 billion to get HGST.

Locations of HDD and Components
Manufacturing Facilities in Thailand

Hitachi GST

  • Prachinburi (HDD assembly)
  • Saha Union (HDD assembly)
  • Sarawak (disk media)

Seagate

  • Korat (HDD assembly and disk heads)
  • Korat (disk heads)

Toshiba

  • Navanakorn or Pathum Thani? (HDD assembly)

WD

  • Navanakorn (HDD assembly)
  • Bang-pa In (HDD assembly and disk heads)

Asahi Glass

  • Bangkok (disk media)

Furukawa

  • Rojana (disk media)

Hoya

  • Changmai (disk media)

TDK

  • Rojana (disk media)

Minebea

  • Rojana (motors)

Nidec

  • Rojana (motors)
  • Ayutthaya (motors)

Hutchinson

  • Ayutthaya (suspensions)

Magnecomp

  • Rojana (suspensions)

Min Aik

  • Ayutthaya (HDD components)

Cal-Comp Electronics

  • Bangkok (PCBA)

Target to Pay $22.5m for Improper Disposal of Hazardous Waste & Electronics


The Target Corporation has agreed to pay out $22.5 million in penalties, concluding a two-year suit brought against the company by several California law enforcement agencies over charges that the company improperly disposed of hazardous waste and electronics at over 240 stores in California since 2001.

According to E-Scrap News:

Since 2001, Target was served with more than 300 Notices of Violation for breaking California’s hazardous waste control laws, according to the state attorney general’s office. Then-California Attorney General Jerry Brown launched an investigation into the company in 2006 in concert with local district attorneys. The investigation conducted by the law enforcement agencies found that in an effort to cut costs, Target improperly dumped thousands of pounds of hazardous waste, leading to the lawsuit.

“Further investigation found that Target also disposed of its hazardous waste by dispensing it to local charities, who in turn simply discarded it. The lawsuit alleged that Target engaged in unlawful disposal practices to sidestep the cost of proper hazardous waste disposal,” reads a statement on the Ventura County District Attorney’s office, one of the agencies involved in the action against the retailer.

The complaint against Target cites, as an example of the retailer’s problems, an instance where employees at a store in Monterey County allegedly put e-waste in a compactor that was then taken by a garbage hauler not authorized to transport such materials to a destination not authorized to accept it.

The settlement money, which will be divided among local affected jurisdictions, also covers supplemental projects furthering consumer and environmental protection in the state. Additionally, Target must hire an outside firm to audit its waste-handling practices.

 

Data Breach Costs Continue to Rise


InformationWeek recently analyzed a Symantec Publication:

“The average cost of a data breach for a U.S. company continues to rise, having reached $7.2 million in 2010.

This represents an increase of 7% from 2009, when the average cost was found to be $6.8 million, according to Symantec which published “2010 Annual Study: U.S. Cost of a Data Breach,” and the Ponemon Institute, which conducted the research.

The cost of losing data has grown for U.S. companies every year since 2006.

Larry Ponemon, founder of the Ponemon Institute, says that there was one unusual finding: A rapid response to a breach, which generally involves notifying everyone potentially affected, turns out to be more costly than a slow response.

Increasingly sophisticated data security threats and compliance pressures are pushing organizations to respond as rapidly as possible to data breaches. This is reflected in the finding that malicious attacks have become the most costly cause of breaches. But responding quickly to a breach may not be called for in every instance.

Quick responders paid $268 per record, an increase of 22% from 2009, while organizations that took more time paid $174 per record, a decrease of 11% from 2009.

Symantec has created an online data breach calculator to help companies assess the potential cost and likelihood of a data breach. Not coincidentally, Symantec sells security solutions, particularly those focused on encryption.

Encryption has become more popular lately because data breach regulations often exempt companies from notification requirements if the lost data was encrypted.

This trend is partially reflected in the survey, which found: an increase in the number of organizations with an “above average IT security posture”; a decrease in breaches due to system failure, lost or stolen devices, and third-party mistakes; and more companies responding faster and putting CISOs in charge of response management.

Negligence remains the most common cause of breach incidents (41%), followed by lost or stolen portable or mobile devices (35%), malicious attacks (31%), and system failure (27%).”


Add these dates to your 2011 ITAD Calendar!


The team at LifeSpan Technology Recycling wishes you a Happy New Year. As you finish up 2010 and look toward 2011, we thought we’d share with you some important dates to have on your ITAD calendar for next year.

ITAD Calendar

Earth Day: April 22nd
America Recycles Day: November 15th

These two dates are the perfect opportunity for arranging corporate and community recycling events. Such an event can be a simple way for employees to safely recycle unwanted IT assets from home, or it can be designed to raise money for a local charity. Feel free to contact LifeSpan for information on how to create a successful event anywhere in the US.

Start with a clean slate: January 20th
Clean out your closets: July 20th

The beginning and middle of the year is an excellent time to contact the different departments in your organization and encourage them to remove unused IT assets that may be in storage or unused offices. These assets can often be turned into cash and might become a potential data breach if misplaced or stolen.

Trade Shows:

Each year there are any number of trade shows, but we’ve identified three that will help you learn how to maximize your ROI, increase sustainability, and create an efficient ITAD program for your organization. We hope that you will visit us if you attend:

Investment Recovery Association Seminar & Trade Show (Scottsdale AZ): March 6th – 9th
This event “represents an ambitious collection of informative educational sessions specifically directed to those responsible for the professional management of surplus assets and the many suppliers who help make that work possible and more productive.”


Data Center World (Las Vegas NV): March 27th – March 31st

This event is “the leading educational conference for data center professionals.”


IAITAM (International Association of Information Technology Asset Managers) Annual Conference (Las Vegas NV): October 12th – 14th.

This event is the “ITAM industry’s longest running, 9 years now, and ONLY event solely dedicated to the advancement of IT Asset Management and the establishment of global best practice.”


For assistance scheduling an event please contact LifeSpan at (888) 720-0900 or at info@lifespanrecycling.com.

Presidential Proclamation & Commitment to Sustainability


This past Monday was America Recycles Day and President Obama released a Proclamation asking American citizens and businesses to “work together to recycle waste and develop innovative ways to manage our resources more sustainably.”

The Federal Government will lead the way with a newly formed task group, as stated in an EPA Press release on Tuesday: “President Obama signed a proclamation celebrating the strides the country has made in recycling generally, while also highlighting the need for greater attention to addressing electronic waste (e-waste). Last week, the Council on Environmental Quality (CEQ), the Environmental Protection Agency (EPA), and the General Services Administration (GSA) formed a task force, under the Executive Order on Federal Sustainability, charged with helping the federal government lead by example in responsibly managing used electronics.”

EPA Administrator Lisa Jackson said, “Used electronics represent the fastest growing segment of local solid waste in our country. Far too many used electronics end up in landfills or are exported to nations where there is little capacity for safe management. Rather than benefitting from the reuse and recycling of valuable components, we see increased exposure to the toxic chemicals and other harmful substances in electronic devices. EPA has made the handling of used electronics and e-waste one of our top priorities, and through this task force the U.S. can become the world leader in sustainable electronics management. There are cost-effective and potentially profitable methods to better manage these materials and prevent health and environmental threats at home and around the world.”

The EPA said reusing or recycling electronics helps the environment by reducing our carbon footprint and conserving resources.

To learn how to develop a more sustainable program for your organization please contact us at: info@lifespanrecycling.com.

America Recycles Day Event at Creighton University


In celebration of America Recycles Day, Lifespan along with Creighton University sponsored an electronics recycling event on the campus at Creighton.  We collected over 12,000 pounds of equipment filling two trucks in four hours.  Please let us know if your community could benefit from a similar event.


Third Party Certifications: Best Practices in Electronics Recycling


Many companies have become increasingly concerned with sustainability and environmental stewardship as the “green” movement has swept over corporate America. At the same time, both federal and state governments have passed comprehensive legislation to protect the environment and ensure data privacy. The increasing volume of end-of-life electronics, coupled with the proliferation of product “take-back” programs, has boosted market demand for IT asset disposal services. In response, the number of electronics recyclers has increased dramatically.

However stringent the restrictions, the evening news is still full of horror stories of broken equipment winding up in overseas landfills and sensitive data inadvertently released to the public by careless or unscrupulous recyclers. How then can a consumer achieve peace of mind knowing that a company’s end-of-life electronics are being disposed of in a secure and environmentally responsible manner?

One answer to this problem is insisting on having the electronics recycling vendor be certified by an accredited third party. While these certification programs have variations, they all share the following characteristics:

  1. The ability to provide an all-encompassing “seal of approval”
  2. An emphasis on Total Quality Management (“TQM”) and/or ISO9001
  3. The presence of an Environmental Management System and/or ISO 14001
  4. Compliance with Health, Safety, and Security standards
  5. Periodic audits by an independent third-party

Firms seeking RIOS (Recycling Industry Operating Standard) certification must undergo a formal, objective examination by an accredited third-party auditor. Participating companies are evaluated on a variety of criteria related to environmental management systems, quality programs, business performance and financial stability, employee health and safety programs, security systems, and overall operations management. The audits are performed by SGS, a registrar for international quality and environmental standards. SGS employs more than 59,000 people and operates over 1,000 offices and laboratories worldwide.

Another certification specifically focused on electronics recycling best practices and facilitated by the EPA, is R2 – “Responsible Recycling”. Initially started in 2006, R2 has an unmatched open and multi-stakeholder development process. Representatives from the manufacturing sector (Dell/HP), electronics recyclers, asset recovery/ITAD firms, state and federal government agencies, and trade associations (including the Consumer Electronics Association, and International Association of Electronics Recyclers) were all involved in developing the next generation electronics recycling standard.

The R2 standard emphasizes reuse before recycling, a prohibition on illegal exports, compliance with domestic and international law, implementation of an environmental management system, and the identification and proper management of “focus materials” that pose a potential threat to the environment. R2 is a fully vetted and accredited standard that is audited by registrars that perform ISO auditing services, such as SGS and Perry Johnson Registrars.

A final standard worth noting is the AAA Certification that is managed by the National Association for Information Destruction (“NAID”). This standard was developed by NAID specifically for companies that provide computer hard drive destruction and sanitization services. The program’s auditors verify the physical security of sanitization facilities, chain of custody, and audit trail. In addition, a separate independent forensic testing lab verifies the effectiveness of the quality control and overwriting process. To date NAID has certified more than 360 member locations that provide physical destruction of media, but has only recently developed a separate certification program for companies who sanitize computer hard drives.

Dag Adamson, President

LifeSpan Attends IAITAM 2010 Annual Conference


LifeSpan was among the industry experts who participated in this year’s IAITAM (International Association of IT Asset Managers) 2010 Annual Conference and Exhibition in Nashville, TN, October 20th-22nd. The theme of this year’s conference was ‘Harmonizing Your Industry’, and companies from across the globe gathered to share and learn best practices in IT Asset Management. Not only was LifeSpan an exhibitor at the conference, but we also conducted several educational break-out session tracks.

Kicking off the conference with the first presentation, LifeSpan and Toyota Motor Sales presented a testimonial case study entitled ‘How Technology is Revolutionizing Asset Tracking’.  In it we highlighted how scanning barcodes and digitally capturing detailed asset data at the point of pickup through our EZ-Scan offering provides a fortified chain-of-custody with transparent visibility through the entire ITAD process.  OnePak also gave us a roadmap of how smartphone technologies are making it possible for asset managers to capture asset data and track assets each time an asset’s status or location changes during its lifecycle.

The conference concluded with a session presented by our President to help participants understand the various electronics recycling standards that have emerged. As scrutiny of how IT asset disposal is performed continues to grow, the US government, the electronics recycling industry, and the international community have responded with new and enhanced standards on how electronics should be processed. Independent third-party certifications, such as R2/RIOS and ISO 14001:2004, are the only way to provide customers with external assurance that their recycler’s assertions are legitimate.

In all it was a great week and we hope you will join us at next year’s conference in Las Vegas.

For more information on IAITAM visit: http://www.iaitam.org/

 

Vito Armino, Managing Director

 

 

eBay on Location: San Jose


Recently LifeSpan’s Remarketing Team attended eBay on Location in San Jose where they developed new online sales channels for our MAR Program (Microsoft Authorized Refurbisher).

 

[Photo: Marshall and John]

 

 

 

 
