
Data Destruction: Erasure

What is Data Erasure?

Destroying data is a critical task. IRS Publication 1075 offers guidelines for federal, state, and local agencies, requiring them to sanitize information system media prior to disposal or release for reuse.1 Media sanitization protects the confidentiality of sensitive information by preventing unauthorized individuals from reconstructing and accessing data on media that has not been properly sanitized. Clearing information refers to a level of media sanitization that would protect the confidentiality of information against a robust keyboard attack. Methods of non-physical data clearing include:

Overwriting/wiping. Overwriting, also referred to as data wiping, involves writing new data on top of old data. This process erases old material, rendering anything left unreadable. When data is overwritten, a pattern of 1s and 0s is written over the original information. Either a random pattern is used, or a set pattern is used that allows for verification that the drive was properly wiped. Overwriting data once is usually sufficient, but multiple wipes may be required to ensure the erasure of extraordinarily sensitive information. Considerations for this method include:

  • Takes a long time
  • Data from inaccessible regions may not be sanitized
  • May require a separate license for every hard drive
  • Only works when the storage media is undamaged and is still writeable

Degaussing. Degaussing destroys computer data using a high-powered magnet that eliminates an electronic medium’s magnetism, destroying data in the process. Degaussing is a quick and effective method for destroying a large amount of information or sensitive data. When applied to magnetic storage media such as hard disks, magnetic tape, or floppy disks, degaussing can quickly and effectively purge an entire storage medium. While degaussing can be an effective method of data destruction, it has disadvantages including:

  • Rendering the hard drive inoperable
  • There is no way to ensure all data is destroyed
  • Effectiveness of degaussing can depend on the density of drives
  • Does not eradicate data from non-magnetic media such as Solid State Devices and CDs

The IRS guidelines require that the sanitization and disposal processes be verified to ensure media was properly sanitized. As required by Publication 1075, Section 2.F.3, every third piece of physical electronic media should be checked to ensure appropriate destruction of federal tax information. If sanitization tools (e.g., a degausser) are used, the agency must calibrate and test the equipment periodically, as another form of verification. The agency should perform regularly scheduled maintenance on sanitization tools as required. Finally, records should be kept detailing:

  • What media was sanitized
  • When the media was sanitized
  • Amount of media sanitized
  • How they were sanitized
  • Whether verification was performed
  • The final disposition of the media
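
The following Python example is added here for illustration and is not taken from IRS guidance or the original page: it overwrites media images with a set pattern, reads back every third item to verify the wipe, and returns one record per item covering the details listed above. The file names, record keys, and the `pending` disposition value are assumptions, and regular files stand in for media, so regions a real drive hides from the host are not exercised.

```python
import os, tempfile
from datetime import datetime, timezone

PATTERN = b"\x00"   # set single-byte pattern, so a read-back can confirm the wipe
CHUNK = 1 << 20     # work in 1 MiB blocks

def overwrite(path, pattern=PATTERN):
    """Write the pattern over every byte of an existing, writable image."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            f.write(pattern * min(CHUNK, size - offset))
        f.flush()
        os.fsync(f.fileno())   # push the new data out of OS caches
    return size

def verify(path, pattern=PATTERN):
    """Read the image back; True only if every byte equals the pattern."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != pattern * len(chunk):
                return False
    return True

def sanitize_batch(paths, method="single-pass overwrite, pattern 0x00"):
    """Wipe each item, verify every third one, return one record per item."""
    records = []
    for i, path in enumerate(paths, start=1):
        size = overwrite(path)
        records.append({
            "media": os.path.basename(path),
            "sanitized_at": datetime.now(timezone.utc).isoformat(),
            "bytes": size,
            "method": method,
            "verified": verify(path) if i % 3 == 0 else None,  # None = not sampled
            "disposition": "pending",  # set when the media is released or destroyed
        })
    return records

def demo():
    """Constructed sample: six 4 KiB files of random bytes stand in for media."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, f"media-{n}.img") for n in range(1, 7)]
        for p in paths:
            with open(p, "wb") as f:
                f.write(os.urandom(4096))
        return sanitize_batch(paths)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The number of records in a batch gives the amount of media sanitized, and a `verified` value of `False` marks an item whose read-back found bytes that do not match the pattern.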

1 IRS, 2023, “Media Sanitization Guidelines”