DATA-16

Does the process described in DATA-15 adhere to DoD 5220.22-M and/or NIST SP 800-88 standards?

Explanation

This question is asking whether your data sanitization process (previously described in DATA-15) follows specific government and industry standards for secure data destruction.

DoD 5220.22-M is a Department of Defense standard that specifies methods for overwriting data on magnetic media to prevent recovery. It traditionally involved multiple passes of overwriting with specific patterns. NIST SP 800-88 ("Guidelines for Media Sanitization") is a more modern standard from the National Institute of Standards and Technology that provides comprehensive guidance on sanitizing various types of media, including hard drives, SSDs, mobile devices, and more. It defines three levels of sanitization: Clear, Purge, and Destroy.

This question is being asked in a security assessment because proper data destruction is critical to prevent unauthorized access to sensitive information after media is decommissioned, repurposed, or disposed of. Improper data destruction can lead to data breaches even after you believe the data is gone.

To best answer this question, you should:

1. Confirm whether your sanitization processes explicitly follow either or both standards
2. Specify which methods from these standards you implement
3. Mention any third-party tools or services you use that are certified for these standards
4. If you don't follow these specific standards, explain what alternative methods you use

Example Responses

Example Response 1

Yes, our data sanitization process adheres to NIST SP 800-88 standards. For magnetic hard drives, we implement the Purge technique using software that performs a 3-pass overwrite followed by verification. For solid-state drives and flash media, we use the manufacturer's secure erase commands when available, or cryptographic erasure by destroying the encryption keys. For physical destruction, we contract with a NAID AAA-certified vendor who provides certificates of destruction. All sanitization activities are logged and documented according to NIST SP 800-88 Appendix G, with records maintained for 7 years.

Example Response 2

Yes, our data sanitization process follows both DoD 5220.22-M and NIST SP 800-88 standards. For magnetic media, we use DoD 5220.22-M compliant software that performs the standard 3-pass overwrite. For all other media types, we follow NIST SP 800-88 Rev.1 guidelines, implementing the appropriate Clear, Purge, or Destroy methods based on media type and data sensitivity classification. Our IT security team is trained on these standards, and we maintain detailed sanitization logs that include the standard followed, method used, date, operator, and verification results. We also conduct quarterly audits of our sanitization processes to ensure continued compliance.

Example Response 3

No, our current data sanitization process does not fully adhere to DoD 5220.22-M or NIST SP 800-88 standards. We currently use a single-pass overwrite for magnetic media and rely on standard deletion for solid-state drives. We recognize this is a gap in our security controls and have initiated a project to implement NIST SP 800-88 compliant processes across all media types. We have purchased compliant sanitization software and are developing formal procedures that will be implemented within the next 90 days. In the interim, we mitigate risk by storing all decommissioned media in a secure location with restricted access until proper sanitization can be performed.
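As an added example, not code from this page or from ResponseHub, the following script works through the overwrite-then-verify step described in the explanation and produces the log fields listed in Example Response 2 (standard, method, date, operator, verification result). The pass patterns, field names and operator are constructed; overwriting a file this way demonstrates only the verification logic and is not a device-level Purge, and it does not sanitize flash media, for which the responses rely on secure erase or cryptographic erasure.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed overwrite policy (not quoted from any standard): fixed patterns, then zeros so the end state is verifiable.
PASSES = (b"\xaa", b"\x55", b"\x00")
CHUNK = 1 << 16


def overwrite_file(path, passes=PASSES):
    """Overwrite every byte of the file once per pass, syncing after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            for off in range(0, size, CHUNK):
                f.write(pattern * min(CHUNK, size - off))
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_overwrite(path, pattern):
    """Read the whole file back; return (ok, offset of first wrong byte or -1)."""
    with open(path, "rb") as f:
        off = 0
        while buf := f.read(CHUNK):
            if buf != pattern * len(buf):
                return False, off + next(i for i, b in enumerate(buf) if b != pattern[0])
            off += len(buf)
    return True, -1


def sanitize_and_log(path, operator, standard="NIST SP 800-88 Rev. 1", level="Clear"):
    """Overwrite, verify, and return the log fields named in Example Response 2."""
    size = overwrite_file(path)
    ok, bad = verify_overwrite(path, PASSES[-1])
    return dict(standard=standard, level=level, operator=operator, target=path,
                method=f"{len(PASSES)}-pass overwrite with full read-back verification",
                date=datetime.now(timezone.utc).isoformat(), bytes=size,
                verified=ok, first_bad_offset=bad)


def demo():
    """Constructed sample: sanitize a temp file of fake records, then alter one byte to show detection."""
    fd, path = tempfile.mkstemp()
    os.write(fd, b"customer-record:" * 10000)
    os.close(fd)
    record = sanitize_and_log(path, operator="j.doe")
    with open(path, "r+b") as f:  # simulate a region the overwrite missed
        f.seek(123)
        f.write(b"x")
    tampered = verify_overwrite(path, PASSES[-1])
    os.remove(path)
    return record, tampered
```

Running `demo()` returns a record with `verified=True` for the clean sanitization, and a second result `(False, 123)` showing that verification reports the exact offset of a byte that was not overwritten.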

Context

Tab: Product
Category: Data

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub