When choosing a data destruction specialist, you want to pick a credible vendor that can meet your internal policies and needs. When it comes to independent validation, there are really three third-party designations to consider: certifications, memberships, and compliances. In this entry, we are going to break down all the bits and bytes about these designations and point out dubious claims in the data sanitization space so you can make a more informed decision about your vendor of choice.
Attaining certification for any product is a lengthy, intensive process: serious in-house documentation, third-party investigation, coordination, time, and money. For these reasons, certifications are often viewed as the strongest form of credibility a company can attain for its product. However, it's worth looking into the type of certification and the quality of the standard behind it before deciding whether a given certification actually confers the credibility you need.
NIAP Certifications: A Case Study
Consider the NIAP EAL 4+ certification boasted by some of our competitors. NIAP is the National Information Assurance Partnership, the U.S. scheme that implements the international Common Criteria for Information Technology Security Evaluation [http://www.commoncriteriaportal.org/]. On paper, this sounds like a great way to prove the security of a company's data sanitization algorithm. Let's dig a little deeper to show why that inference is spurious.
First, since 2012 NIAP no longer accepts evaluations against Evaluation Assurance Levels (EALs), because an EAL is a generic measure of how rigorously a product was evaluated and says nothing about any specific technology. NIAP instead evaluates products against technology-specific Protection Profiles, covering things such as encryption, firewalls, email security and, more generally, application software. At the time of this writing there is no NIAP Protection Profile for data sanitization. So a sanitization vendor that advertises a NIAP certificate is really saying that its application's design and development process met a generic assurance level, not that its overwrite method renders data unrecoverable. To summarize: NIAP EAL certificates are no longer issued, and both they and the Protection Profiles that replaced them address the secure design of the application, not the effectiveness of the sanitization.
This is very different from independent assurance that the sanitization method itself adheres to best practice and actually leaves the data unrecoverable. Of course, it doesn't hurt to have a product's design and source code evaluated for security flaws. But don't let vendors confuse you by marketing certifications that are irrelevant to the task at hand.
Other Data Sanitization Certifications
There are currently few true data sanitization certifying bodies in the U.S. Companies in the industry may validate each other's products, but without an overarching accrediting body for sanitization, as NIAP is for Common Criteria, a U.S. certification is unusual. International bodies do exist, including CESG (the Communications-Electronics Security Group, the UK Government's National Technical Authority for Information Assurance, since absorbed into the National Cyber Security Centre), Russia's Federal Service for Technical and Export Control (FSTEC), and Germany's Federal Office for Information Security (BSI).
While there are few actual certifying bodies, there are plenty of published standards for data sanitization that quality organizations follow. "Compliance" with a standard simply means that a vendor states, and should be able to demonstrate, that its process meets that published measuring stick; unlike a certification, no accredited third party necessarily attests to it.
The two primary standards are DoD 5220.22-M and NIST SP 800-88. DoD 5220.22-M is actually the National Industrial Security Program Operating Manual (NISPOM), first published in the early 1990s and revised many times since. Its lasting mark on this industry is the "three-pass" protocol: overwrite every addressable location with a character, then its complement, then a random character, and verify. The idea was that a hard drive is only irrecoverably purged after three separate overwrite passes. That may have been prudent when it was written, when magnetic media sanitization was less well researched and drive densities were far lower, and later revisions of the NISPOM dropped the overwrite specification altogether. Even so, the three-pass rule has haunted the industry, especially in government agencies where mitigating any conceivable risk is the priority.
The newer and more widely accepted standard is NIST SP 800-88, Guidelines for Media Sanitization (Revision 1, 2014). It is more general and is meant as a decision tool for organizations planning data security as well as for sanitization specialists: it distinguishes Clear, Purge and Destroy, asks you to pick one based on how confidential the data is and where the media goes next, and requires that every sanitization be verified. For modern magnetic hard drives it holds that a single overwrite pass with a fixed pattern is sufficient to Clear the drive; extra passes buy nothing. Two caveats a practitioner should know: overwriting cannot reach sectors the drive has remapped, so Purge on a hard drive relies on the drive's own secure-erase command, cryptographic erase or degaussing; and overwriting is unreliable on flash media (SSDs, USB sticks) because wear levelling hides blocks from the host, so those need the device's sanitize or cryptographic erase commands, or physical destruction.
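To make the difference between the two overwrite policies concrete, here is an added example written for this article; it is not Clarabyte's product code and the policy names, pattern bytes and helper names are this example's own choices. It models the DoD-style three-pass sequence (character, complement, random) and the NIST-style single fixed pass, verifies each pass by reading back what the device now returns, and produces a record of the kind a destruction certificate could carry. It runs on a constructed disk image so it works offline; on a real system the path would be a block device, and the rotational check is how a tool can refuse to overwrite flash media where 800-88 says overwriting is unreliable.

```python
"""Illustrative overwrite-and-verify routine (example code, not a vendor's).

Runs on a disk image file so it works offline. On a real block device
(e.g. /dev/sdb) os.path.getsize() returns 0, so the size would have to come
from lseek(SEEK_END) or the BLKGETSIZE64 ioctl instead. Policy names and
pattern bytes are this example's own choices:
  "nist": one fixed-pattern pass (NIST SP 800-88 Rev. 1 Clear for HDDs)
  "dod":  byte, its complement, then random (the classic three-pass)
Both verify by reading back through the host interface, which is also the
only path an attacker using the drive normally has. Overwriting cannot reach
remapped sectors or wear-levelled flash blocks; see is_rotational().
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB I/O granularity

PASSES = {
    "nist": [0x00],              # single fixed pass (Clear)
    "dod":  [0x55, 0xAA, None],  # byte, its complement, then random
}


def is_rotational(devname):
    """True for spinning disks, False for flash, None if unknown (non-Linux
    or no such device). Reads the Linux sysfs flag for the device."""
    try:
        with open(f"/sys/block/{devname}/queue/rotational") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def _write_pass(fh, size, pattern):
    """Write `size` bytes from offset 0 (fixed byte, or os.urandom when
    pattern is None). Returns SHA-256 of exactly what was written."""
    fh.seek(0)
    digest = hashlib.sha256()
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = bytes([pattern]) * n if pattern is not None else os.urandom(n)
        fh.write(buf)
        digest.update(buf)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())
    return digest.hexdigest()


def _readback(fh, size):
    """SHA-256 of the first `size` bytes as the device returns them now."""
    fh.seek(0)
    digest = hashlib.sha256()
    remaining = size
    while remaining:
        buf = fh.read(min(CHUNK, remaining))
        if not buf:
            raise IOError("short read during verification")
        digest.update(buf)
        remaining -= len(buf)
    return digest.hexdigest()


def overwrite(path, policy="nist", verify_each=False):
    """Overwrite `path` in place per `policy`; verify the final pass (or
    every pass). Returns a record a destruction certificate could carry."""
    size = os.path.getsize(path)
    patterns = PASSES[policy]
    passes = []
    with open(path, "r+b") as fh:
        for i, pat in enumerate(patterns, 1):
            expected = _write_pass(fh, size, pat)
            ok = None
            if verify_each or i == len(patterns):
                ok = _readback(fh, size) == expected
            passes.append({"pass": i,
                           "pattern": "random" if pat is None else f"0x{pat:02X}",
                           "verified": ok})
    return {"path": path, "bytes": size, "policy": policy, "passes": passes,
            "verified": all(p["verified"] for p in passes if p["verified"] is not None)}


def contains_marker(path, marker):
    """Crude 'is the data still there?' scan of the whole image."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def make_sample_image(size=3 * CHUNK + 17, marker=b"TOP-SECRET"):
    """Constructed sample: a temp file of random bytes with a marker planted
    in the middle, standing in for a drive holding sensitive data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(size // 2))
        fh.write(marker)
        fh.write(os.urandom(size - size // 2 - len(marker)))
    return path


if __name__ == "__main__":
    img = make_sample_image()
    print("marker present before wipe:", contains_marker(img, b"TOP-SECRET"))
    print(overwrite(img, "dod", verify_each=True))
    print("marker present after wipe:", contains_marker(img, b"TOP-SECRET"))
    os.remove(img)
```

Note that the verification step is the part NIST SP 800-88 insists on regardless of pass count: a pass that was not read back is an assumption, not evidence. The record returned by overwrite() is the minimum a per-device certificate should be able to reproduce.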
There are a handful of other data security standards and regulations that vary by industry. A longer list of compliances shows that a company has invested in security, but judge each entry on two counts: does the vendor actually adhere to it, and is it relevant? Many of these regulations (HIPAA, GLBA, PCI DSS) first bind the organization that owns the data, so a vendor's "compliance" really means its process and paperwork are designed to let you meet your obligation, which is exactly what you should ask it to demonstrate.
Memberships sit between certifications and compliance. Membership signals dedication to the industry community, adherence to best practices, and that a company is serious enough to invest in its sanitization solution. For instance, the National Association for Information Destruction (NAID), through its AAA Certification program, audits member operations for strict video monitoring, a secure, temperature-controlled facility, and serious employee restrictions (signed confidentiality agreements, drug screening, third-party background checks, and so on). Membership in NAID and similar bodies is a good way to increase the credibility of a data sanitization specialist; when a vendor cites NAID, ask whether it is merely a member or AAA Certified, since only the latter involves audits.
With this discussion in mind, here are the standards, regulations and memberships Clarabyte meets or holds:
• NIST 800-88
• US Department of Defense 5220.22-M
• NAID Member
• Microsoft Authorized Refurbisher
• iFixit Pro Member
• Sarbanes-Oxley Act (SOX)
• HIPAA & HITECH
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• CSEC ITSG-06 (Clearing and Declassifying Electronic Data Storage Devices)
• Payment Card Industry Data Security Standard (PCI DSS)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• EU Data Protection Directive of 1995 (95/46/EC)
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill 1386
The Clarabyte Advantage
Overall, while general adherence to certifications, compliances and memberships is great, what matters even more is whether a company can offer the varied services and special programs that match your internal data policies and needs, be it:
• Detailed data destruction certificates (check that they list each device's serial number, the method and pass count used, and the verification result)
• Remote sanitization and e-tracking
• The ability to scale from a single pass to multiple passes, or to whatever method your policy requires
• Secure, video-monitored facilities
• Other custom services
The real Clarabyte advantage is the ability to offer the data sanitization service that best meets your needs.