ISO/IEC 27040:2015 is one of a growing set of standards set forth by the International Organization for Standardization (ISO), an international body working in conjunction with the International Electrotechnical Commission (IEC) to establish security and data processing standards.
The set of standards itself is quite powerful in that it provides comprehensive guidance for the storage and protection of data within processing systems. But what does this mean for the average provider? And are there any caveats to the standards? Most importantly – how does one ensure compliance?
Today, we’re going to discuss these standards, and what they mean for the community as a whole. We’ll highlight some important caveats, and discuss how the standards handle “sanitization”. Most importantly, we’ll differentiate between sanitization and typical delete/erasure processes, and bring to light some inequities of how data is typically handled in the end-of-life cycle.
ISO/IEC 27040 Purpose
Broadly speaking, the purpose of the standard is to define security guidelines for storage systems and their respective ecosystems. Many of these guidelines are quite common, though some have arisen from issues raised externally in recent years. Notable among these are objectives such as the publication of security risks in a system, a common methodology for supporting organizational security, and broad guidance on auditing systems.
While this standard has been adopted in a great many specific regulatory and legislative contexts, the standard itself is neither regulatory nor legislative.
Sanitization in the ISO/IEC 27040 Standard
While the standard contains a great many specific guidelines, the ones we will concern ourselves with today are those pertaining to data sanitization.
What is Sanitization?
Sanitization is a technical term for making sure that data on a device is securely and completely wiped and/or made inaccessible. This is done largely to protect organizations that repurpose, sell, discard, or recycle hard disk storage media, though it applies to a wide range of situations as a method of securing consumers against fraud and breaches of privacy.
Sanitization often takes a specific form depending on the security required for the data and the situation in which it is being discarded. Personal data, for instance, is subject to more scrutiny and thus to more intensive data wiping processes, whereas simple records such as traffic reports, which contain no personally identifiable information, are not required to meet such stringent requirements.
While confidential or governmental data may require stronger measures, including the destruction of cryptographic keys or the physical destruction of the hardware involved, most data is best handled with simple overwrite techniques.
It should be noted here that sanitization is a process in its totality: data erasure is only half the picture, as proper data storage is a big part of it. Knowing where data is, that it was collected properly, and when it is time to sanitize it are all part of that process, but for obvious reasons they are beyond the scope of this piece.
The Problem with Forensic Data
Not all data is created equal, and unfortunately, not all data is created on purpose. When data is erased on modern operating systems, more often than not it is not erased in the way we commonly think. In most situations there is no fast way to delete data that is also invisible to the user; operating systems know this, and to give users a better experience they opt for a different approach.
What most systems actually do is mark data for deletion without actively deleting it. This "frees up" space on the drive to be written over later, but does not overwrite it in any way. The effect is that the system reports the data as deleted while recoverable data remains on the drive itself. This residual data is called forensic data.
Obviously, this is a less than optimal solution, as it leaves data in a vulnerable position while reporting to everyone that it has been dealt with. That is why, under this standard, overwriting is the chief method discussed for sanitization.
Overwriting data is straightforward, but it bears some explanation. Simply put, when data is overwritten, you literally write over the section of the disk holding that data with data that roughly equates to "nothing". At the lowest level, bits on a hard drive platter are either on or off; in computing this is binary, either 1 or 0. Before being overwritten, the section might hold any combination of 1s and 0s; after being overwritten, it holds a fixed pattern or a set sequence of values.
When overwriting, we often make multiple passes. Why, if the values are just 1s and 0s? Hard drives are magnetic, and when we pass over them in this way we are changing their values magnetically. Unfortunately, this has a failure rate, and even magnetically changed values may retain some information relevant to other bits of data that have not yet been changed.
Accordingly, we pass over this area of data multiple times, thereby ensuring complete erasure and sanitization.
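To make the two points above concrete (that an ordinary delete only drops the bookkeeping entry, and that sanitization overwrites the underlying bytes in verified passes), here is a small Python model. It is an added example and not code from this page or from ClaraWipe. The toy disk, its 16-byte block size, the sample customer record and the zeros/ones/random pass sequence are all constructed for illustration; the pass sequence is an assumption chosen to show the mechanism, not a claim about what any named standard requires.

```python
"""Toy model: why 'delete' is not 'sanitize', and what verified multi-pass
overwriting does. Added example; all values are constructed."""
from __future__ import annotations

import secrets

BLOCK_SIZE = 16  # bytes per block in the toy model (constructed, not a real geometry)


class ToyDisk:
    """A raw byte array plus a small allocation table: the two things a file
    system keeps separately, and the reason a plain delete leaves data behind."""

    def __init__(self, blocks: int) -> None:
        self.media = bytearray(blocks * BLOCK_SIZE)
        self.table: dict[str, list[int]] = {}        # file name -> block indexes
        self.free: list[int] = list(range(blocks))   # unallocated block indexes

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
        self.table[name] = blocks

    def delete_file(self, name: str) -> list[int]:
        """Ordinary delete: forget the mapping and return the blocks to the free
        list. The bytes on the media are not touched at all."""
        blocks = self.table.pop(name)
        self.free.extend(blocks)
        return blocks

    def carve(self, needle: bytes) -> bool:
        """Scan the raw media while ignoring the table, as a recovery tool would."""
        return needle in bytes(self.media)

    def sanitize_blocks(self, blocks: list[int], passes: list[int | None]) -> list[str]:
        """Overwrite the given blocks once per pass. A pass is an int byte value
        (fixed pattern) or None (random bytes). Every pass is read back and
        compared before the next one starts, so a silent write failure is caught."""
        done: list[str] = []
        for p in passes:
            for b in blocks:
                fill = secrets.token_bytes(BLOCK_SIZE) if p is None else bytes([p]) * BLOCK_SIZE
                start = b * BLOCK_SIZE
                self.media[start:start + BLOCK_SIZE] = fill
                if bytes(self.media[start:start + BLOCK_SIZE]) != fill:
                    raise IOError(f"read-back verification failed on block {b}")
            done.append("random" if p is None else f"0x{p:02x}")
        return done


# Illustrative pass sequence (assumption): zeros, then ones, then random bytes.
DEFAULT_PASSES: list[int | None] = [0x00, 0xFF, None]


def demo() -> dict:
    """Write a record, delete it the ordinary way, show it is still carvable,
    then sanitize the freed blocks and show it is gone."""
    disk = ToyDisk(blocks=8)
    record = b"SSN=123-45-6789;name=Sample Person"  # constructed sample record
    disk.write_file("customer.txt", record)

    freed = disk.delete_file("customer.txt")
    recoverable_after_delete = disk.carve(b"123-45-6789")

    passes = disk.sanitize_blocks(freed, DEFAULT_PASSES)
    recoverable_after_sanitize = disk.carve(b"123-45-6789")

    return {
        "recoverable_after_delete": recoverable_after_delete,
        "recoverable_after_sanitize": recoverable_after_sanitize,
        "passes": passes,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real tools. First, each pass is verified by reading the block back; an overwrite that is never checked gives no evidence that sanitization happened, and a sanitization record is what an auditor will ask for. Second, this model has no wear levelling or spare area: on flash media the physical cells behind a logical block can be remapped, so overwriting through the file system does not by itself guarantee the old cells are cleared, which is one reason the standard also covers cryptographic key destruction and physical destruction for the most sensitive data.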
There is, of course, the alternative of physical destruction, in which the device holding data is quite literally destroyed, often in specially made hardware shredders.
While this is a mostly secure solution (it is hard to read data off a platter in a thousand pieces), it is also extremely expensive. Imagine that every time you wanted to delete a word in a document you had to destroy your entire computer; that is what happens with destruction.
Thankfully, destruction is reserved for only the most demanding data destruction needs. As a general rule of thumb, basic sanitization through overwriting with ClaraWipe is more effective than destruction in practical use, and is far cheaper and easier to do.
Though it is easy to do, it is also easy to get wrong. For this reason, the standard (and basic common sense) is paired with the suggestion to use a reputable data destruction specialist or program.
Enter ClaraWipe. ClaraWipe is a data erasure program that can securely and completely erase not only your data, but also the forensic trail it leaves behind. Properly erasing data can save you from legislative and punitive action, saving you money and time in the long run. ClaraWipe is a proven solution that adheres to, matches, or exceeds the following internationally recognized data wiping standards and regulations:
• Sarbanes-Oxley Act (SOx)
• HIPAA & HITECH
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• US Department of Defense 5220.22-M
• CSEC ITSG-06
• Payment Card Industry Data Security Standard (PCI DSS)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• EU data protection directive of 1995
• Gramm-Leach-Bliley Act (GLBA)
• California Senate Bill 1386
Simply put, investing in proper data sanitization is not a "should do" but a "must do", and finding the right solution is a huge part of that. Choosing ClaraWipe ensures that data is not only erased but truly sanitized; given how many economic, ethical, and legal constraints surround the data you work with on a daily basis, this is extremely important.