
Refurbish Digital Devices: Data Standards/Laws

Refurbishing Computers


Standards and Legislation Related to Digital Data Management


STANDARD(S) FOR DATA REMOVAL


The military and intelligence agencies set high standards for the security of information and for the destruction of data on computers removed from service. The U.S. Department of Defense (DOD) standard has influenced the development of software tools for data destruction, and is frequently cited by the software vendors whose tools meet it.

U.S. Department of Defense Standard 5220.22-M¹, paragraph 8-301, Clearing and Sanitization:

Instruction on clearing, sanitization and release of IS (information system) media shall be issued by the accrediting CSA (Cognizant Security Agency).

Clearing. Clearing is the process of eradicating the data on media before reusing the media in an environment that provides an acceptable level of protection for the data that was on the media before clearing. All internal memory, buffer, or other reusable memory shall be cleared to effectively deny access to previously stored information.

Sanitization. Sanitization is the process of removing data from media before reusing the media in an environment that does not provide an acceptable level of protection for the data that was on the media before sanitizing. IS resources shall be sanitized before they are released from classified information controls or released for use at a lower classification level.


Under the DOD standard, data may be cleared by writing any bit pattern over the entire disk once. Disks are sanitized by writing a different bit pattern over the entire disk on each of three passes. Some software solutions use three passes to clear and seven passes to sanitize. Disks containing top secret data are not permitted to be sanitized by overwriting; they must be physically destroyed or degaussed, which completely scrambles the magnetic patterns used to store data and renders the disk itself inoperable. Each branch of the U.S. Armed Forces has regulations indicating how to implement this standard.
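As an added illustration of the clear and sanitize operations described above (example code written for this page, not a tool from the standard or from the Pass It On Center): the functions below overwrite every byte of a file or block device once per pattern, sync each pass to the medium before starting the next, and read each fixed-pattern pass back to confirm it landed. The three sanitize patterns (0x00, then 0xFF, then random bytes) and the single 0x00 clear pass are assumptions chosen for the example; the standard only requires a different pattern on each pass. The sample file it runs on is constructed inline.

```python
import os
import secrets
import tempfile

# Patterns for the three sanitize passes described in the text: a fixed byte,
# its complement, then random data. The specific bytes are an assumption made
# for this example; the standard only requires a different pattern per pass.
SANITIZE_PASSES = (b"\x00", b"\xff", None)   # None means random bytes
CLEAR_PASSES = (b"\x00",)                    # one pass of any pattern

CHUNK = 64 * 1024


def _write_pass(fd, size, pattern):
    """Overwrite the first `size` bytes of fd with `pattern` (or random data)."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        view = memoryview(buf)
        while view:                       # os.write may write less than asked
            view = view[os.write(fd, view):]
        remaining -= n
    os.fsync(fd)   # push the pass out of the OS cache before the next one


def _verify_pass(fd, size, pattern):
    """Read the region back and confirm every byte equals the fixed pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data != pattern * len(data):
            return False
        remaining -= len(data)
    return True


def overwrite_path(path, passes, verify=True):
    """Overwrite every byte of the file or device at `path`, once per pattern.

    Returns {"size": bytes overwritten, "passes": passes completed,
    "verified": fixed-pattern passes read back successfully}.
    The file is opened O_RDWR, never O_TRUNC: truncating would hand the
    blocks back to the filesystem with the old data still on them.
    """
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        if size == 0:
            raise ValueError(f"{path}: nothing to overwrite")
        verified = 0
        for pattern in passes:
            _write_pass(fd, size, pattern)
            if verify and pattern is not None:
                if not _verify_pass(fd, size, pattern):
                    raise RuntimeError(f"{path}: pass read-back mismatch")
                verified += 1
        return {"size": size, "passes": len(passes), "verified": verified}
    finally:
        os.close(fd)


def clear_path(path):
    """DOD 'clear': one pass, for media that stays in a protected environment."""
    return overwrite_path(path, CLEAR_PASSES)


def sanitize_path(path):
    """DOD 'sanitize': three passes, each a different pattern, before release."""
    return overwrite_path(path, SANITIZE_PASSES)


if __name__ == "__main__":
    # Constructed sample: a temporary file standing in for a disk being wiped.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONFIDENTIAL CLIENT RECORD\n" * 2000)
        sample = tmp.name
    print(sanitize_path(sample))   # {'size': 54000, 'passes': 3, 'verified': 2}
    os.unlink(sample)
```

The same loop applies to a whole-device path such as the raw disk a refurbisher is wiping, but it then needs the operating system's permission to open the device for writing. Overwriting a single file on a journaling or copy-on-write filesystem, or overwriting flash media that does wear levelling, can leave copies of the old data in blocks the write never touches; that is why the standard is written in terms of the whole medium, and why the rule above that top secret media must be destroyed or degaussed rather than overwritten still applies.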


Consumer and Individual Data Security Legislation


The following are not standards for data removal, but a list of some of the key U.S. laws affecting the handling of digital data, especially confidential and secure information. Compliance with these laws would require the use of proper data destruction techniques when taking a computer out of service, or when refurbishing it for re-use.

Computer Copyright Act of 1980

Although computer programs had been granted copyright protection for many years, this act recognized the intellectual property rights of the owner of computer programs in all forms and classifications, from those that perform particular tasks to those that control the operations of the computers. Copyright protection also covers video games and creative audiovisual displays. This means that it is illegal to copy software for any purpose other than backup and recovery unless the copying and use is specifically permitted by the licensing agreement.

Federal Information Security Management Act of 2002

This law seeks to improve the security of computers and networks used by federal agencies and federal contractors. It requires yearly audits.

Gramm-Leach-Bliley Act (GLBA)

GLBA requires financial institutions (banks, insurance companies and other companies that receive financial information) to safeguard the collection and disclosure of customers' personal financial information.

Health Insurance Portability and Accountability Act (HIPAA)

This federal law addresses the security and privacy of health data. It requires patient consent for the release of medical records.

Identity Theft and Assumption Deterrence Act

This law makes it a Federal crime to take and use, or aid or abet the taking and use of, personal information of another individual for any purpose that is illegal under federal, state or local law.

Patriot Act

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, known as USA PATRIOT Act or simply the Patriot Act, allows law enforcement agencies increased access to telephone calls, e-mail messages, medical records, financial information and other records of private citizens not charged with any crime.

Sarbanes-Oxley Act of 2002

Sarbanes-Oxley is a comprehensive set of requirements for full financial disclosure in the securities industry to provide additional protection to investors. Two provisions of the Act apply to nonprofit organizations: the records retention requirements (see the Financial Management and Accounting module) and the employee protection (whistleblower) provisions.


__________
¹ National Industrial Security Program Manual, "Information System Security, Clearing and Sanitization." Retrieved June 11, 2008, from http://www.dtic.mil/whs/directives/corres/pdf/522022mfront.pdf


DISCLAIMER

This work is supported under a five-year cooperative agreement # H235V060016 awarded by the U.S. Department of Education, Office of Special Education and Rehabilitative Services, and is administered by the Pass It On Center of the Georgia Department of Labor – Tools for Life. However, the contents of this publication do not necessarily represent the policy or opinions of the Department of Education, or the Georgia Department of Labor, and you should not assume endorsements of this document by the Federal government or the Georgia Department of Labor.


Other Information

Title: Refurbish Digital Devices: Data Standards/Laws
Module: Program Operations
Author: Trish Redmon
Audience: Administrator
Organization Source: Pass It On Center
Last Reviewed: 10-25-2009 5:42 PM