Data Security

Cornerstone Technologies uses state-of-the-art equipment for its data destruction and eradication services. When an individual or company decides to upgrade their technology infrastructure, the surplus and/or end-of-life equipment is often sent to an electronics recycling company to responsibly manage the recycling of the hardware and the erasure of the data contained on hard drives. In any of these scenarios, it is of the utmost importance that the existing data residing on the computers' hard drives is effectively erased (sanitized) and/or destroyed.

What is data sanitation?

Data sanitation is the process of deliberately, permanently, irreversibly removing or destroying the data stored on a memory device. A device that has been sanitized has no usable residual data. Sanitation processes include using a software utility that completely erases the data, a separate hardware device that connects to the device being sanitized and erases the data, and/or a mechanism that physically destroys the device so its data cannot be recovered.

What is hard drive sorting?

Cornerstone Technologies shall sanitize, purge, or destroy data on hard drives and other data storage devices ONSITE, including but not limited to solid state hard drives, cell phones, video tape, flash drives, zip cassettes, CD-ROMs, magnetic disks, tape disks, computer memory, memory cards, magnetic strips, tape drives, and DVDs, in compliance with the National Institute of Standards and Technology's (NIST) Guidelines for Media Sanitization, Special Publication 800-88, which lists categories of devices that need sanitation consideration, unless otherwise requested in writing by the customer. Cornerstone Technologies shall adhere to the data sanitation, purging, or destruction practices described in the NIST Guidelines for Media Sanitization: Special Publication 800-88 (Rev. 1). Cornerstone Technologies shall ensure electronically stored information is handled in accordance with all national and state/provincial laws governing data destruction that apply to its operation.

How does Cornerstone Technologies protect privacy?

Cornerstone Technologies shall remain diligent and knowledgeable about national as well as state/provincial laws that govern data management and destruction; state/provincial laws can in some cases have stronger data management requirements than the national regulations.

Cornerstone Technologies shall manage personal information in accordance with national regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Identity Theft Penalty Enhancement Act (ITPE), which create safeguards to protect private information.

Cornerstone Technologies has a designated, controlled-access, fenced-in secure area within our facility that is under 24-hour audio and video surveillance. Only fully background-checked, vetted personnel are allowed inside this caged-in area. The caged-in area is used for all testing and refurbishment of devices and for storage of all hard drives before and after the data destruction process. Personal Protective Equipment (PPE) is not required while operating the degaussing and hard drive erasure machines.

How does Cornerstone Technologies destroy data?

Acceptable practices for the destruction of data depend on the type of media, the sensitivity of data, customer requirements, and the methods used. Once the hard drive is sanitized and the digital report is generated, it is stored for future use and/or sale. All hard drives that fail the sanitation process have their circuit board removed and are then destroyed using our PD-4 Hard Drive Destroyer, which impales the platters, per NIST Special Publication 800-88, which specifies acceptable methods for data destruction by media type and classification (sensitivity). As new technologies emerge, generally accepted and published industry techniques may be acceptable through the validation process in 8(d).

    1. Hard drives are tested and wiped using Active@ KillDisk Enterprise Edition Data Wiping Software.
       1. This method is used by the Department of Defense (5220.22-M) and meets the requirements of the NIST 800-88 guidelines.
       2. The method is a three-pass wipe using random characters, complements of characters, and random data streams.

Using Active@ KillDisk within Active@ BootDisk

Once you have entered the Active@ BootDisk environment, you will notice a red Active@ icon at the bottom left corner, near the Start Menu. Click on it to launch KillDisk.

Once you are in the Active@ KillDisk application, choose the particular drives that you wish to delete permanently.

After selecting the drives to delete, click the Kill icon in the upper part of the screen. This opens another window asking which method to use for deletion or overwriting. In our case, we will use US DoD 5220.22-M with three passes. In a real-world scenario, three passes are enough to delete data for good, but if you wish, you can use other methods and algorithms with a higher number of passes. Active@ KillDisk also offers the option of turning off your PC once the deletion has been completed. As you will see down the road, this is the option you probably want to check, especially if you are deleting HDDs.

To avoid any mistakes, the user must manually type ERASE-ALL-DATA into the confirmation box. Press OK.

The deletion on both drives will commence simultaneously, but since we are comparing two drives with different technologies and capacities, expecting both of them to finish at the same time would be highly optimistic. As soon as one drive finishes, Active@ KillDisk will create a PDF certificate stating its successful sanitizing status.

    1. Make sure the system is powered off.
    2. Make sure the jumper on the hard drive is set properly.
    3. Connect the hard drive to the system.
    4. After Active@ KillDisk finishes, check to see what message is displayed on the screen.
    5. Power off the system.
    6. Disconnect the hard drive.
    7. Label good hard drives as wiped.
    8. Label bad hard drives.
    9. Place good loose hard drives in the wiped hard drive storage unit according to size.
    10. If in a unit, remove the hard drive from the unit and place bad hard drives in a metal bin labeled “hard drives for recycling.”

All activities involved in destruction shall be clearly described and conveyed to employees. All information pertaining to data destruction procedures shall be documented. Documentation shall include material handling, labeling, processing, storage, physical security, and validation of results.

Reviews shall specifically include competency evaluations of employees, attempts at data recovery from sanitized devices, verification of calibration schedules, and verification of data sanitation records.

How do I know my data was actually destroyed?

Cornerstone Technologies shall produce certificates, or evidence of regular review of data destruction procedures and validation of data destruction methods. For example, disk wiping methods may be validated using commercial software for data recovery to demonstrate no recoverable data on the wiped media. Forensic analysis or any other more rigorous data recovery method would only be necessary if the sensitivity of the data on the media warrants it, in line with the NIST 800-88 guidelines. Additionally, physically destroyed media would not require data recovery attempts if the composition and/or size of the destroyed material is consistent with the specific NIST 800-88 guidelines. For example, shredded optical disks must meet a specific particle size. If the recycler’s process does not correspond to the minimum size or form requirements of the NIST 800-88 guidelines, then forensic analysis would be needed to confirm the inability to recover data from the media.

Hard drives and/or other media storage devices are removed from all equipment. The hard drives and/or other media storage devices are then sorted and staged in the designated secure area with limited access until ready to be degaussed or erased. Hard drives with a storage capacity of 40 GB or greater are sorted for secure hard drive erasure and reused in refurbished computers, laptops, and servers for resale.

Cornerstone Technologies shall document its data destruction procedures and include this documentation as part of its QEHSMS.

Employees involved in data destruction shall receive appropriate training on a regular basis and be evaluated for competency in data destruction processing.

Data destruction processes shall be reviewed and validated by an independent party on a periodic basis as defined in the documentation called for in subsection (a) above.

Quality controls shall be documented, implemented, and monitored internally to ensure effectiveness of data sanitation, purging, and destruction techniques.

Security controls that are appropriate to the most sensitive classification of media accepted at the facility shall be documented, implemented and maintained.  Security controls shall consider physical security, monitoring, chain-of-custody, and personnel qualifications.

Adequate records of data destruction shall be maintained.

What if my storage device is re-used elsewhere?

Cornerstone Technologies will ensure that all data destruction is facilitated and documented prior to any media storage devices being shipped to another downstream vendor:

The data destruction industry adheres to two specific sets of standards: DoD 5220.22-M and NIST Special Publication 800-88. Cornerstone Technologies uses both as the minimum requirements for our data destruction policy.

5220.22-M:

The Department of Defense Standard 5220.22-M, Section 5, Subsection 8.5.3 states that to effectively overwrite the data on recordable media, each section of the disk must be overwritten three times, or what’s known as three passes. On the first pass, the data in each sector is replaced with a character. On the second pass, the character is replaced with its complement. And, on the third and final pass, the sector is filled with a random character. In addition, items which have been cleared must remain at the original level of classification and in a secure, controlled environment. It is important to note that 5220.22-M DOES NOT recommend the three-pass system for sanitation of “top-secret” information. In this instance, or upon the customer/vendor’s request, Cornerstone Technologies uses physical destruction methods to permanently destroy the media and/or data.

For disk sanitation to fall under the DoD standards, the information on the disk must be removed through a two-step process in which the three-pass procedure is completed first and then followed by physical destruction.
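The three passes described above (a character, its complement, then random data), together with the read-back validation described under "How do I know my data was actually destroyed?", shown as an added example that is not Cornerstone Technologies' or Active@ KillDisk's code. It runs against a constructed image file rather than a real drive; the 512-byte sector size, the 0x55 fill character, the sample marker, and all function names are assumptions.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size for the constructed image


def overwrite_pass(path, fill):
    """Overwrite every sector with fill(n), then read back and compare digests."""
    size = os.path.getsize(path)
    written, read_back = hashlib.sha256(), hashlib.sha256()
    with open(path, "r+b") as f:
        for off in range(0, size, SECTOR):
            block = fill(min(SECTOR, size - off))  # last sector may be short
            f.write(block)
            written.update(block)
        f.flush()
        os.fsync(f.fileno())  # push the pass to storage before verifying
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR):
            read_back.update(chunk)
    return written.digest() == read_back.digest()


def three_pass_wipe(path, char=0x55):
    """Pass 1: a character. Pass 2: its complement. Pass 3: random data."""
    passes = [("character", lambda n: bytes([char]) * n),
              ("complement", lambda n: bytes([char ^ 0xFF]) * n),
              ("random", os.urandom)]
    return [(name, overwrite_pass(path, fill)) for name, fill in passes]


def residue_found(path, marker):
    """Validation: search the image for a marker known to exist before the wipe."""
    with open(path, "rb") as f:
        return marker in f.read()


def demo():
    marker = b"CONSTRUCTED-SECRET-0001"  # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(marker * 256)  # 5888 bytes: ends on a partial sector
        path = img.name
    try:
        before = residue_found(path, marker)
        return before, three_pass_wipe(path), residue_found(path, marker), os.path.getsize(path)
    finally:
        os.remove(path)
```

Calling `demo()` returns whether the marker was present before the wipe, the per-pass verification results, whether the marker is still present afterwards, and the image size, which the wipe must leave unchanged.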