Data Security

Cornerstone Technologies utilizes state-of-the-art equipment for its data destruction and eradication services. When an individual or company decides to upgrade their computer network, the older equipment is often repurposed to work in another area of the business, sold on the secondary PC market, donated to charity or otherwise destroyed. In any of these scenarios, it is of the utmost importance that the existing data residing on the hard drives of the computers is effectively erased (sanitized).

Data sanitation is the process of deliberately, permanently, irreversibly removing or destroying the data stored on a memory device. A device that has been sanitized has no usable residual data. Sanitation processes include using a software utility that completely erases the data, a separate hardware device that connects to the device being sanitized and erases the data, and/or a mechanism that physically destroys the device so its data cannot be recovered.

Cornerstone Technologies shall sanitize, purge, or destroy data on hard drives and other data storage devices ONSITE, including but not limited to digital copier, printer memory, CD-ROM, hard drives, data devices in cell phones, video tape, DVDs, and memory sticks, in compliance with the National Institute of Standards and Technology's (NIST) Guidelines for Media Sanitization, Special Publication 800-88, which lists categories of devices that need sanitation consideration, unless otherwise requested in writing by the customer. Cornerstone Technologies shall adhere to the data sanitation, purging, or destruction practices described in the NIST Guidelines for Media Sanitization: Special Publication 800-88 (Rev. 1). Cornerstone Technologies shall ensure electronically stored information is being handled in accordance with all national and state/provincial laws governing data destruction that apply to its operation.

Cornerstone Technologies shall remain diligent and knowledgeable about national as well as state/provincial laws that govern data management and destruction; state/provincial laws can in some cases have stronger data management requirements than the national regulations.

Cornerstone Technologies shall manage personal information in accordance with national regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Identity Theft Penalty Enhancement Act (ITPE), which create safeguards to protect private information.

Cornerstone Technologies has designated fenced-in secure areas within ALL of our facilities to store and facilitate the data destruction process. These secure areas are under constant audio and video surveillance and are locked when not occupied by the approved/authorized staff. Personal Protective Equipment (PPE) is not required while operating the degaussing and hard drive erasure machines.

Acceptable practices for the destruction of data depend on the type of media, the sensitivity of data, customer requirements, and the methods used. Cornerstone Technologies removes the circuit board from all hard drives determined to be tested, and non-working/failed drives are then destroyed through the use of our PD-4 Hard Drive Destroyer, which impales the platters. NIST Special Publication 800-88 specifies acceptable methods for data destruction by media type and classification (sensitivity). As new technologies emerge, generally accepted and published industry techniques may be acceptable through the validation process in 8(d).

If Cornerstone Technologies receives electronic data storage devices that are supposed to already be sanitized, Cornerstone Technologies shall be provided documentation by the vendor/customer of data destruction prior to the receipt of the media storage devices. Cornerstone Technologies shall run all received hard drives through the Tabernus Enterprise Erase LAN 7.3 Program to ensure that all data has been sanitized according to the identified specifications. Cornerstone Technologies shall also conduct periodic testing of previously sanitized devices to ensure data destruction has been performed. All activities involved in destruction shall be clearly described and conveyed to employees. All information pertaining to data destruction procedures shall be documented. Documentation shall include material handling, labeling, processing, storage, physical security, and validation of results. In addition, ALL hard drive degaussing equipment may require equipment calibration and maintenance to ensure effectiveness. Evidence must be generated and maintained to show conformity to the data destruction procedures and effective processing.

Reviews shall specifically include competency evaluations of employees, attempts at data recovery from sanitized devices, verification of calibration schedules, and verification of data sanitation records.

Cornerstone Technologies shall produce certificates, or evidence of regular review of data destruction procedures and validation of data destruction methods. For example, disk wiping methods may be validated using commercial software for data recovery to demonstrate no recoverable data on the wiped media. Forensic analysis or any other more rigorous data recovery method would only be necessary if the sensitivity of the data on the media warrants it in line with the NIST 800-88 guidelines. Additionally, physically destroyed media would not require data recovery attempts if the composition and/or size of the destroyed material is consistent with the NIST 800-88 specific guidelines. For example, shredded optical disks must meet a specific particle size. If the recycler's process does not correspond to the minimum size or form requirements of the NIST 800-88 guidelines, then forensic analysis would be needed to confirm the inability to recover data from the media.

Hard drives and/or other media storage devices are removed from all equipment. The hard drives and/or other media storage devices are then sorted and staged in the designated secure area with limited access until ready to be degaussed or erased. Hard drives with a storage capacity of 40G or greater are sorted for secure hard drive erasure and reused in refurbished computers, laptops, and servers for resale.

Cornerstone Technologies shall document its data destruction procedures and include this documentation as part of its QEHSMS.

Employees involved in data destruction shall receive appropriate training on a regular basis and be evaluated for competency in data destruction processing.

Data destruction processes shall be reviewed and validated by an independent party on a periodic basis as defined in the documentation called for in subsection (a) above.

Quality controls shall be documented, implemented, and monitored internally to ensure effectiveness of data sanitation, purging, and destruction techniques.

Security controls that are appropriate to the most sensitive classification of media accepted at the facility shall be documented, implemented and maintained.  Security controls shall consider physical security, monitoring, chain-of-custody, and personnel qualifications.

Adequate records of data destruction shall be maintained.

Cornerstone Technologies will ensure that all data destruction is facilitated and documented prior to any media storage devices being shipped to another downstream vendor:

The data destruction industry adheres to two specific sets of standards: D.O.D 5220.22-M and NIST publication 800-88. Cornerstone Technologies uses both as the minimum requirements for our data destruction policy.

5220.22-M:

The Department of Defense Standard 5220.22-M, Section 5, Subsection 8.5.3 states that to effectively overwrite the data on recordable media, each section of the disk must be overwritten three times, or what's known as three passes. On the first pass, the data in each sector is replaced with a character. On the second pass, the character is replaced with its complement. On the third and final pass, the sector is filled with a random character. In addition, items which have been cleared must remain at the original level of classification and in a secure, controlled environment.

It is important to note that 5220.22-M DOES NOT recommend the three-pass system for sanitation of "top-secret" information. In this instance, or upon the customer/vendor's request, Cornerstone Technologies uses physical destruction methods to permanently destroy the media and/or data.

For disk sanitation to fall under the D.O.D standards, the information on the disk must be removed through a two-step process in which the three-pass procedure is completed first and then followed by physical destruction.
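
The three-pass sequence described above, with a read-back check after each pass, as an added example that is not Cornerstone Technologies' tooling or code from the original page. It runs against a constructed file image; the 512-byte sector size, the 0x55 first-pass character and the function names are assumptions.

```python
import os
import secrets
import tempfile

SECTOR = 512  # assumed sector size for the constructed image


def _fill_and_verify(fd, size, value):
    """Overwrite every sector with `value`, flush, then read back and compare."""
    pattern = bytes([value]) * SECTOR
    os.lseek(fd, 0, os.SEEK_SET)
    for _ in range(size // SECTOR):
        os.write(fd, pattern)
    os.fsync(fd)  # push the pass to storage before verifying it
    os.lseek(fd, 0, os.SEEK_SET)
    for index in range(size // SECTOR):
        if os.read(fd, SECTOR) != pattern:
            raise OSError(f"sector {index} failed verification")


def three_pass_overwrite(path, character=0x55):
    """Run character, complement and random passes; return a per-pass record."""
    size = os.path.getsize(path)
    if size == 0 or size % SECTOR:
        raise ValueError("image size must be a non-zero multiple of SECTOR")
    char, comp, rand = character, character ^ 0xFF, secrets.randbelow(256)
    passes = [("character", char), ("complement", comp), ("random", rand)]
    record = []
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        for name, value in passes:
            _fill_and_verify(fd, size, value)
            record.append({"pass": name, "value": value, "sectors": size // SECTOR})
    finally:
        os.close(fd)
    return record


def demo():
    """Wipe a constructed 8-sector image; return (record, final image bytes)."""
    with tempfile.NamedTemporaryFile(delete=False) as image:
        image.write(b"CONSTRUCTED SAMPLE RECORD".ljust(8 * SECTOR, b"\x00"))
    try:
        record = three_pass_overwrite(image.name)
        with open(image.name, "rb") as handle:
            return record, handle.read()
    finally:
        os.unlink(image.name)
```

The per-pass record is the kind of evidence a sanitation log would retain for each drive. An overwrite issued through a filesystem or to flash media with wear leveling does not guarantee that every physical block is reached, so this shows pass order and verification only.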