NIST 800-88 Hard Drive Destruction

The National Institute of Standards and Technology (NIST) has developed Guidelines for Media Sanitization.  The NIST 800-88 publication is intended to assist organizations and IT system managers in making practical data destruction decisions based on the relative categorization and confidentiality of their information or data.

According to NIST 800-88, shredding hard drives is the most secure and compliant form of data destruction. NIST 800-88 compliant hard drive destruction process.    National Security Agency (NSA) contractors should refer to the stricter NSA/CSS hard drive destruction requirements.

E-Waste Security provides NIST 800-88 compliant destruction services nationwide from Washington, D.C. and New York to Los Angeles and San Francisco.

NIST 800-88 Data Destruction Decision

 A recent survey on hard drive disposal best practice conducted by The ITAM Review shows that Information Security is overwhelmingly the strongest consideration when disposing of IT equipment.  Accordingly, CIOs want to know what NIST 800-88 regards as the most secure process for destroying hard drives and SSDs during the data destruction process.

The following flowchart summarizes the NIST 800-88 Sanitization and Disposition Decision Flow.

The bottom portion of the digital data destruction flowchart show details what processes should be followed for information classified as high security. 

Customer, employee, financial and health records are considered “High” security information

NIST Sanitization Decision Flow Chart

NIST for Small and Medium Sized Businesses

NIST now offers cybersecurity and data destruction guidance to small and medium-sized businesses (SMBs).  Cybersecurity guidance from NIST couldn’t come sooner for SMBs as they are increasing becoming targets for hackers.   

The Small Business Cybersecurity Act required NIST to offer SMBs resources to measure their current security protections against best practices. NIST data security guidance includes simplified cybersecurity framework, risk assessments and third-party breach education.

Read more on “How Does the NIST Small Business Security Act Affect Your SMB?” in Security Magazine.

NIST 800-88 Required Documentation

 NIST 800-88 describes three methods for sanitizing hard disk drives, 1) erasing, 2) degaussing and 3) shredding.  NIST 800-88 considers physically shredding hard drives the most secure form of data destruction and should be used for all levels of confidential information. The decision to erase or physically destroy hard drives should be based on your organization’s policies and procedures governing data security and destruction. Many business and organizations are now required to have a written Identity Theft Prevention Program per the Federal Trade Commission’s Red Flags Rule. Conforming to NIST 800-88 guidelines requires proper documentation of data destruction or more commonly known as a Certificate of Destruction.  NIST 800-88 documentation requirements.