NSA Compliant Data Destruction
The National Security Agency (NSA) and Central Security Service (CSS) have put together a manual entitled NSA/CSS Storage Device Sanitization Manual 9-12, detailing the proper methodology and equipment required for NSA compliant hard drive destruction. In addition, NSA/CSS Policy 6-22, “Handling of NSA/CSS Information Storage Media,” assigns responsibilities for the secure handling of all NSA/CSS information storage media. These policies and manuals detail the acceptable equipment and methodology for hard drive destruction.
Compliance begins prior to erasing, degaussing and shredding.
Record Hard Drive Inventory
Record the serial number of each hard drive to be destroyed. Best practices, as well as NIST 800-88, require linking the hard drive to the originating machine and user. A Certificate of Destruction with a list of serial numbers does not tell the whole story. Where the drive came from and what information was stored on the drive is the true
Secure Drives in a Locked Storage Container
Once removed from machines, hard drives must be protected from access by unauthorized employees and visitors. Storing hundreds of drives in the company’s warehouse, an unused office or a hired electronic recycling facility leads to pilfering and unauthorized access. By definition, this is a data breach.
Physically Destroy Hard Drives and Digital Media
Degauss and destroy. More specifically, degauss with a machine on the NSA Degausser Evaluated List. Cheaper and less powerful degaussing machines do not have enough magnetic force to penetrate heavily shielded server drives.
The destruction of the hard drive consists of “physically damaging by deforming the internal platters…” The NSA/CSS Policy Manual 9-12 “Storage Device Sanitization and Destruction Manual” does not require shredding the drive to a certain siz