Clean Sweep

The National Association for Information Destruction (NAID), based in Phoenix, has announced the launch of its Certification of Sanitization Operations for companies providing hard drive sanitization services. The association is preparing for the Beta Phase launch of the certification. Companies that registered by the March 14 deadline and successfully complete an audit of their operations by June 30 will be the first to be awarded the certification. Following the Beta Phase, the Certification of Sanitization Operations will be open to other NAID member companies that offer hard drive sanitization services.

NAID has offered its AAA Certification endorsement for hard drive destruction since Jan. 1, 2006. Bob Johnson, executive director of NAID, says the organization started with the hard drive destruction endorsement because it was easy for most members of the organization to understand, adding that members were somewhat "suspicious of sanitization" initially.

"Most of the NAID members who are not involved in electronic destruction said NAID members provide physical destruction and should not be involved in certification of sanitization. People in the [electronic destruction] business had very little objection," he adds.

Physical hard drive destruction could also be easily integrated into most member companies’ operations. "Sanitization posed greater problems," Johnson says.

However, because NAID member companies were offering hard drive sanitization, Johnson says the organization had to entertain such a certification. "We had members doing it, and if we didn’t believe it was thorough, it would be inconsistent with our mission to let people in who did it," he says.

Angie Singer Keating, chair of NAID’s Certification Rules Committee and vice president of compliance and security for IT asset management company Reclamere, Tyrone, Pa., says NAID also realized customer needs were a factor in favor of sanitization.

"In the beginning, the only conceivable way NAID was ever going to do anything around computers was if it was physical destruction," Keating says of the association’s initial reluctance to recognize sanitization as a secure method of information destruction.

However, she says she pointed out that some businesses need the sanitization option because their computer equipment is leased and, therefore, physical destruction of these hard drives is not an option. Hard drive sanitization is also the preferred option for clients that intend to redeploy computers within their organizations, Keating adds.

To study the issue, NAID put together an e-destruction task force and requested position papers for and against sanitization. After reviewing these papers and data from Massachusetts Institute of Technology graduate Simson Garfinkel, Ph.D., the task force came to the conclusion that, when properly administered, sanitization was a secure way to destroy information on hard drives.

"The process is effective if you’ve got certain steps in place," Johnson says of hard drive sanitization.

In developing a sanitization certification, NAID acknowledges that while hard drive destruction is 100 percent effective and sanitization is 99.99 percent effective, if companies follow best practices and adhere to process controls and quality control measures, sanitization can be an effective means of information destruction, Keating says.

"If there is a process, [sanitization] can be done right," she says. "NAID certification is all about process."

Johnson says about 90 percent of NAID’s preexisting certification program was germane to the new sanitization certification, such as requirements for access control, destruction time frame, contracts, yearly announced audits, periodic unannounced audits and employee screenings. The sanitization certification did, however, add computer-related crimes to the employee screening requirements, stipulating that no person subject to a felony conviction in the last seven years could come in contact with confidential client information.

In developing the sanitization certification, NAID’s Certification Rules Committee looked at best practices in the area of hard drive sanitization. Keating says she closely modeled the certification standards on Reclamere’s processes, with input from Kevin Myron of Cascade Asset Management, based in Wisconsin. "These are things we do so that when we say we have sanitized hard drives, we’ve done it to the Department of Defense (DOD) standard," she says. "And not only the standard to sanitize it, but also the standard to do quality control."

This is where NAID’s Certification of Sanitization Operations begins to differentiate itself from the other AAA Certification endorsements. Post-sanitization quality control is critical to then sanitization process because it cannot be visibly verified.

Keating says the quality control aspect can sometimes be overlooked by companies that offer hard drive sanitization.

Quality control for wiped computer hard drives is a form of computer forensics called data recovery, Keating says. "If you don’t have expertise in that area or you’re not willing to spend the money to randomly audit yourself and send hard drives out to experts that can do [data recovery], you are not really doing any type of quality control," she adds.

NAID’s Certification of Sanitization Operations demands that applicants have a quality control program in place. To test the effectiveness of the process, auditors present the applicant with two 80-gigabyte test hard drives with known data on them, Johnson says. These drives, along with two hard drives that are selected at random, will be sent out for forensic testing to see if any data can be recovered by conventional means. The randomly selected hard drives will be returned to the applicant after testing.

During the audit, Johnson says sanitization operations will have to provide auditors with information regarding their process flow. The auditor, who signs a confidentiality agreement before entering the property, will verify that the process is being applied appropriately. Applicants will have to identify key points within their operations that act as audit points using a Sanitization Process Questionnaire. These areas will include staging, acceptance and identification of items prior to processing, sanitization process stages, identification and separation of sanitized hard drives following processing and record keeping throughout the process.

Another component of the certification that is unique to sanitization operations regards the transportation of hard drives from clients’ facilities to the applicant. According to the standard, if a NAID-certified sanitization provider uses subcontracted transportation, it must disclose that information to its customers. Keating says this measure is a crucial component of the certification and "sets the bar very high."

The Certification of Sanitization Operations allows applicants’ customers to set up their own transportation. In this case, the sanitizer does not officially take possession of those hard drives until they are delivered to its facility.

According to the certification requirements, if a transportation subcontractor is used, the customer and the sanitizer must receive documentation of the shipment that indicates the type and quantity of the media.

Keating says companies that pursue the Certification of Sanitization Operations will also have to have the endorsement for hard drive destruction. "The process for hard drives that fail to wipe—and that will happen—is that they have to be physically destroyed," she says. "You cannot say, ‘Our sanitization is to the NAID standard, but our physical destruction isn’t.’ It’s almost like a two-step process." Keating adds that companies pursuing the Certification of Sanitization Operations will already have to have the physical destruction endorsement or will need to work on obtaining both certifications concurrently.

"We have 65 NAID member locations that are certified for hard drive destruction," Johnson says, adding that 344 of the association’s member companies are AAA Certified in total. He says he expects six to 12 NAID member companies to participate in the Beta Phase of the Certification of Sanitization Operations.

As an executive with a company that will participate in the Beta Phase of the Certification of Sanitization Operations, Keating says, "This industry is changing and growing all the time. If you are not willing to stay up to date on the latest practices, the latest processes and what can be reconstructed, you can lose credibility very fast." She adds, "NAID has gotten the credibility that it has because it is flexible and not biased. They realize this is the right thing to do for the industry."

The author is editor of Secure Destruction Business magazine and can be contacted at dtoto@gie.net.