S 2.167 Selecting suitable methods for deleting or destroying data
Initiation responsibility: IT Security Officer, Head of IT, Head of Organisation
Implementation responsibility: Head of Organisation, Head of IT, IT Security Officer
In order to ensure the confidentiality of information requiring protection, the information must be destroyed or deleted after use in such a way that the reconstruction of the information can be ruled out with high probability.
For the secure deletion or destruction of the information, there must be suitable methods available on the one hand, as well as suitable devices, applications, or services on the other hand.
There are various methods available to delete or destroy the information on data media. A brief overview can be found in S 2.433 Overview of the methods for deleting and destroying data. The BSI Technical Guideline "Guidelines for the deletion and destruction of information requiring protection on data media" (BSI-TL 03420) provides recommendations for the data media commonly used today. The most important recommendations are presented briefly below.
Recommendations for deleting data media
Deleting data from data media using the simple delete commands available in the respective operating systems or formatting the data media is not adequate to securely delete the data stored on the corresponding data media. For this reason, physical procedures such as treating the corresponding data media mechanically, thermally, or magnetically or overwriting the data media specifically one or more times should be selected as methods for secure deletion. For overwriting, the use of random data patterns is recommended. For data media to be reused in the same protected area, the time and expense required for deletion are lower than for data media that will leave their area of application and will be sold, for example. The following provides an overview of the methods available for deleting the most commonly used data media:
- Paper documents: No reliable method available.
- Microfilm, microfiche: No reliable method available.
- Hard disks (with magnetic data medium), magnetic tape cassettes, diskettes: Overwriting the entire data medium with a random numerical pattern and verification.
- Hard disks with semiconductor memory (SSD / hybrid): Currently no reliable method for increased protection requirements. It is recommended to completely encrypt the data medium before starting to use it. Before disposal, the data medium should be overwritten as described above.
- Optical data media (CD, DVD): Rewritable data media such as CD-RWs or DVD-RWs can be overwritten with random data for normal protection requirements.
- Volatile semiconductor memories (SRAM, DRAM): The power supply should be switched off to delete the data. If there is a buffer battery for the memory, it must be removed first. For very high protection requirements, the memory must be overwritten with random data once in advance.
- Non-volatile semiconductor memories (EPROM, EEPROM, Flash EPROM), USB sticks, flash cards, flash disks, PCMCIA cards: For high protection requirements, the entire memory area must be overwritten three times using suitable software.
- Chip cards: No reliable method available.
- All-in-one devices (copiers, etc.) with hard disks: Overwriting: for normal protection requirements, the information should be deleted from the cache after printout using a delete function. For high protection requirements, the hard disk must be overwritten once using suitable software after each printout.
When disposing of a device or when taking a device out of service, S 2.400 Secure withdrawal from operation of printers, copiers, and all-in-one devices must be taken into account.
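The "overwrite with a random pattern and verify" recommendation above, as an added illustration that is not part of the BSI text: the pattern is derived from a random seed with HMAC-SHA256 in counter mode, so verification can regenerate it instead of storing a copy. It assumes an ordinary file standing in for the data medium (raw block-device access is outside this example, and the SSD caveat from the text still applies: wear levelling may retain old copies that no file-level overwrite reaches).

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024  # bytes written/verified per step
def pattern_chunk(seed: bytes, index: int, length: int) -> bytes:
    # HMAC-SHA256 counter mode: unpredictable without the seed, regenerable for checks.
    out, block = bytearray(), 0
    while len(out) < length:
        msg = index.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(seed, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def overwrite_medium(path: str, passes: int = 1) -> list:
    # One fresh random seed per pass; the seeds are returned so the last pass can be verified.
    size, seeds = os.path.getsize(path), []
    for _ in range(passes):
        seed = os.urandom(32)
        with open(path, "r+b") as f:
            for index, offset in enumerate(range(0, size, CHUNK)):
                f.write(pattern_chunk(seed, index, min(CHUNK, size - offset)))
            f.flush()
            os.fsync(f.fileno())  # flush to device; SSD wear levelling may still retain old blocks
        seeds.append(seed)
    return seeds

def verify_overwrite(path: str, seed: bytes) -> bool:
    # Re-read the medium and compare every byte with the regenerated pattern.
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        for index, offset in enumerate(range(0, size, CHUNK)):
            n = min(CHUNK, size - offset)
            if f.read(n) != pattern_chunk(seed, index, n):
                return False
    return True

def demo() -> bool:
    # Constructed sample: a file standing in for a data medium, holding a secret.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONFIDENTIAL " * 10000)
        path = tmp.name
    try:
        seeds = overwrite_medium(path, passes=3)
        with open(path, "rb") as f:
            leaked = b"CONFIDENTIAL" in f.read()
        return verify_overwrite(path, seeds[-1]) and not leaked
    finally:
        os.unlink(path)
```

Verification compares every byte of the medium against the regenerated final pass, so a pass that was silently truncated or skipped shows up as a failed check rather than as a medium assumed to be clean.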
The use of the following methods as deletion methods is not recommended, because they are not reliable and it is possible to reconstruct data deleted using these methods:
- delete commands
- overwriting individual files
- high-level formatting
- low-level formatting
Recommendations for the destruction of data media:
A protection class is assigned to the protection requirement in standard DIN 66399:2012 "Destruction of data media", part 1. The protection class can then be used to derive the security levels to be applied to the different data media. For normal protection requirements, protection class 2 is appropriate. Suitable destruction methods and particle sizes for the respective protection classes can be found in DIN 66399 part 2.
The BSI Technical Guideline BSI-TL 03420 describes destruction methods for the different media, e.g. for paper documents, microfilms, magnetic and optical data media, semiconductor memories, and chip cards.
Reliable service providers can also be contracted for data media destruction (see S 2.436 Destruction of data media by external service providers).
- Paper documents: Paper documents should be shredded using file shredders. Security Level P-3 file shredders according to DIN 66399 should be used for normal protection requirements, while Security Level P-4, P-5, or P-6 file shredders should be used for higher protection requirements (see also S 2.435 Selecting suitable shredders).
- Microfilm, microfiche: Level F-4 according to DIN 66399 is recommended for mechanical shredding, but suitable devices are rarely available. For this reason, these data media should be burned. For this, the temperature must be higher than 300°C, and the exposure time must be at least 60 minutes.
- Hard disks: Hard disks can be shredded mechanically using a shredder. For high protection requirements, the size of the generated particles must not exceed 300 square millimetres (DIN 66399, level H-5). For normal protection requirements, particle sizes of up to 2000 square millimetres (DIN 66399, level H-4) are acceptable. Smaller particle sizes may be necessary for mechanically small drives. Hard disks can also be destroyed thermally, in which case the drive must be heated to a temperature of more than 1,000°C for at least 15 minutes.
- Magnetic tapes, magnetic tape cassettes: Magnetic tapes should be shredded using devices meeting the requirements of DIN 66399, level T-3. For higher protection requirements, the particle size should not exceed 30 square millimetres (level T-5).
- Diskettes, optical data media (CD, DVD): These data media can be shredded mechanically using a shredder. For optical data media, the size of the particles must not exceed 160 square millimetres according to DIN 66399, level O-3, and for higher protection requirements it must be below 30 square millimetres (level O-4). They can also be destroyed thermally, in which case they must be heated to a temperature of more than 300°C for at least 60 minutes or burned at higher temperatures.
- Semiconductor memories (SRAM, DRAM, EPROM, EEPROM), USB sticks, flash memories, PCMCIA cards: These data media can be shredded mechanically using a suitable device. The devices should meet security level E-4 according to DIN 66399. They can also be burned, in which case they must be heated to a temperature of more than 800°C for at least 15 minutes.
- Chip cards: Chip cards can be burned or shredded mechanically using a shredding device. For normal protection requirements, security level E-4 shredders according to DIN 66399 should be used.
Which methods are suitable for deleting or destroying the data and data media used in the organisation depends on how the data is stored, the data media used, and the protection requirements of the information. Any further uses planned for the data media also need to be taken into account. For this reason, a requirements analysis should be performed before selection in order to find suitable methods.
The following questions, amongst other things, must be answered during the requirements analysis:
- Which types of data (on which operating systems and in which applications), which types of data media (e.g. optical or magnetic), and which amounts of data (e.g. megabytes, gigabytes, terabytes) need to be deleted securely?
- What are the protection requirements of the data stored on the data media?
- What is the size of the data medium itself? Does the destruction result meet the protection requirements?
- Are the data media used, or were they used, in a protected area?
- Are there already tools available for the deletion and destruction of information? Are they suitable for the protection requirements identified and the types of data media used?
- Which types of deletion and destruction methods exist for the protection requirements identified and the types of data media used? How much time and expense is required for training to ensure the methods are applied reliably?
- How many data media of a given type must be deleted or destroyed according to the expectations?
The deletion of data or the destruction of data media should be performed promptly and at or near the workplace so that the data media do not need to be stored temporarily. This also generally reduces the number of people handling the data media and therefore increases security.
Depending on the protection requirements of the information and the data media used, other tools or devices must be used in order to reliably delete or destroy the data. Some tools and devices are expensive or are not easy to operate correctly. For this reason, it may make sense to sign service contracts with external service providers to this end. In this case, the data media to be disposed of must be collected in the organisation. Burglar-proof collection containers should be placed at suitable locations and emptied regularly to this end.
Destruction devices are subject to wear due to normal use. Improper use, or the destruction of data media the device was not intended for, may damage the device. Therefore, the particle size must be checked regularly, for example by a simple visual inspection against the values given in the device manual.
It must be documented comprehensibly which methods were selected for deleting and destroying the various types of data and the corresponding protection requirements and how to apply these methods.
The employees must receive instructions on how to apply the methods selected for deleting and destroying information, especially if the employees themselves will be using the corresponding tools.
Review questions:
- Were suitable methods selected for the deletion or destruction of the various types of data and the corresponding protection requirements?
- Were the employees instructed how to apply the methods used to delete and destroy information, and in particular how to use the tools and devices available for this purpose?
- Are there devices and tools available for the various types of data media used that are suitable for reliably deleting the information stored on the media?
- Is the destruction result checked regularly?
- Does the destruction method selected for a data medium meet the state of the art (e.g. size of the data medium)?