S 2.434 Purchasing suitable devices for deleting or destroying data

Initiation responsibility: IT Security Officer, Head of Organisation, Head of IT

Implementation responsibility: Head of IT, Purchasing Department, IT Security Officer

In most organisations, different tools will typically be used for the deletion or destruction of the data stored on the various types of data media. Some tools may be available at each employee's workplace, while other tools will be available at a central location, for example in IT Support. The requirements and general conditions should be determined before purchasing a tool so that a suitable tool can be found for each of the corresponding data media types. When selecting devices for the deletion or destruction of data, the requirements specified in safeguard S 2.167 Selecting suitable methods for deleting or destroying data must be taken into account.

The requirements for each of the tools to be used for the deletion or destruction of data should be documented so that the documentation can be used to check regularly whether the selected tool still meets the requirements.

The requirements for file shredders are described in S 2.435 Selecting suitable shredders. The requirements for tools used to erase or destroy electronic data media are highly dependent on the design and purpose of the data media. Emphasis should be placed on ensuring that the security requirements of the organisation are fulfilled. The following issues must be clarified, among others:

When data is deleted unintentionally, it is possible for entire business processes to be disrupted. For this reason, it should be clarified whether the interfaces and access points required to use these tools can be secured adequately.

The example below of a requirements profile for the secure erasure of hard disks illustrates how to specify these requirements in more detail.

Example:

There are a number of tools available on the market for erasing hard disks. The most important features to be used as selection criteria include the following:

When selecting erasure tools for hard disks, it should be ensured that the selected solution fulfils the following requirements:

Since it is difficult for users to detect such implementation errors, products that have been tested by independent bodies should be purchased, if possible. Tests for which all of the test criteria have been published, for example tests based on the CC or ISO/DIN standards, should be preferred. If there are no recent tests available, then technical IT magazines that regularly conduct tests of erasure tools should be consulted as an alternative before making a purchase.

Review questions: