S 2.434 Purchasing suitable devices for deleting or destroying data

Initiation responsibility: IT Security Officer, Head of Organisation, Head of IT

Implementation responsibility: Head of IT, Purchasing Department, IT Security Officer

In most organisations, different tools will typically be used for the deletion or destruction of the data stored on the various types of data media. Some tools may be available at each employee's workplace, while other tools will be available at a central location, for example in IT Support. The requirements and general conditions should be determined first before purchasing a tool so that a suitable tool can be found for each of the corresponding data media types. When selecting devices for the deletion or destruction of data, the requirements specified in safeguard S 2.167 Selecting suitable methods for deleting or destroying data must be taken into account.

The requirements for each of the tools to be used for the deletion or destruction of data should be documented so that it is possible based on the documentation to check regularly if the selected tool still meets the requirements.

The requirements for file shredders are described in S 2.435 Selecting suitable shredders. The requirements for tools used to erase or destroy electronic data media are highly dependent on the design and purpose of the data media. Emphasis should be placed on ensuring that the security requirements of the organisation are fulfilled. The following issues must be clarified, among others:

• Is it possible to delete the data reliably according to its protection requirements?
• Has an independent organisation like the BSI certified the product according to recognised security criteria such as the Common Criteria (CC) or approved it for use with classified material?
• Is the product easy to install, configure and use?
• Can the product be configured so that the specified security objectives can be achieved?
• Can important configuration parameters be protected so that they cannot be changed by unauthorised users?
• Does the documentation supplied with the product contain exact descriptions of all technical and administrative details?
• Is the level of performance of the product appropriate for the size of the user group?
• Can the employees use the tools effectively, securely and correctly without requiring extensive training?
• How high is the initial purchase cost of each product? How high are the expected running costs (i.e. for maintenance, operation, and support)?

When data is deleted unintentionally, it is possible for entire business processes to be disrupted. For this reason, it should be clarified if the interfaces and access points required to the use these tools can be secured adequately.

The example below of a requirements profile for the secure erasure of hard disks illustrates how to specify these requirements in more detail.

Example:

There are a number of tools available on the market for erasing hard disks. The most important features to be used as selection criteria include the following:

• number of overwriting processes
• overwrite patterns
• ability to change the overwrite pattern after each run
• ability to erase the internal hard disk code
• verification runs

When selecting erasure tools for hard disks, it should be ensured that the selected solution fulfils the following requirements:

• Support for the operating systems and applications used: The tools should be able to work with the existing hardware and the operating systems used without any problems.
• Logging: It should be possible to log all delete operations. To meet general legal or contractual conditions, it may be necessary to prove that the records were deleted at a certain time.
• Correctness of the implementation: Tests of erasure tools have shown again and again that such tools are often implemented incorrectly due to the following errors:
  • incorrect (meaning unsuitable) overwrite patterns were used
  • some sectors were not overwritten
  • the specified number of overwriting processes was not executed
  • constants were used for the overwrite pattern instead of random numbers

Since it is difficult for users to detect such implementation errors, products that have been tested by independent bodies should be purchased, if possible. Tests for which all of the test criteria have been published, for example tests based on the CC or ISO/DIN standards, should be preferred. If there are no recent tests available, then technical IT magazines that regularly conduct tests of erasure tools should be consulted as an alternative before making a purchase.

Review questions:

• Have the requirements for the deletion and destruction tools been documented?
• Were the tools selected checked to ensure that they fulfil the requirements?