NIST SP 800-88: Guidelines for Media Sanitization

00:00

Welcome back to cyber. Is this? Of course I'm your instructor, Brad Roads. So let's go ahead and jump into this special pub 888. And this is our guidelines from media sanitization.

00:13

So we did talk about sanitization when we discussed that Decommissioning in our previous modules. Is was this a domain five

00:21

eso we're going to cover in this video, specifically the types of media we have to do with We're gonna talk about types of sanitation, and then we're gonna look at the decision flow that comes directly out of 888.

00:34

So there's two kinds of media. We have to do it. There's hard copy and soft copies, so that should be obvious. Right? Hard copy is paper, right? Many organizations today, even though even though we have all this great digital capability, still produces hard copies, right? And so those hard copies either have to be

00:52

completely obliterated, destroyed, right, scanned into an electronic copy and then destroyed. But

00:58

you gotta understand that hard copy is still a thing. The next one is Elektronik or soft copy. And that's any kind of media that is digital. So that could be ah hard drive. It could be a CD or DVD. It could be a USB key. It could be a micro SD card. I could keep going on and on. It could be an actual device itself that's holding data

01:17

like thinking I ot device, maybe a raspberry pi. Or

01:19

maybe it is something even smart like in Omega Onion to something that has got embedded Elektronik capabilities that you might actually have to destroy the entire thing, not just the media itself, because it's not extractable.

01:34

So there's three kinds of sanitization types I need you to remember clear, which means I basically wiped the data from the media.

01:42

Okay, obviously hard copy. You're not erasing stuff you printed, so that doesn't really apply. Purge. That's where we actually go through and script and and and go through and say with We're talking about electronic media. We go through and we right

01:56

over all of the the data or the previous date. It was a bunch of zeros, right? Basically a reset or you even de magnetize ing a drive could help with that. Right? So that's we're talking about here when you think about hard copy stuff, a purge could be pulping that with the appropriate type shredder, depending on

02:13

the classifications or the risk associated with that particular hard copy data.

02:17

And then, of course, destroy destroys where we actually obliterates a physical media could be, You know, we destroy a hard drive, and we, you know, we scratch up, and that doesn't necessarily work all the time. But let's say we're gonna pulverize Ah, particular hard drive to destroy it, right, and then just recycle the rest of it, right? Potentially with paper destruction is burning it,

02:37

um it is pumping it to the point where it cannot be reconstructed. Right, So

02:40

those are three sanitization types.

02:45

So here's the decision flow from

02:47

this 888 and there's three levels you need to know. One is security categorization low, right? And so, if it is not gonna leave organizational control, you could just clear

03:00

if it is gonna leave organizational control. You gotta purge it. Then. Of course, you see a lot of things they're validating document.

03:06

Okay, when we're talking about modern security categorization, right, we're gonna make some decisions here. We're going to determine whether we can or cannot reuse the media. So in the case of, say, hard drives. And I've seen this before. We have reused hard drives, right? And so it did not leave organizational control. So we purged it, validated and put it back into operations.

03:24

We had old hard drives

03:27

that if we had to get rid of them, right, because we could not reuse them anymore. Pretty straightforward. We had to destroy them, right? And once they were destroyed, we validated that undocumented it. And then you have security categorization high. And so this could be, you know, in the terms of, like, government stuff, this could be, you know, media from, say, classified systems. Or,

03:46

in the case of the commercial space, this could be, say, intellectual property. Right. Well, you're gonna make a decision. Can you reuse the media or not? Well, if you can't, you're gonna destroy it.

03:55

If you can, you have to determine if it's gonna leave the control. The organization. If it isn't,

04:00

then you could purge it and potentially reuse it. If it is going to leave control the organization. Obviously you would you would then destroy it. Right? So this decision flow is important, right? You will likely see um, you know this again in the sf content.

04:17

So in this lesson we talked about missed 888 we reviewed the media types. We talked about the types of sanitization, and there's three of them, which is clear, purge and destroy. And then we looked at the decision flow, which is tied back to those sanitization types, and I highly encourage you toe have a pretty good understanding of that decision flow.