Overview
For more than 27 years Data Security Inc. has been manufacturing degaussers to support the Department of Defense (DoD) requirements for complete erasure of classified or sensitive magnetic storage devices. Data Security Inc.’s main focus is to develop and manufacture high performance degaussers and hard drive destruction devices that guarantee the complete erasure of data stored on existing and future magnetic data storage formats. Because of Data Security’s continuing focus on meeting National Security Agency (NSA) standards, we have developed a close working relationship with them. This relationship gives us insight into current and future media formats, as well as the various requirements for sanitizing them. Degaussers listed in the NSA Evaluated Products List-Degausser are ideal tools for organizations required to comply with DoD requirements, NISPOM, National Institute of Standards and Technology (NIST), Federal Information Security Management Act (FISMA) and privacy legislation, including the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). © 2010 Data Security, Inc.
Data at Risk
Data at risk: Classified or Sensitive (DoD, Defense Contractors); Proprietary Information; Personal Identity Information (SSN, Banking, Health care information).
Media at risk: Desktop Hard Drives; Laptop/Notebook Hard Drives; HDDs in storage array; Server Drive; External USB Drives; Firewire Drives; USB Devices; Magnetic Tapes; Flash Cards; CD & DVD.
Acquisition methods: Dumpster Diving; Acquire improperly sanitized electronic media; Laboratory reconstruction; Hot Swapped Media; Media in Transport; Theft.
“Developing countries do not have enough funding to catch up to developed countries, so they steal information and technology.” – FBI
“Identity theft costs $50 billion/year.” – Federal Trade Commission
Data at Risk – In the News
Electronic Afterlife: What you don’t want to know about improper computer disposal, but should. Hundreds of thousands of tons of E-waste are shipped overseas to developing countries each year, even after promises that the waste will be safely and locally recycled. Many of the countries receiving our E-waste are listed by the U.S. Department of State as the top sources of cyber crime. – Peter Klein, “Digital Dumping Ground” Documentary (2009)
PA: Health Insurer Loses Hard Drive Compromising 280,000 Medicaid Patients. Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan announced that a hard drive containing personal health information has been misplaced. Yet to be recovered, the drive contains patient addresses, DOBs, health information, and both full and partial Social Security numbers. – Jane M. Von Bergen, The Philadelphia Inquirer (October 2010)
TX: Stolen Hard Drive Compromises 79,000 Airline Employees. American Airlines reported a hard drive stolen from headquarters. The drive contains sensitive files for current and former employees dating back to 1960, including Social Security numbers, health insurance, and bank accounts. Some employee files also contained information on beneficiaries and dependents. – Angela Moscaritolo, SC Magazine (July 2010)
NJ: Data Breach Costs Credit Card Payment Company $130 Million. After agreeing to a $60 million settlement with Visa earlier in the year, Heartland Payment Systems has added another $41 million for MasterCard as the result of a 2008 data breach which resulted in thousands of fraudulent charges. – (June 2010)
Regulatory Environment
Regulatory Environment
The NIST “Guidelines for Media Sanitization” refer to the NSA for products to sanitize magnetic media. (NIST Special Publication , pg )
The HIPAA Security Rule (SR) requires the final disposition of information and of the hardware/electronic media on which it is stored; HIPAA refers to NIST/NSA. (Department of Health & Human Services, HIPAA § Physical safeguards; Final Rule)
Under the HITECH Act (“The Act”), business associates are now directly “on the compliance hook,” i.e. required to comply with the Security Rule (SR) or be fined for willful neglect ($250,000 per fine). (HITECH Act Sec. Application of Security Provisions and Penalties to Business Associates of Covered Entities; Annual Guidance on Security Provisions)
The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of personal information obtained from their customers by erasing, degaussing or destroying electronic media. (GLB Act, 15 U.S.C. et seq., and the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR Part 314 “Safeguards Rule”)
The Payment Card Industry (PCI) Data Security Standard directs that media containing cardholder data be destroyed when it is no longer needed, as follows: render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed (for example, degaussing). (PCI DSS Requirements and Security Assessment Procedures, V1.2.1, pg 46)
ISFO Process Manual Rev , page 152
ISFO Process Manual Rev , page 151. Note: The terms “Type I-III” are being replaced by the actual media coercivity rating.
Degausser Dictionary
de·gauss (d-gous) tr.v. de·gaussed, de·gauss·ing, de·gauss·es: 1. To neutralize the magnetic field of (a ship, for example). 2. To erase information from (a magnetic disk or other storage device).
Gauss: the CGS unit of magnetic flux density or magnetic induction.
Oersted: the CGS unit of magnetic field strength; the magnetic field produced at the center of a solenoid or coil… A magnetic field strength of one Oe is equivalent to a magnetic flux density of one gauss.
Coercivity: the amount of applied magnetic field required to reduce magnetic induction to zero… Coercivity is usually measured in Oersted…
Previous NSA Test Procedure
Current NSA Test Procedure
Center for Magnetic Recording Research at the University of San Diego, California (CMRR).
Goal: Guarantee that no data can be recovered by any means, including laboratory attack.
Test degaussers: Strength; Uniformity; Potential; Useful life; Stress Test (durability).
Test media: Coercivity of media; Guaranteed erasure; Uniformity of degausser field.
Current NSA Test Procedure
Current NSA Test Procedure: HD-5T on a 5000 Oersted disk (before/after images)
DoD Data Recovery Methods
Disk:
Spin-Stand Testers: Used for testing and experimenting with heads and disks; used mostly for R&D. The tester writes specific data or a servo pattern. Very accurate for analyzing raw disks; reading a disk that has been written by a drive is more challenging. Not cost-effective for routine data recovery.
Magnetic Force Microscopes (MFM): Best tool for analyzing magnetic data on disks; provides extraordinary imagery of the topology of disk properties. The probe is placed on the disk surface; time consuming. Excellent tool for reading overwritten data: overwritten tracks leave portions of previously written data due to head shift, physical movement of the drive, age of the disk drive, and deteriorating lubricants. Current technology used by the NSA.
Tape:
Ferrofluidic Imaging: A liquid which becomes strongly polarized in the presence of a magnetic field, composed of nanoscale ferromagnetic particles suspended in a carrier fluid, usually an organic solvent or water. Tape tracks are made visible by coating the tape with a ferrofluid that is magnetically developing.
Commercial Data Recovery Methods
Disk:
Assess disk drive. Operational: mirror data; create raw image to new media. Component failure: replace defective components; mirror data; create raw image to new media. Logical/software failure: examine raw image at the low-level data sectors; apply fixes to file system structure; access data; restore data.
Tape:
Assess tape media. Operational: test accessibility with lab equipment. Component failure: clean, splice and re-spool into new cartridge; create raw image from readable portions; examine low-level data sectors; determine tape fixes to format structures; access data; restore data.
NSA/CSS Evaluated Products List-Degausser
Introduction: The EPL-Degausser (Evaluated Products List – Degausser) specifies the model identification of current equipment units that were evaluated against and found to satisfy the requirements for erasure of magnetic storage devices that retain sensitive or classified data. Degaussers listed in this document are rated by the coercivity of the magnetic storage devices they can securely erase (tape and disk storage devices). Tape storage devices are defined as any product that contains magnetic tape as the recording medium. Disk storage devices are defined as any product that contains a flexible or rigid disk as the recording medium. Proper use of this equipment is necessary to prevent inadvertent disclosure of any level of classified or sensitive information. Any questions about equipment operations should be directed to the manufacturer.
Media Specifications: Hard Drive Coercivity Chart
Disk Recording
Longitudinal Recording: Each bit of information is represented by a collection of magnetized particles. North and south poles are oriented in one direction or the other, parallel to the disk's surface, in a ring around its center.
Perpendicular Recording: Poles are arranged perpendicular to the disk's surface. More bits can be packed onto a disk.
NSA/CSS Evaluated Products List-Degausser
9. Standalone Degaussers: These are standalone electromagnetic degaussers that provide automatic one pass operation for disk and tape storage device erasure. On hard disk drives, all extraneous steel shielding materials (e.g., cabinets, casings, and mounting brackets), but not the hard disk assembly, must be removed before degaussing. The degaussers must be operated at their full magnetic field strength. The erasure of hard disk drives causes damage that prohibits their continued use.
NSA/CSS Evaluated Products List-Degausser
HD-5T Degausser and DB-4000 Disk Drive Bender
DUO Key Features:
Listed on the National Security Agency (NSA) Evaluated Products List-Degausser (EPL-Degausser) NSA/CSS-EPL-9-12A.
Meets all NSA, DoD, state, federal, financial and health care regulations, mandates and security guidelines.
Simple, automatic operation; designed for reliability, performance, and operator safety.
Fast; a combined cycle time of seconds per cycle with a throughput of drives per hour.
Unique, internal Field CheckR provides magnetic field verification of the HD-5T degausser and satisfies requirements for degausser testing.
With the largest chamber in an automatic destruction device, the DB-4000 accommodates oversized media as well as multiple pieces per cycle.
Compact, lightweight and mobile; the optional cart provides the convenience of combining the degausser and destruction device in one place while providing effortless mobility.
Built to last; requires no preventative maintenance or expensive repairs.
HPM-2 Degausser and DB-6000 Disk Drive Bender
DUO Key Features:
Listed on the National Security Agency (NSA) Evaluated Products List-Degausser (EPL-Degausser) NSA/CSS-EPL-9-12A.
Meets all NSA, DoD, state, federal, financial and health care regulations, mandates and security guidelines.
Fast; a combined cycle time of seconds per cycle with a throughput of hard drives per hour.
Environmentally friendly solution; manual operation requires no electricity.
DB-6000 destruction device allows choice of power sources: a manual handle or the added speed and efficiency of a cordless drill (drill not included).
Compact, lightweight and mobile; the optional cart provides the convenience of combining the degausser and destruction device in one place while providing effortless mobility.
Built to last; requires no preventative maintenance or expensive repairs.
Degausser testing (Evaluated Products List-Degausser; ISFO Process Manual Rev , page )
Degaussers should be tested periodically using the timetable established by DSS and NSA. The degausser must be tested within six months after the initial “new” purchase or immediately if purchased used. Even products on the EPL must be re-tested twice a year for the first two years, then once a year thereafter. If the results are marginal, the degausser must be re-tested within six months.
The EPL (Evaluated Products List) – Degausser specifies the current models of commercial equipment that satisfy NSA/CSS requirements for erasure of magnetic storage devices retaining any level of classified or sensitive data. Listing on the EPL-Degausser does not constitute endorsement of the product by the USG or NSA/CSS; it only states that the evaluated degausser has met the applicable NSA/CSS performance requirements. Neither does the listing guarantee continued performance; customers should have their equipment re-tested periodically according to the manufacturer’s recommendations.
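The re-test timetable above is easy to get wrong when tracked by hand, so here is the same schedule encoded as a small Python helper. This is an added example, not code from Data Security, Inc. or from the ISFO manual; it assumes "six months" means 182 days and "one year" 365 days (an organisation's own policy may define these differently), and the purchase date in the usage block is constructed.

```python
from datetime import date, timedelta

# Intervals taken from the DSS/NSA timetable quoted on the slide. The day
# counts are an assumption standing in for "six months" and "one year".
SIX_MONTHS = timedelta(days=182)
ONE_YEAR = timedelta(days=365)
FIRST_TWO_YEARS = timedelta(days=730)


def first_test_due(purchase: date, bought_used: bool) -> date:
    """A new unit must be tested within six months of purchase; a used unit immediately."""
    return purchase if bought_used else purchase + SIX_MONTHS


def next_test_due(purchase: date, last_test: date, marginal: bool) -> date:
    """Due date of the test following `last_test`.

    A marginal result forces a re-test within six months. Otherwise the cadence
    is twice a year for the first two years after purchase, then once a year.
    """
    if marginal or last_test < purchase + FIRST_TWO_YEARS:
        return last_test + SIX_MONTHS
    return last_test + ONE_YEAR


def build_schedule(purchase: date, bought_used: bool, until: date) -> list:
    """Projected test dates up to `until`, assuming each test passes on its due date."""
    due = first_test_due(purchase, bought_used)
    schedule = []
    while due <= until:
        schedule.append(due)
        due = next_test_due(purchase, due, marginal=False)
    return schedule


def is_overdue(purchase: date, last_test: date, marginal: bool, today: date) -> bool:
    """True when the next required test date has already passed."""
    return today > next_test_due(purchase, last_test, marginal)


if __name__ == "__main__":
    # Constructed sample: a degausser bought new on 1 January 2010.
    bought = date(2010, 1, 1)
    for due in build_schedule(bought, bought_used=False, until=date(2013, 12, 31)):
        print(due.isoformat())
```

The schedule only tells you when a test is due; the result of each test (pass or marginal) still has to be recorded, because a marginal reading shortens the next interval regardless of how old the unit is.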
Field CheckR
Key Features: Listed in the National Security Agency Evaluated Products List-Degausser. Instantly verifies the magnetic field of any degausser. Designed to allow the user to test more often than annually or biannually.
Commercial Degaussers
Not listed in the NSA EPL-Degausser.
Magnetic field is not strong. General rule – Gauss (Oersted) applied to the media must be 2x Coercivity.
Advertised Gauss is measured at the core. Magnetic fields dissipate very rapidly from the magnetic core.
Disks located in the center of the HDD and at the top of the HDD are subjected to fields much weaker than the Coercivity of the media.
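To make the "2x coercivity" rule concrete, here is a short Python check that applies it platter by platter instead of at the core. This is an added example, not Data Security, Inc. code: it treats Oersted and gauss as interchangeable for the field in air (as the slide's dictionary does), and the inverse-cube falloff, the 1 cm scale length, the platter offsets and the 2500 Oe coercivity are an assumed, constructed model standing in for a measured field profile and the real coercivity chart.

```python
REQUIRED_MULTIPLE = 2.0  # general rule from the slide: applied field >= 2 x coercivity


def required_field_oe(coercivity_oe: float) -> float:
    """Field the media must actually see, in Oersted."""
    return REQUIRED_MULTIPLE * coercivity_oe


def field_at_distance(core_field_oe: float, distance_cm: float, scale_cm: float = 1.0) -> float:
    """Assumed toy falloff: the field drops with the cube of distance from the core,
    as a dipole field does. Replace with measured values for a real unit."""
    return core_field_oe / (1.0 + distance_cm / scale_cm) ** 3


def meets_rule(field_oe: float, coercivity_oe: float) -> bool:
    return field_oe >= required_field_oe(coercivity_oe)


def assess_drive(core_field_oe: float, coercivity_oe: float, platter_offsets_cm: dict) -> dict:
    """Per-platter verdict: {platter name: (field at that platter, meets 2x rule)}."""
    verdicts = {}
    for name, offset_cm in platter_offsets_cm.items():
        field = field_at_distance(core_field_oe, offset_cm)
        verdicts[name] = (round(field, 1), meets_rule(field, coercivity_oe))
    return verdicts


def sanitizes_whole_drive(core_field_oe: float, coercivity_oe: float, platter_offsets_cm: dict) -> bool:
    """The drive counts as erased only if every platter, not just the core, meets the rule."""
    return all(ok for _, ok in assess_drive(core_field_oe, coercivity_oe, platter_offsets_cm).values())


# Constructed sample: distance of each platter from the degausser core, in cm.
PLATTERS_CM = {"bottom": 0.5, "center": 1.0, "top": 1.5}

if __name__ == "__main__":
    advertised_core_oe = 10000.0   # constructed "advertised gauss" figure
    media_coercivity_oe = 2500.0   # constructed coercivity, not from the slide's chart
    print("core passes:", meets_rule(advertised_core_oe, media_coercivity_oe))
    for name, (field, ok) in assess_drive(advertised_core_oe, media_coercivity_oe, PLATTERS_CM).items():
        print(f"{name:>6}: {field:8.1f} Oe  {'OK' if ok else 'TOO WEAK'}")
    print("whole drive erased:", sanitizes_whole_drive(advertised_core_oe, media_coercivity_oe, PLATTERS_CM))
```

With these constructed numbers the core reading clears the 2x rule comfortably while every platter fails it, which is exactly the gap the slide warns about; the only defensible input to `assess_drive` is a field measured at the media position by a verification tool, not the figure on the box.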
Storage
Excess media storage is a security risk. Additional inventory of excess media requires additional administrative procedures, storage space and labor necessary to control. Without adequate storage or sanitization procedures, classified magnetic media is often stored in obscure locations (behind bookshelves, false bottoms in desk drawers), increasing the risks associated with storing classified information. Media with large storage capacity and small physical size can be easily removed by employees (e.g., LTO III 400 GB, SDLTII 300 GB, VXA 160 GB).
Overwrite Challenges
Destruction: Paper, Optical, Key Tape, HDD after Degaussing
The National Security Agency (NSA) provides Media Destruction Guidance. The NSA has determined that High Security Disintegrators listed on the Evaluated Products List provide adequate security for the destruction of paper, optical media (CDs and DVDs), and punched tape as annotated on the EPL. For destroying paper only, a list of evaluated High Security Crosscut Paper Shredders is available. For sanitizing magnetic media, a list of evaluated degaussers is available.
NSA Guidance: “it is highly recommended that the hard disk drive be physically damaged prior to release.” (NSA/CSS Storage Device Declassification Manual)
NSA Evaluated Products List - HDD Destruction Devices, post degaussing, pending publication.
Department of Navy Processing of Magnetic Hard Drive Storage Media for Disposal says all DoN-owned magnetic hard drive storage media will remain in DoN custody until degaussed and destroyed. Destruction can be as simple as bending the hard drive. (DON CIO Privacy Term, August 5, 2010)
Destruction After Degaussing
Ranked from least secure: Punched, Folded, Shredded. Shredding is the NSA preferred physical destruction method, but it is time consuming, expensive, and the equipment requires frequent repairs.
Destruction: Solid State Media
NSA Guidance: Destruction to 2 mm particle size.
SSMD-2mm
Key Features:
Meets National Security Agency (NSA) and Department of Defense (DoD) specification for the destruction of solid state media and optical media to 2 mm.
Unique dual stage disintegration process destroys solid state storage media (memory cards, memory boards, thumb drives, cell phones, tablets, solid state drives) and optical media (CDs, DVDs, Blu-Ray disks).
Simple, automatic push button operation, designed for reliability, performance, and operator safety.
Senses and automatically adjusts to clear and prevent jams.
Parts are designed for reuse, and easily rotate for an additional use, resharpening or quick replacement.
Compact and clean, ideal for any setting, including offices.
Data Security, Inc. Contact us: Q Street, Lincoln, NE; datasecurityinc.com