Secure Sanitisation Level (SSL) Impact Levels (IL0-6)
The main factors for any organisation to consider are the type of information held, the type of storage device the data is held on, and the confidentiality (security level) of the data.
First and foremost, identify the potential risk to data confidentiality: what would happen if the data fell into the wrong hands? Could it cause short-term embarrassment, or have a permanent damaging effect on the organisation? Could it cause financial loss, or impact on individuals within the organisation?
Secondly, decide on the process required: should the sanitisation process be applied in-house or externally sourced, and will any of the media be considered for re-use or for physical destruction? Also consider environmental issues, time scales and, above all, costs.
Clear: the process of overwriting with a series of 0's, then repeating the process using a series of 1's, and finally randomly writing a series of 0's and 1's. This process is suitable for:
- Hard Drives
- Network Hard Drives
- Printer Hard Drives
- Flash Hard Drive
- Zip, Jaz, Floppy, LS120 &
- USB and other Flash Media
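The three-pass Clear sequence described above, as an added example (not code from the original page, and not an assured overwrite product): it overwrites a constructed image file with zeros, ones (0xFF) and random data, and verifies each pass by comparing a hash of what was written against a read-back. The function names and the temporary image file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # bytes per write
PASSES = (("zeros", 0x00), ("ones", 0xFF), ("random", None))  # order given on the page

def overwrite_pass(fd, size, fill):
    """Overwrite the first `size` bytes; return SHA-256 of the bytes written."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while size > 0:
        n = min(CHUNK, size)
        buf = os.urandom(n) if fill is None else bytes([fill]) * n
        written = os.write(fd, buf)  # may be a short write
        digest.update(buf[:written])
        size -= written
    os.fsync(fd)  # push the pass out of the OS write cache
    return digest.hexdigest()

def read_back(fd, size):  # SHA-256 of the first `size` bytes as currently readable
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while size > 0:
        data = os.read(fd, min(CHUNK, size))
        if not data:
            break
        digest.update(data)
        size -= len(data)
    return digest.hexdigest()

def clear_media(path):
    """Run all three passes on `path`; return [(pass_name, verified)]."""
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        return [(name, overwrite_pass(fd, size, fill) == read_back(fd, size))
                for name, fill in PASSES]
    finally:
        os.close(fd)

def demo():
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"CONSTRUCTED SAMPLE RECORD\n" * 4096)  # constructed sample data
    try:
        results = clear_media(img.name)
        with open(img.name, "rb") as f:
            return results, b"CONSTRUCTED" in f.read()
    finally:
        os.unlink(img.name)
```

On a real device the read-back may be served from the operating system's cache, so a matching hash confirms the write path rather than what is physically stored.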
Purge: the process of degaussing. Degaussing involves passing magnetic media under a strong magnetic field, disrupting data patterns. Degaussing also destroys the firmware of Hard Drives, so it should not be considered if re-use is an option. This process is suitable for:
- Hard Drives
- Data Tapes - DAT, DLT, CCTV, Audio, Video, cassettes
Destroy: the process of destruction. Physical destruction involves disintegration, incineration or shredding. This is the ultimate media sanitisation method. The media is totally destroyed to particle sizes, 15mm to 6mm. This process is suitable for all the above media forms, plus:
- Optical media - CD's, DVD's, Blu-ray, HD DVD, mini discs
- DVD-RAM Discs
- Documents - Paper based
- Documents - Microfiche
- Plus many more
The standards below define a Secure Sanitisation Level at three different levels: SSL1, SSL2 and SSL3. Each SSL is related to the Impact Level (IL) of compromise of confidentiality and is defined below.
Impact Levels: Impact Levels relate directly to standard protective markings:

| Impact Level | Protective marking |
|---|---|
| Impact Levels 0-2 | PROTECT |
| Impact Level 3 | RESTRICTED |
| Impact Level 4 | CONFIDENTIAL |
| Impact Level 5 | SECRET |
| Impact Level 6 | TOP SECRET |

There is no equivalent set of markings for Integrity or Availability.
Each SSL has three Options:
- Clear
- Purge
- Destroy
This will enable organisations to make their own decisions, taking into account security, cost and environmental concerns, as to whether the items are to be re-used or physical destruction is the only option available to them.
Once the media that is to be re-used has been through the Sanitisation process, in line with the standards above and using the appropriate SSL, the media may be handled as shown in the table below.

| SSL | CLEAR | PURGE |
|---|---|---|
| 1 | IL0 - 2 No Change | IL0 - 2 may be handled as IL0 |
| 2 | IL3 - 4 No Change | IL3 - 4 may be handled as IL0 |
| 3 | IL5 may be handled as IL4; IL6 may be handled as IL5 | IL5 may be handled as IL2 or IL3; IL6 may be handled as IL3 or IL4 (Dependent on risk assessment) |

- SSL1 - this level is used for the Sanitisation of all storage media types that are storing data from IL0 - IL2
- SSL2 - this level is used for the Sanitisation of all storage media types that are storing data from IL3 - IL4
- SSL3 - this level is used for the Sanitisation of all storage media types that are storing data from IL5 - IL6

CLEAR

| SSL | Hard/Data Drives | USB Memory Sticks, Flash Media | CD's - DVD's |
|---|---|---|---|
| 1 | Overwrite with unassured products | CESG Manual S (Table 8A) | Use CD erase software |
| 2 | Overwrite with CC EAL 1 or CCT Mark Products | CESG Manual S (Table 8A) | N/A |
| 3 | Overwrite with CESG Lower or CC EAL 2 Products | CESG Manual S (Table 8A) | N/A |
SSL |
PURGE |
|
Hard/Data
Drives |
USB Memory Sticks,
Flash Media |
CD's - DVD's
|
|
1 |
Overwrite
with CC EAL 2 Products |
CESG
Manual S (Table 8A) |
N/A |
|
2 |
Overwrite with ATA Secure Erase or CESG
Higher Products |
CESG Manual S (Table 8A) |
N/A |
|
3 |
Overwrite
with CESG Higher Products |
CESG
Manual S (Table 8A) |
N/A |
|
SSL |
DESTROY |
|
Hard/Data
Drives |
USB Memory Sticks,
Flash Media |
CD's - DVD's
|
|
1 |
CBP |
|
2 |
Degauss at CESG Lower then/or CBP |
CESG Guidance or CBP |
|
3 |
Degauss at CESG Higher Products
then destroy to CESG
|
CESG Guidance
|
If you require more information or clarification on any of the Business Impact Level tables above, see the HMG Infosec Standards as defined by www.cesg.gov.uk