The Standard gives policy on managing the security risks that arise when computer storage media holding protectively marked or sensitive information is released for re-use or disposal within a secure environment, or is released into a less secure environment, whether for repair, exchange or recycling. When information is deleted from ICT equipment, it is not necessarily erased - the space is just freed up by the operating system and can be retrieved by specialist software or hardware. Additionally when data is overwritten the previous state may be recoverable.

This availability of previous information is called data remanence and the data may still be recovered by knowledgeable individuals. During the life cycle of ICT equipment it may be necessary to reuse component parts. At the end of the life cycle it will be necessary to dispose of the equipment in a manner that does not allow an adversary the opportunity to recover data. Finally, there are circumstances where access to equipment needs to be quickly denied to an adversary. The standard explains the technical effects of data storage and the steps that must be taken to securely sanitise storage devices. This may be done by procedures that achieve a clear, purge or destruction of the device. and is dependent upon the business impact level. Clearing and purging is generally performed where hardware is to be reused. Destroying is when the hardware is not to be re-used, or when access needs to be denied in an emergency. Different storage devices need to be treated in different ways and this standard sets out what needs to done in various circumstances for the different storage devices.

If you have a requirement that involves this Standard please contact us at standards@platinumsquared.co.uk

For more information from CESG, please visit www.cesg.gov.uk

Extracts taken from HMG Documentation. © Parts of this document are copyright, reserved and vested in the Crown.