ewaste security compliant data destruction
Contact Us

NIST 800-88 Hard Drive Destruction

How to incorporate NIST guidelines into your computer recycling program.Get Quote

NIST 800-88 Guidelines and Requirements

NIST 800-88 Guidelines for Media Sanitization is the technical standard for digital media data destruction.  These guidelines lay out the methods, verification procedures, and reporting requirements for proper data destruction in compliance with data privacy laws.  

Data privacy laws related to the healthcare, banking, consumer information, and credit industries all point to NIST 800-88 as best practices for data destruction.  HIPAA and the Red Flags Rule specifically name NIST 800-88 as the standard procedure for secure information destruction. The 3 rules for compliance.

Guidelines for media sanitization.

The 3 Keys to Compliance

#1. Destruction Method

To erase, degauss, or destroy is based on designated security level, risk of data breach and possibility of data recovery.

#2. Verification of Sanitization

Confirm and validate that the data destruction method was effective and data cannot be retrieved.

#3. Certificate of Destruction

Document the procedures taken, your decision for chosen method and evidence of destruction COD.

According to NIST 800-88 Guidelines for Media Sanitization, shredding hard drives is the most secure and compliant form of data destruction.

NIST 800-88 Certificate of Destruction

The Certificate of Destruction is one of most important documents for your records. Information should include the date, method, personnel, witnesses and third party vendor.

The E-Waste Security COD, shown below,  is the final step in larger Chain of Custody process.   A sample NIST Certificate of Destruction is available.

E-Waste Security NIST 800 reporting and Certificate of Destruction

A NIST 800-88 Certificate of Destruction requires linking the hard drive or SSD to the parent computer or server.  Details include make, model, serial number, and type.  Below is a sample Certificate of Destruction of ours.

E-Waste Security offers a NIST 800-88 Certificate of Destruction to help you comply with NIST 800-88 documentation requirements.

NIST 800-88 data destruction decision flow chart.

NIST 800-88 Data Destruction Decision

Compliance with NIST 800-88 data destruction requires organizations to make only two decisions.  The first, and most important, decision is determining how critical the information is to the company, its employees, and its customers.  The second is who will have access to the digital media after disposal.

Once those questions are answered, the NIST 800-88 decision tree states the method of digital media destruction.

Define Security Level

If the information became public, would it be detrimental or catastrophic to the company, employees, or customers?

In a practical sense, any loss of information would expose the company to fines, litigation costs, and reputational damage.

Control: Chain of Custody

Will the digital media leave your custody or control?  Once a hard drive or SSD is given to a third party it is considered “out of your control”.  It is irrelevant if the drive has been erased, wiped, or encrypted.

You and your organization are completely reliant on the vendor to protect the information.

Destruction Method

The NIST 800-88 data destruction decision tree is very clear; shred computer hard drives and SSDs before they leave your control.  

According to NIST 800-88, shredding hard drives is the most secure and compliant form of data destruction

NIST Sanitization Decision Flow Chart
hard Drive destruction projects for the City of Los Angeles
Hard drive destruction projects NASA in Pasadena
Hard drive destruction project for the Office of the Inspector General Health and Human Services
The city of irvine logo.
GE Healthcare

NIST 800-88: Hard Drive & SSD Destruction

Request Information