NIST 800-88 Hard Drive Destruction

NIST 800-88 Department of Commerce

The National Institute of Standards and Technology (NIST) has developed Guidelines for Media Sanitization – NIST 800-88.  The NIST 800-88 publication is intended to assist organizations and IT system managers in making practical sanitization decisions based on the relative categorization and confidentiality of their information or data.  This page specifically deals with NIST 800-88 destruction decisions, techniques and documentation requirements associated with decommissioning IT equipment and disposing of digital media such as computer hard drives.

NIST 800-88 Data Destruction Decision

A recent survey on hard drive disposal best practice conducted by The ITAM Review shows that Information Security is overwhelmingly the strongest consideration when disposing of hard drives. Interestingly, 61% of the respondents did not follow a specific data destruction standard while 29% had no way of proving proper disposal or data destruction.

These statistics are bound to change in the future after companies get audited and fined $1,000 for each affected consumer by the FTC.  A lawsuit under the FCRA does not require proof of identity theft or any out-of-pocket losses.  The following flowchart summarizes the NIST 800-88 Sanitization and Disposition Decision Flow.

NIST Sanitization Decision Flow Chart

It is important to understand that the most severe rating from any category becomes the information system’s overall security categorization. Since we store customer and employee information we feel more confident shredding hard drives.


Data Destruction Techniques

NIST 800-88 Required Documentation

NIST 800-88 describes three methods for sanitizing hard disk drives, 1) erasing, 2) degaussing and 3) shredding.  NIST 800-88 considers physically shredding hard drives the most secure form of data destruction and should be used for all levels of confidential information.

The decision to erase or physically destroy hard drives should be based on your organization’s policies and procedures governing data security and destruction. Many business and organizations are now required to have a written Identity Theft Prevention Program per the Federal Trade Commission’s Red Flags Rule.

Conforming to NIST 800-88 guidelines requires proper documentation of data destruction or more commonly known as a Certificate of Destruction.  NIST 800-88 documentation requirements.