Government data protection standards are protected data

Data 'Sanitisation' Standard.

In five easy steps

1) Don appropriate PPE.

2) Remove hard drive(s) from PC/laptop being disposed of.

3) Remove casing of said drives.

4) Reduce drive platters to 5mm fragments using 1kg hammer.

5) Install new, clean replacement drive into equipment for disposal by sale, if required.

What about "shred"???

Jus' pop an Ubuntu live CD in there, and tell it to shred the entire drive. /dev/hda? Aint that to the quoted standard?

Child of 10 could do it. Buttock 'course, that'd be child labour....

(So could Paris - I needed to use that logo at least once in my life!)

How difficult is this....?

Look...this is easy. If you have an old computer, before it goes to eBay/the council tip or wherever, you take a couple of screws out and remove the hard drive. You then take a large and solid screwdriver (or similar) and a lump hammer, and use the hammer to smash the screwdriver straight through the drive. Then put remains of drive into recycling - NO-ONE is going to read that now! SSD drive? Try the shredder!

Face it, with the price of new drives so low, there is no need to hand over a working second-hand drive to anyone. For the cost of doing a thorough erase on the drive you can buy a new one! If a council wants to be charitable with its old computers then go out and buy a new drive to fit into its old computers before it gives them away.

Hmmm....I wonder if I could get a US patent on this process?

Paris 'cos even she could manage to follow these instructions.

“Wiping data” may sound easy...

It's not hard guys:

1) Boot Linux CD

2) Open console F12

3) sudo -i

4) shred -f -v -z /dev/sda

If local authorities employed professionals instead of numpties this wouldn't happen.

So it's on a need to know basis?

Bernard Woolley: "I'm not sure I can do that, Sir Humphrey. It might be confidential."

Sir Humphrey: "Bernard, the matter at issue is the defence of the realm and the stability of the government."

Bernard Woolley: "But you only need to know things on a need to know basis."

Sir Humphrey: "I need to know everything! How else can I judge whether or not I need to know it?"

Bernard Woolley: "So that means you need to know things even when you don't need to know. You need to know them not because you need to know them, but because you need to know whether or not you need to know. And if you don't need to know you still need to know, so that you know there is no need to know."

Shamelessly stolen from http://www.yes-minister.com/ypmseas2a.htm

New Zealand

seems to have let the cat out of the bag:

http://www.security.govt.nz/sigs/

albeit it has been translated into Ozzy/NewZealandese so we Brits can't understand it.

Is that MI5 knocking on the door I wonder?

CESG

Well, in a little over 60 seconds of web browsing, I found that CESG stands for Communications - Electronics Security Group. It's in their web site, in the About Us - History section.

It's hardly "serious spook territory" if it's published on their web site!!

Oops, is that the sound of a black helicopter approaching ....

Perghaps you should speak to these guys

Who seem to have their erasing software accredited by CESG:

http://www.blancco.com/eng/home/

Aye it is

Yup at local level it's piss poor.

@ Nigel Callaghan - re: How difficult is this....?

Paris Hilton's Lawyer just called, apparently she just smacked her hand with a Lump Hammer and wanted a quick word with you.

You can't just hammer hard drives in big companies

Can everyone suggesting the hammer tactic for old disks please shut up.

It just isn't feasible in a large company. We probably get through a few hard drives per day, so someone needs to be pretty much employed purely for opening boxes removing disks and hammering them. They'll need training, career development, holiday cover as well as all the proper safety equipment etc.

And when you're finished, what standard can you say applies to that hunk of metal. If my disk hammerer has had an off day, there might be platters unbent.

As for the nuts suggesting "shred". Just how much spare hardware/time do you have that you can make a linux distro that runs on all possible storage types. I've got at least 4 different types of SCSI disk nearby with several different proprietary mounting brackets. Along with IDE/ SATA/ SAS disks and CDs, videos 3 different tape formats and an assortment of USB and other flash memory devices. (e.g. Cisco internal flash memory. They don't have a PC interface for those)

The only way to be sure is a big, expensive, industrial shredder chopping down to about 3-5mm squares. It should be capable of chopping steel, aluminium, paper, hands or whatever else gets dropped in. Or a blast furnace like device to melt it all down to slag, then mix the slag, then put it through a shredder.

Restricted

The Restricted classification gets added to pretty much everything. Even kids joining the Air/Army/Sea Cadets get to see stuff with 'Restricted' on it, i.e. basic security information and procedures. Stuff of higher classification ends up in The Sun newspaper anyway, so it'll be available somewhere.

Flames cos they could always burn the drives...

Don't worry...

We'll find out their methods soon enough, someone's bound to leave the documents on the train again.

Thermite the drives

Title says it all really.

Not so hard to find...

Here you are: http://apec.isu.edu/pdf/nzsit207.pdf

AC: Hammering hard drives

Even paying someone to open boxes and smash the HDDs is going to be a lot cheaper than £980,000 http://news.bbc.co.uk/1/hi/business/6360715.stm

re: You can't just hammer hard drives in big companies

I work in the education sector and we have over the last few weeks replaced about a hundred desktops and disposed of a handful of old servers. I know that's not a massive scale but it's not insignificant. In most cases Shred worked fine, with a few we had to use other tools and there were a dozen or so failed drives that had to be physical destroyed.

Yes it is a pain and it takes time but it has to be done*. Its the "too much time" attitude that cause these leaks.

*Think of the Children** :P

** Actually its people thinking of the Children that cause us to have to wipe everything :D

Not rocket science

A quick web search would turn up plenty of open-source apps that would do the trick, but I guess that would be far too simple. Besides, it's irrelevant that no standards exist regarding the best methods of wiping data, when most data losses occur without any attempt to delete the data having taken place. If the data was encrypted in the first place, it would be rather less critical whether it was securely wiped or not.

Err...

...write random crap over the disc a few times (3, 7, 20, whatever).

Or, just take the HDD out and have it destroyed.

Of course, sensitive data shouldn't be stored in the clear in the first bloody place!

Labour - Failing the British public one disaster at a time

Degaussers are cheap as chips

3 seconds on google led me to this:

http://www.mediaduplicationsystems.com/Degausser_Hard_Drive_Degaussers_s/103.htm

$7K - £3.5K - About the same as ONE DESKTOP PC - actually for a bank, one desktop is charged at about £15K/year.

Its so fucking cheap you should be locked up for not using one.

Its just the government/labour party is so in hock to (not to mention in the pockets of) big business they can't tell them anything otherwise they will call in all their loans.

Sick as a parrot cos the ICO are so fucking weak, and the government couldn't give a shit.

We use one of these.

10 - 15 seconds per drive,

Sorted.

http://www.screwfix.com/search.do;jsessionid=NLPXBGPLEPSSSCSTHZOCFFA?_dyncharset=UTF-8&fh_search=54072&x=0&y=0

Govenrment Data Protection Standards

There are standards within UK Government covering this area. As you mention CESG does develop guidance in this area and does make an effort to distribute it, for instance HMG InfoSec Standard No. 5 (Secure Sanitisation of Protectively Marked or Sensitive Information). This publication aims to provide guidance on the management of these issues and includes useful information on some of the technical pitfalls of devices such as solidstate data storage media, for instance data leveling and downgrading of storage circuitry during manufacture, e.g. classing a defecive 1GByte chip as a 512MByte device, making data held on the device invisible to the operating system and standard file deletion applications. These publications tend to be exempt from Freedom of Information legislation, but are available to UK Government bodies. The trouble is, there is an awful lot of information available, not all of it is easy to find and not everyone thinks to look for it. Disclosure requests from non-UK Government bodies should be directed to infoleg@gchq.gsi.gov.uk

Let the flames commence

As always happens, as soon as the article with "data loss" in the first paragraph appears, everyone jumps on the bandwagon - "they should do X", "they should use Y", etc. etc.

Policy is a great thing; but only if it is understood and adhered to; I'd bet that there are still a lot of organisations that have no policy, and in those that do, the majority of staff don't know about it. Even in those that do have a policy, and where the staff know about it, there's a fairly good chance that it's not actually followed that well.

In this case, the item may have been stolen, so policy on destruction of data wouldn't have mattered a great deal (where it's located would be more appropriate).

Add to that, a lot of policy may have been written 3-4 years ago (or more) and could possibly be out of date as the hardware / practices have changed.

It also should be pointed out that any process for disposing of equipment has to satisfy the WEEE directives amongst others.

We none of us work in splendid isolation; but it's clear that many people have limited understanding of the challenges that other people in the industry have to face.

CESG Standards

The CESG standards are already in the public domain. ComputerAid International use Blancco software which the charities website says.....

"Blancco is widely accepted as the industry-leading data destruction software. It was the first software to receive CESG-certification to InfoSec 5 standard and meets all recognised international data destruction standards, including standards set by the UK's Communications Electronics Security Group (CESG) and by the US Department of Defence."

Maybe the councils don't know that a charity exists that takes their old computers does all the wiping/data destruction and then puts them to good use.

******slaps head in frustration

Smashing hard disks, government style!

Step 1. Send disks to National Data Disposal Centre (second class post)

Step 2. Oh, hmm...

@AC "You can't just hammer hard drives in big companies"

Why not use Darik's Boot & Nuke then? perfectly capable of standardised industry and government requirements for secure data destruction, and cheap too (try free if you only swing that way).

And if you're going to whine about needing proprietary brackets and having 3 different kinds of everything, then you just waited too long to get rid of those things and should be sacked for negligence if you can't hook that kit up reliably any more!

Industry standard in many (if not all) business environments demands you replace your hardware every 4-5 years to avoid unnecessary downtime, you have had PLENTY of time to find a technically and financially feasible way to maul those data carriers at the end of that time frame.

destruction

Ive seen the lump hammer scenario in use, but no screwdriver, anyone with experience of doing this will know the platters shatter like glass when thumped correctly. Success can be detected by tipping said drive from side to side, and listening for a noise not unlike sand pouring around inside...

There is also some nice boyo's in welsh wales running a furnace called "Secure destruction", that send you nice red heavy duty bin sized bags, and for a set fee per sack, guarantee said bags are tipped into their blast furnace furnace under protective guard. Any magnetic media, used tape drives with buffer chips and anything else that can retain a magnetic memory of the data can be dropped into the red bags and get sent off for gov assured destruction. Its how some very sensitive equipment is sanitized.

There will be someone at the council who has clearance for looking at "restrictive" marked documentation. Or one would hope they have someone. I believe being sc and needing to know is the requirements for this, although restrictively marked documentation can be made available to a none sc cleared individual to read on a need to know basis, provided they cannot take said documents away with them.

Its just sloppy as they have the tools, and there is british doc's available to them via channels I am not at liberty to discuss, poor IT, endless quango's and the computer decisions being steered by someone who had a spectrum once when they were a spotty oik but is in favor with the councilors. Councils are always the lowest of the low on the talent ladder, because anyone with any real knowledge is off being a grabbing contractor for a proper company ;)

- A grabbing contractor ;)

(byeline) "If we tell you, we'd have to shoot you"

For Fuc*ks sake, then tell my mother-in-law...Christ-on-a-bike!

<gorrit already. I'm off to t' pub. Oh, I'm already there. Must be t' curtains.>

Crap, I live in Charnwood!

...errr....now of course thanks to the council everyone knows that already! Complete and utter thick b*stards.

I didnt see this mentioned in the "How we are doing" council brochure.

I suspect that most if not all councils around the UK have lost data - or at least could not say for sure whether or not data 'has left the building' illegally.

* = a

Paris, cos I reckon she would make a great IT Security Strategist!