Introduction

Top - Help
Copyright(c), 1996 Management Analytics - All Rights Reserved


Data remanence is the residual physical representation of data that has been in some way erased. After storage media is erased there may be some physical characteristics that allow data to be reconstructed. This document discusses the role data remanence plays when storage media is erased for the purposes of reuse or release.

Various documents have been published that detail procedures for clearing, purging, declassifying, or destroying automated information system (AIS) storage media. [1,2,4, 5, 6, 8,9,13 and 16] The Department of Defense (DoD) published DoD Directive 5200.28, Security Requirements for Automated Information Systems, [17] and its corresponding security manual DoD 5200.28-M, Automated Data Processing Security Manual, [1] in 1972 and 1973, respectively. These two documents were amended in 1979, in response to the Defense Science Board Task Force recommendation to establish uniform DoD policy for computer security requirements, controls, and measures. The directive was again revised in March 1988, and efforts are underway to revise the manual.

DoD 5200.28-M addresses DoD requirements for the secure handling and disposal of AlS memory and secondary storage media. While the Department of Defense requires the use of DoD Directive 5200.28 and DoD 5200.28-M by DoD components, the heads of DoD components may augment these requirements to meet their needs by prescribing more detailed guidelines and instructions provided they are consistent with these policies. DoD contractors and subcontractors who participate in the Defense Industrial Security Program (DISP) are required to comply with DoD 5220.22-M, Industrial Security Manual for Safeguarding Classified Information. [8] The Defense Investigative Service is responsible for the promulgation of the policy reflected in DoD 5220.22-M. Unlike these policy documents, A Guide To Understanding Data Remanence In Automated Information Systems does not provide requirements.

Sometime during the life cycle of an AIS, its primary and secondary storage may need to be reused, declassified, destroyed, or released. It is important that security officers, computer operators, and other users or guardians of AS resources be informed of the risks involving the reuse, declassification, destruction, and release of AlS storage media. They also should be knowledgeable of the risks inherent in changing the sensitivity level of AS storage media or of moving media from an installation with a specific security posture tone that is less secure. They should use proper procedures to prevent a possible disclosure of sensitive information contained on such media. ("Sensitive" in this document refers to classified and sensitive but unclassified information.) The procedures and guidelines in this document are based on research, investigation, current policy, and standard practice.

This guideline is divided as follows: Section 2 provides information on using this guideline and introduces DoD terminology. Section 3 discusses the use of degaussers and references the Degausser Products List (DPL), a listing of DoD evaluated degaussers. Section 4, "Risk Considerations," has information similar to that found in version 1 of this document, except for the modification of Section 4.2, "Effects of Heat and Age," and the addition of information on overwriting and degaussing. Section 5 addresses DoD endorsed erasure standards. Recently developed storage technologies and disk exercisers are discussed in Section 6. Section 7 addresses areas needing further investigation and provides references to additional information on the science of magnetics, as it pertains to magnetic remanence.

1.1 PURPOSE

The purpose of this publication is to provide information to personnel responsible for the secure handling of sensitive AlS memory and secondary storage media. (However, this guidance applies to any electronic or magnetic storage media, e.g., instrumentation tape.) This guideline provides information relating to the clearing, purging, declassification, destruction, and release of most AlS storage media. While data remanence is not a directly evaluated criterion of trusted computing systems, it is an issue critical to the safeguarding of information used by trusted computing systems and, as such, is addressed in thA5 National Computer Security Center (NCSC) guideline. The NCSC publishes this doAcument because the community using trusted computing systems has expressed the desire for this information. Additionally, readers should note that this is a guideline only and they should not use it in lieu of policy.

1.2 HISTORY

As early as 1960 the problem caused by the retentive properties of ASI storage media (i.e., data remanence) was recognized. It was known that without the application of data removal procedures, inadvertent disclosure of sensitive information was possible should the storage media be released into an uncontrolled environment. Degaussing, overwriting, data encryption, and media destruction are some of the methods that have been employed to safeguard against disclosure of sensitive information. Over a period of time, certain practices have been accepted for the clearing and purging of AIS storage media.

A series of research studies were contracted by the DoD to the Illinois Institute of Technology, Research Institute and completed in 1981 and 1982. They have confirmed the validity of the degaussing practices as applied to magnetic tape media. [19] Additional research conducted at the Carnegie-Mellon University using communication theory and magnetic modeling experiments designed to detect digital information from erased disks has provided test data on the erasability of magnetic disks. [11, 21, and 22] This work, along with DoD research that has not yet been released, provides the basis for the disk degaussing standard. More studies are planned or underway to ensure the adequacy of DoD degaussing standards.

On 2 January 1981, the Director of the National Security Agency assumed responsibility for computer security within the Department of Defense. As a result, the Department of Defense Computer Security Center (DoDCSC), officially chartered by DoD Directive 5215.1, was established at the National Security Agency. (3] The DoDCSC Division of Standards (now Division of Standards, Criteria, and Guidelines) was subsequently formed and tasked to support a broad range of computer security related subjects. The DoDCSC became the NCSC in 1985, as amended in National Security Decision Directive 145. [15] As part of its mission to ?guard? information useful for the secure operation of AISs, the NCSC published the Department of Defense Magnetic Remanence Security Guideline, which is version T of this guideline.