It’s one thing to say you were born on a specific date. But organisations, like banks, only believe it if you can produce a birth certificate.
A data erasure certificate is the same. When someone takes your business to court over improper use of data, the certificate will save your reputation.
If you’re considering using software for data erasure, read this article first. We discuss:
- The meaning of data erasure
- Why you need a data erasure certificate
- Some key terms used when describing data erasure
- Data erasure certifying bodies
- Other questions that are bound to strike you
What is a Data Erasure Certificate?
A Certificate of Data Destruction (CoD) is an audit document. It guarantees that the information in a digital storage device has been destroyed.
The standards for issuing a data erasure certificate are defined by various governing bodies whose pivotal role is to protect the private data of the people. So there are various standards that the destruction method should adhere to.
The certificate should also contain certain specific information for it to be auditable. Here are the various details that a data erasure certificate must contain:
- A unique identifier
- Information of the storage device erased - Model, brand, and serial numbers
- Information about the data erasure method used
- Name of the data erasure software (if used)
- Name of Technician performing data destruction or sanitization
- Signature of the official verifying the disposal process
- Details of verification method used
- Results of the erasure details along with a status note
Why Do You Need A Data Erasure Certificate?
A data erasure certificate acts as proof of data wiping. It’s as simple as that. It assures that the data was destroyed in compliance with the data destruction standards.
Here are the 4 key benefits of a Certificate of Data Destruction:
- Assures 100% data protection
Data sanitization is the last step in the lifecycle of data. A data erasure certificate ensures that the last step has been completed effectively. As a result, the possibility of data leakage is negated.
- Ensures compliance is met
Every business is governed by standards and policies for how it must manage data. The standards are legally enforced. Some areas of compliance are:
- The duration of how long the data can be held
- The manner in which the storage device must be destroyed
A CoD ensures that the required compliances are met.
- Proves data destruction
The certificate of destruction proves that the data destruction strategy followed approved methods. This, in turn, gives all stakeholders peace of mind that their sensitive data is managed appropriately.
- Abides by NIST Mandates
NIST Cybersecurity Framework is considered the golden standard for data protection. A CoD is a part of the NIST SP 800-88 mandates.
Some Key Definitions: Validation, Standards
When we were talking about Data Erasure Certification, you would’ve noticed we mention Data Erasure Validation. Though they may seem like similar concepts, data erasure validation is different.
Validation is given by a third-party organisation. Since they will have nothing to do with your organisation, a data erasure validation is considered a better proof of erasure.
We also mentioned data destruction standards.
Data erasure standards are the rules that an organisation must abide by in its data management policy. To be eligible for a data erasure certification, the organisation should follow the standards.
Data Erasure Certifying Bodies
Certificates of Data Erasure are awarded by various bodies. Some operate internationally while others are region-specific.
A certified data erasure software issues a data eraser certificate. But for them to be able to do so, the data erasure software should adhere to the standards set by the certifying body.
For example, to be ‘NIST-certified’, the software you use for data destruction must adhere to NIST guidelines. BitRaser, for instance, is an NIST-tested and approved data erasure software.
Here are some of the data erasure certifying bodies:
- Common Criteria (ISO 15408)
The Common Criteria validates that a product satisfies a set of security requirements. It was developed as a collaborative effort of 6 countries.
This is the French National Cybersecurity Agency. The agency proposes guidelines for the protection of information systems.
NYCE is a National Standardization Organization based in Mexico. It provides recommendations and certifications worldwide for various industries including telecommunications and IT. BitRaser is an NYCE-certified data erasure software.
NIST was founded in 1901 and is a part of the U.S. Department of Commerce. Its Guidelines for Media Sanitizations is considered the worldwide benchmark.
Here are some third-party validations and endorsement bodies:
Standardization Testing and Quality Certification (STQC) Directorate is a Government of India service. STQC is a third-party certification agency that provides quality assurance certificates for a variety of industries. BitRaser Drive Eraser holds an STQC certification.
ADISA is a certifying body that provides asset disposal certificates to organisations. The IT Asset Recovery Certification scheme focuses on asset recovery and media sanitization. The ADISA Standard 8.0 is approved by the UK Information Commissioner's Office. BitRaser is tested and certified by the ADISA Claims Test.
Ontrack is a data recovery and management business. It also provides Data Erasure Verification endorsements. BitRaser has an Ontrack endorsement.
Data Erasure Certification: A must, not a compromise
Using data erasure software that follows guidelines is one thing. But the software should be able to provide you with a document that verifies that data is erased.
And even if software generates this report, it may not stand in a court of law unless it is auditable. The tool you use should be validated and certified by data privacy governing bodies.
Having this document can save your business from litigation and give your product more trust among users.
Data Erasure Certification: FAQs
Proof of erasure or proof of secure erasure (PoSE) is a protocol followed by embedded devices. The certificate proves to a verifying party that all its writable memory has been overwritten.
The PoSE is used to ascertain that no malware exists in an embedded device.
Most data erasure methods rely on passes, i.e. the number of times the device is overwritten. The Gutmann Algorithm uses 35 passes to overwrite data in a device. Hence, it is considered one of the best.
Physical data destruction, like degaussing, is also a fool-proof method of destruction for magnetic tape devices. But, this renders the device unusable.
There are typically four methods of data sanitization – physical destruction, data masking, data erasure, and cryptographic erasure.
Physical destruction uses methods like shredding or incineration to destroy the device.
Data Masking is a method where the data is essentially faked. It includes character shuffling, word randomization, and word replacement. This makes the data encoded.
Data deletion is when you remove a file from a visible location on the device. SHIFT+DEL is an example.
Data erasure wipes the data from the storage media. Erasure aims to make the file unrecoverable. Overwriting is a form of data erasure.
A certified data erasure software is the best way to erase data from devices.