1.0 |
Identification Data |
1.1 |
BSP Number |
|
00017 |
1.2 |
BSP Title/Name |
|
Remove All Data from Workstations & Servers |
1.3 |
Version Number |
|
1.0 |
1.4 |
Adoption Date |
|
April 25, 2001 |
1.5 |
Approving Authority |
|
CIO Council Security Practices Subcommittee
(SPS) |
1.6 |
Responsible Organization |
|
United
States Agency for International Development (USAID), Bureau for Management,
Information Resources Management (M/IRM), Information Systems Security Team |
1.7 |
Level of BSP |
|
Candidate |
1.8 |
Security Processes or other
Framework(s) Supported |
|
Security Process Framework: SPF 2.6: Sanitize storage media
NIST Special Publication 800-14, Paragraph 3.4.6
|
1.9 |
Reserved |
1.10 |
Points of Contact |
|
Government BSP Owner: Yes, post this contact information with the publicly accessible BSP.
- James P. Craft, CISSP
USAID Information Systems Security Officer
Ronald Reagan Building
1300 Pennsylvania Ave.
Suite 2.12-032
Washington DC 20523-2120
Telephone No - 202-712-5460
Fax No. - 202-712-3053
E-mail jcraft@usaid.gov
Also: cassistance@usaid.gov
Vendor Partner: Yes, post this contact information with the publicly accessible BSP.
2.0 |
What This BSP Does |
2.1 |
BSP's Purpose |
|
This BSP describes how USAID removes all data, including sensitive but unclassified (SBU)
data, from PCs, workstations and servers that are being moved to a less secure environment
or to a new project with different need-to-know rules. The procedure has not been applied
to National Security Classified (Top Secret, Secret, Confidential) data. The procedure
"sanitizes" the equipment: it removes all data, including sensitive data in organized files
and in unused disk space, in such a way that recovery would require highly sophisticated,
expensive and time-consuming methods not available to most intruders. Treated equipment is
then safe for reloading and use with unclassified or non-sensitive data in an insecure
environment, and media that previously held sensitive files need not be destroyed. |
2.2 |
Requirements for this BSP |
|
- USAID Automated Directive System section ADS
545.3.2.4.t states: "The IT Specialist/ System Manager and
designated Information System Security Officer (ISSO) must ensure that
sensitive magnetic storage media used on Agency systems are not removed
from U.S. Government controlled premises for maintenance, credit, or
sale unless all information on the media has been sanitized. If a fixed
disk (e.g., fixed disk, disk cartridge, or disk pack) cannot be returned
to the vendor for credit, the IT Specialist/ System Manager must ensure
appropriate security procedures are followed when returning the damaged
disk to M/IRM for destruction. Sensitive magnetic storage media used
on Agency systems must be overwritten using overwrite procedures approved
by the ISSO for USAID or degaussed with a magnet approved by the ISSO
for USAID."
- Note: The parts of this Directive concerning storage media that cannot be properly
overwritten or degaussed before leaving U.S. Government control are especially important.
Regardless of current use, if a fixed disk has recorded sensitive information at any time in
the past, it must either be overwritten using this procedure, degaussed using approved tools
and procedures, or returned via trusted courier to the central M/IRM facility for
destruction. An unsanitized disk should never be removed from Government controlled premises
without proper authorization.
|
2.3 |
Success Stories |
|
These procedures have been used to remove all traces of data from a variety of equipment
being returned to service, including servers and workstations running all the common
operating environments (UNIX, Linux, Windows 9x and NT, and Banyan). All disks were verified
at the end of the sanitizing process and found to have no recoverable data. |
3.0 |
What This BSP Is |
3.1 |
Description of BSP |
|
The procedures in this BSP have been used to
treat workstations being removed from USAID-controlled premises to other, uncontrolled
locations such as warehouses or transportation vehicles to distant missions. They ensure
that no sensitive data are exposed to unauthorized agents while the equipment is beyond
USAID control. |
3.1.1 |
Inputs |
|
- Disk hardware specifications for each type of equipment to be sanitized.
- Inventory of servers and workstations to be sanitized, identified by tag or serial number.
- Disk wiping tools and associated user manuals (see 4.4, Tools).
- Disk manufacturers' standard base-level formatting utilities, for use in case the
sanitizing procedure fails to access a partition with manufacturer-specific protections
enabled (see 4.4, Tools).
- Permission-to-sanitize document for each machine or group, signed by the responsible ISSO.
|
3.1.2 |
Process |
|
Use the following procedure when the target workstation or server might contain a remnant
of information that no current user needs, or for which current users have no active access
authorization. After sanitization the target machine will require complete reloading of the
standard operating system and application suite before reassignment; the reloading operation
is outside the scope of this BSP. NOTE: After sanitizing, no normal disk rescue technique
will be able to retrieve any data or programs from the device. It is therefore important to
review machine contents and remove all possibly useful data before sanitization takes place.
The on-site ISSO should issue a permission-to-sanitize document for each machine, certifying
that this review and removal have been done. After permission has been issued, perform the
following steps (Steps 5 through 7 refer to the step numbers below).
1. Ensure that the machine identity on the sanitizing certificate matches the identity
tags on the subject machine. Initial the identity field on the certificate to show that you
have made this check.
2. Prepare bootable floppy disks as instructed by the sanitizing utility's user manual.
The sanitizing programs run in main memory, from floppy disks; because they destroy all
data on the hard drive, they cannot be run from it.
3. Perform the steps in Section 3.1.2.1 or 3.1.2.2, depending on the sanitizing tool in
use, using the existing low-level partition formatting on the disk.
4. Verify that no data remain on the disk, using a text search utility such as
DiskSearch32 by New Technologies Incorporated (Section 3.1.2.3) or Norton DiskEditor™ by
Symantec (Section 3.1.2.4). These utilities access the disk through the primitive BIOS
functions and bypass the logical volume or partition structure, which the sanitizing
operation has usually destroyed.
5. If the text search utility finds no remaining data, proceed to Step 8. If it finds
readable data, perform Steps 6 and 7.
6. A readable data residue has been found after sanitizing. Using the disk
manufacturer's proprietary formatting utility, for example Seagate SeaTools, reformat the
disk at the lowest level. Set the formatter to remove all logical partitions, including
those reserved for special functions such as boot or maintenance sectors.
7. Return to Step 3 and proceed as directed.
8. When no residual data can be found, initial the permission-to-sanitize document to
show that the process is complete. Return the sanitized machine(s) to their owner(s) and
collect a signed receipt for each, showing the machine inventory number(s), responsible
owner(s) and date of return.
9. Make a final report enclosing the permission-to-sanitize documents, listing the
machines sanitized and noting any abnormal events during the process.
10. Attach the signed return receipts to the final report, showing disposition of the
sanitized machines.
|
3.1.2.1 |
Norton - WipeInfo: |
|
The Norton WipeInfo utility is a component of Norton Disk Utilities, Release 4.0:
1. Boot the computer from the A:\ disk drive in DOS mode.
2. Insert the floppy disk with the WipeInfo utility and ensure that A:\ is the current
primary drive. Note: Booting from the A:\ drive should make it the primary device until
changed via keyboard input; this step simply confirms that the machine is following the
standard rules.
3. At the A:\> prompt, enter wipeinfo.
4. WipeInfo signs on. At the Main Menu screen, use the Tab key to select the Configure
sub-menu.
5. Using the Space Bar, select the Government Wipe option.
6. Tab to the other settings on the Configure menu and confirm that WipeInfo is
configured to overwrite 3 times, the setting for sensitive but unclassified data.
7. Tab to the Save Settings option and press Return to select it.
8. Return to the Main Menu screen and select the Drives sub-menu.
9. Use the Space Bar to highlight the drive to be cleaned (c:, d:, etc.). A check mark
appears by the drive once it is selected. (Note: Do this for each drive present.)
10. On the Drives sub-menu, confirm that the Wipe Entire Drive option is selected.
11. Select OK with the Enter key. This returns you to the Main Menu.
12. On the Main Menu, confirm the process by selecting Wipe with the Enter key.
13. Sanitizing of the selected hard drive proceeds. When the process completes, repeat
Steps 8 through 12 for each additional drive present.
14. When all drives are sanitized, sign and date the sanitization certificate for the
subject machine to show that the process has been done.
|
3.1.2.2 |
New Technologies Incorporated - Scrub™ |
|
1. Boot the computer in DOS mode.
2. Insert the floppy disk with the Scrub utility.
3. At the A:\> prompt, enter scrub /d:all/p:3/g (three is the standard number of passes
for sensitive-but-unclassified data).
4. When Scrub ends, sanitizing of the selected hard drive(s) is complete.
5. Sign and date the sanitization certificate for the subject machine to show that the
process has been done.
|
3.1.2.3 |
New Technologies
Incorporated DiskSearch32 |
|
This utility verifies that no readable data remain on the disk after the sanitize
operation.
1. Use a bootable floppy disk to boot the server or workstation in DOS mode. At the A:\>
prompt, insert the DiskSearch32 utility disk.
2. Type DS32 and press ENTER.
3. At the licensing and version information screen, press ENTER to Continue, or use the
right arrow key to move to the Quit key.
4. At the main menu screen, use the left and right arrow keys to move between pull-down
menus and press ENTER to pull down a menu. From the Drive pull-down menu, use the up/down
arrow keys to select the drive you wish to search. Press ENTER to confirm the selection.
5. From the Source pull-down menu, select the "File" option. This directs DiskSearch32 to
accept a keyword string from a floppy disk file and to record results in another floppy
disk file. Note: For this search, any readable ASCII character except the one selected as
the "fill" character during the wipe operation is of concern. The presence of non-fill
characters indicates that the wipe operation has missed part of the disk, and the wipe
will need to be repeated for the indicated sectors after the disk has been reformatted at
the lowest level.
6. From the Options pull-down menu, use the TAB key to highlight options and the ENTER key
to toggle menu items on/off. Under the "Outputs" options, select where you want the text
output to appear ("File" is recommended for most users). "Other options" allows you to
select sound alarm features, and "Skip System Area" allows you to designate areas of the
system that the search should bypass; the bypass feature will not operate on a disk that
has no defined partitions. Tab to OK and press ENTER to set your configuration.
7. When you select the Begin pull-down menu, a prompt asks for the name and path of the
keyword search file. Press ENTER and the default list appears in the Search Definition
Window, where you may edit the list or change the accuracy setting (the default is 100%).
Do not set this value below 50%, because the search results become too vague and generic
to provide useful output. If you have not created a keyword search list, you may do so now
in the Search Definition Window: make a list that includes the individual letters (except
for the letter used as the "fill" character, if that sanitization option has been chosen),
the digits, and commonly used special characters such as period, comma, backslash and
parentheses. It is recommended that you give your search list an eight-character DOS text
name that matches the name of the system you are searching (e.g., A:\AFR.TXT). After
creating a new list, tab to Save to disk and type the file and path name of the saved file
at the prompt. (Remember to direct this file to the A: disk; the hard disk is not formatted
for data.) Otherwise, tab to the OK button at the bottom of the window and press ENTER.
8. A prompt for a search output file name and path appears. Remove the DiskSearch32
utility disk from the floppy drive and insert the disk on which you are saving the search
output files. Enter the file and path name of the search output file, again choosing a
name that matches the name of the drive or system being searched (e.g., A:\AFRSRVR1.TXT).
Note: Search output file names must differ from the associated search keyword list file
names. Press ENTER to begin the search.
9. The End-of-Search dialog box appears when the search is complete. Press OK to end the
search and return to the main menu. Since there are no other logical disk partitions to
search, tab to the Quit pull-down menu and press ENTER to exit to the DOS prompt. Remove
the search output disk from the floppy drive. NOTE: The search process will hang if the
output disk is removed while a search is in progress. If the search output disk fills to
capacity before the search is complete, simply replace the disk and press OK to resume.
10. Use the NotePad utility to see whether any readable contents are reported in the
search output file. It should be empty when a sanitized disk has been searched. If it
contains entries, repeat main procedure Step 6 until DiskSearch32 finds no readable
characters on the sanitized disk. Note: The GREP32 utility may be used to scan the search
output file for specific character strings.
|
3.1.2.4 |
Symantec Norton DiskEditor™ |
|
This utility verifies that no readable data remain on the disk after the sanitize
operation.
1. Reboot the target system in DOS mode. Insert the DiskEdit diskette into the system
floppy drive.
2. At the A:\> prompt, type diskedit. A dialog box appears in front of the main menu
screen informing you that the program is in "Read Only" mode and that you should go to the
Configuration option of the Tools pull-down menu to enable "Write" mode. Press OK with the
ENTER key. The ESC key exits a dialog box or option at any time in this program.
3. At the main menu, use the ALT key to access the pull-down menu bar. Proceed to the
Tools menu (use the down-arrow key to open it) and select Configuration.
4. Press the space bar to deselect the Read Only option. Tab down to the Save button and
press ENTER to save your configuration update. Press OK when the message box informs you
of the save.
5. From the Object pull-down menu, select Drive. In the drive selection dialog box,
select the drive to be inspected for data. Tab to the Type dialog box and use the space
bar to select the Physical disks type. Tab to OK to save your selections.
6. From the Object pull-down menu, select Physical Sector. Using your search text output
file as a reference, enter the physical sector location (cylinder, side and sector values)
of the area you wish to inspect, toggle to the OK button and press ENTER. For the sector
number you may wish to enter a value less than the one listed in your search text output,
in order to find the beginning of the data area.
7. The sector you selected will probably appear as a hexadecimal display. To change this
to readable text, go to the View pull-down menu and select the as Text option.
8. You should see no readable text in this view. If readable text other than the
optional fill character appears, exit DiskEditor™ and return to main procedure Step 6.
Note: Norton DiskEditor™ has an optional sanitizing capability, which can be selectively
applied to a particular file identified by its physical disk address parameters (Cylinder,
Side and Sector values). This BSP does not use the sanitizing function.
9. To select a new disk drive for inspection, return to the Drive option on the Object
pull-down menu.
10. When you have completed all desired inspection, select Exit from the Object menu.
This returns you to the DOS prompt.
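The overwrite-then-verify loop of main procedure Steps 3 through 6, and the raw-sector search that DiskSearch32 and DiskEditor perform in Sections 3.1.2.3 and 3.1.2.4, as an added example in Python. This is not code from the BSP, from USAID, from New Technologies, Inc. or from Symantec; it is a stand-in that works on a raw block device or on a disk image file, so it can be run offline against the constructed image built in demo(). The pass pattern (0xFF, then random bytes, then the fill byte) and the names overwrite(), verify() and demo() are assumptions of this example, not the "Government Wipe" settings of the original tools. Like those tools it reads the device below the partition layer and reports the sector number of any residue, which is the value Step 6 of Section 3.1.2.4 asks for.

```python
"""Overwrite-and-verify for a raw disk or disk image (added example, not BSP code).

Pass pattern (0xFF, random, fill byte) is an assumption of this example, not the
"Government Wipe" pattern of NTI Scrub or Norton WipeInfo.
"""
import os
import re
import secrets
import tempfile

SECTOR = 512
CHUNK = 1024 * 1024                       # bytes per I/O call; a multiple of SECTOR
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # runs a text-search tool would flag
# Constructed sample content for the demo; not real data.
SAMPLE_SECRET = b"Mission cable 2001: project budget figures (SBU)"


def _read_full(fd, n):
    """Read up to n bytes, looping over short reads; b'' at end of device."""
    parts = []
    while n > 0:
        buf = os.read(fd, n)
        if not buf:
            break
        parts.append(buf)
        n -= len(buf)
    return b"".join(parts)


def _pass_buffer(index, passes, fill, n):
    """Last pass writes the fill byte; earlier passes alternate 0xFF and random."""
    if index == passes - 1:
        return bytes([fill]) * n
    return b"\xff" * n if index % 2 == 0 else secrets.token_bytes(n)


def overwrite(path, passes=3, fill=0x00):
    """Overwrite every byte of the device or image at `path` `passes` times.
    Returns the number of bytes written per pass."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)   # works for files and block devices
        for p in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                buf = _pass_buffer(p, passes, fill, min(CHUNK, remaining))
                view = memoryview(buf)
                while view:                   # os.write may write less than asked
                    view = view[os.write(fd, view):]
                remaining -= len(buf)
            os.fsync(fd)                      # land each pass on media before the next
    finally:
        os.close(fd)
    return size


def verify(path, fill=0x00, max_findings=50):
    """Scan the raw device (no partition table needed). Returns [(sector, sample)]
    for every sector holding any byte other than `fill`; `sample` is the first
    printable run in that sector, or b'' if the residue is not text. An empty
    list means the wipe reached every sector."""
    findings = []
    clean = bytes([fill]) * SECTOR
    fd = os.open(path, os.O_RDONLY)
    try:
        sector = 0
        while True:
            chunk = _read_full(fd, CHUNK)
            if not chunk:
                return findings
            for off in range(0, len(chunk), SECTOR):
                s = chunk[off:off + SECTOR]
                if s != clean[:len(s)]:
                    m = PRINTABLE.search(s)
                    findings.append((sector, m.group(0) if m else b""))
                    if len(findings) >= max_findings:
                        return findings
                sector += 1
    finally:
        os.close(fd)


def demo():
    """Constructed 64 KiB image: data present -> wiped clean -> one sector the wipe
    'missed' (the Step 6 failure mode) is reported with its sector number."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    image = bytearray(secrets.token_bytes(64 * 1024))
    image[8 * SECTOR:9 * SECTOR] = SAMPLE_SECRET.ljust(SECTOR, b"\x00")
    with open(path, "wb") as f:
        f.write(image)
    before = verify(path)
    overwrite(path, passes=3, fill=0x00)
    after = verify(path)
    with open(path, "r+b") as f:              # simulate a sector the wipe never reached
        f.seek(20 * SECTOR)
        f.write(b"PROJECT ALPHA BUDGET 2001")
    missed = verify(path)
    return before, after, missed


if __name__ == "__main__":
    before, after, missed = demo()
    print("before wipe: sector 8 holds", before[8][1])
    print("after wipe:", after)
    print("after simulated miss:", missed)
```

On a real drive, pass the device node instead of an image path and run with the privilege needed to open it raw. verify() is stricter than the keyword search in Section 3.1.2.3: any non-fill byte is reported, not only printable text, so binary residue is caught as well. Overwriting from the host reaches only the sectors the drive still exposes; reallocated sectors and, on flash media, remapped blocks are not rewritten, which is why the BSP falls back to low-level reformatting and, for media that cannot be overwritten at all, to degaussing or destruction.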
|
3.1.3 |
Outputs |
|
- Project after-action report, listing
the machines treated and any deviations from the standard process.
- Signed permission certificates
- Sanitized machines or signed receipts for their return to owners.
|
3.2 |
Relationship to Other BSPs |
|
A future BSP dealing with forensic investigation procedures will call for a disk
sanitizing sub-procedure, for which this procedure may be used. As other BSPs, for instance
those dealing with procedures for accessibility controls and need-to-know rules, are added
to the library, new relationships will be identified. |
4.0 |
How To Use This BSP |
4.1 |
Implementation Guidance
|
|
- Caution: Be sure that all possibly useful data has been removed from the candidate
machines before performing the sanitization process. Nothing intelligible will be left on
the treated disk drives at the end of the procedure.
- This process may be carried out either in a workshop or at a user's desk. The required
tools are a disk holding the sanitizing utility and a container (envelope, clipboard, etc.)
for the permission certificates; these are easier to carry than a group of workstations,
but if there is another reason to clear the office space the sanitization may be done at a
central location.
- The existing workstation operating system does not matter to the sanitizing process.
Sanitizing destroys all programs and data, and a fresh software suite (disk format, file
system, operating system and applications) must be loaded before the machine can be used
again.
- The New Technologies, Inc. Scrub utility is easier to use on machines equipped with more
than one logical hard disk drive when the task is to clear all data: one initiation
sequence can specify that "all" drives must be sanitized, and the program proceeds from
there. The Norton WipeInfo or DiskEdit utilities are preferable if only portions of a
machine must be cleared.
- Using batch script files can speed the job and reduce operator errors.
- Depending on the accessibility of the workstations, running several sanitizing
operations in parallel can save time. A separate kit of floppy disks is needed for each
operation, and the disks must remain installed in the subject workstations for the
duration of the process.
|
4.2 |
Implementation Resource
Estimates |
4.2.1 |
Personnel |
|
Contractor Technical Personnel:
- Salvage data: One, Full Time (see NOTE).
- Initiate sanitization operations: One, Part Time.
- Program run time: See Section 4.2.2. Technician intervention is required as noted.
Longer run times are associated with network file servers having multiple disks to be
sanitized.
- NOTE: The local ISSO must decide whether the contractor or a USAID staff person should
perform the data salvage task.
Contractor QA Personnel: One, Part Time, 0.25 staff-hours (verify technical approach,
record keeping and results).
USAID Affected Organization: One, Part Time, 1 to 3 hours per workstation (if the ISSO
decides that a USAID staff person should salvage useful data).
USAID Office of Security: One, Part Time, 1 to 2 hours (designate workstations, prepare
sanitization certificates, specify data to be salvaged).
USAID Facilities Management: One, Part Time, 0.5 to 1 hour (guide Contractor to selected
workstations or gather workstations into the shop).
USAID IRM: One, Part Time, 0.5 hour (POC for Contractor). |
4.2.2 |
Time |
|
Total time requirements vary with the volume of data to be salvaged from each workstation
and the number of workstations treated in parallel. Times are given for one workstation.
Stage | Average Duration per Workstation
Preparation |
- Select workstations, prepare certificates: 0.3 hours.
- Salvage useful data: 1 to 3 hours.
Execution |
- Operator starts sanitize utility: 0.25 hours.
- Sanitize utility run time: 2 hours per drive.
Wrap Up |
- Gather certificates, prepare final report: 1 hour per task.
- Total staff time: 1.25 to 3.25 hours per workstation plus 1 hour for the report.
- Total program run time: 2 to 9 hours per workstation.
|
|
4.3 |
Performance Goals and
Indicators (Metrics) |
4.3.1 |
General Goal: |
|
Assurance that equipment returned to service
after processing sensitive but unclassified data will not compromise that data. |
4.3.2 |
Performance Goal: |
|
Ensure that sensitive but unclassified data no
longer exists on target machines. |
4.3.3 |
Performance Indicators: |
|
- Sanitized workstations are seen to have no useful data on their hard disk
drives.
- Technician reports that all procedures completed successfully.
- Technician reports that one or more procedures terminated abnormally.
- Time required to perform all procedures.
- Quality Assurance review
|
4.4 |
Tools |
|
The following software tools are capable of performing the sanitizing task: Norton
WipeInfo (Section 3.1.2.1) and New Technologies, Inc. Scrub (Section 3.1.2.2).
The following software tools are capable of inspecting a newly sanitized hard disk drive
to ensure that no readable data remain on it: New Technologies, Inc. DiskSearch32
(Section 3.1.2.3) and Symantec Norton DiskEditor (Section 3.1.2.4).
|
4.5 |
Training Materials |
|
Not used |
Appendices |
A |
Executive Overview and
Briefing |
|
None available |
B |
Reference List |
|
None at this time |
C |
Procurement Information |
|
USAID has contracted for general
IRM support with CSC under the Agency's Principal Resource for Information
Management Enterprise-wide (PRIME) contract (GS00K96AJD0012) with FEDSIM.
USAID obtains its information system security support from CSC under the
PRIME contract using the Performance Work Statement (PWS) at AppendixC.doc
Norton Disk Utilities, Release 4.0, is available commercially. Norton DiskEditor is part
of the SystemWorks™ utility suite.
Products from New Technologies, Inc. are listed in the General Services Administration
catalog.
|
D |
Evaluation Information
|
|
Not yet evaluated |
E |
Recommended Changes
|
|
None applicable |
F |
Glossary |
|
None applicable. |