4. Risk Considerations

Copyright (c) 1996 Management Analytics - All Rights Reserved

Many risks should be considered when reuse or release of AIS storage media is anticipated. AIS security personnel, operations personnel, users, and other designated responsible persons should be aware of these risks before attempting to declassify or make any decision to release storage media.


The risk of compromise of sensitive data increases when AIS storage media is released for any reason outside of the controlled environment. Personnel should consider the media's destination when evaluating this risk.


Version 1 of this document reported that magnetic media stored for either an extended period of time or under high temperature conditions (120 degrees Fahrenheit or greater) becomes more difficult to degauss or erase. Additional research is in progress to validate the effects of heat and age on the erasure process. [14]


Some of the early disk drives required manual alignment of read/write heads. The effectiveness of an overwrite on this technology base may be reduced because of equipment failure or mechanical faults, such as misalignment of read/write heads. Hardware preventive maintenance procedures should be done on schedule, and records should be maintained in an effort to prevent this problem.


A compromise of sensitive data may occur if media is released when an addressable segment of a storage device (such as unusable or "bad" tracks in a disk drive or inter-record gaps in tapes) is not receptive to an overwrite. As an example, a disk platter may develop unusable tracks or sectors; however, sensitive data may have been previously recorded in these areas. It may be difficult to overwrite these unusable tracks. Before sensitive information is written to a disk, all unusable tracks, sectors, or blocks should be identified (mapped). During the life cycle of a disk, additional unusable areas may be identified. If this occurs and these tracks cannot be overwritten, then sensitive information may remain on these tracks. In this case, overwriting is not an acceptable purging method and the media should be degaussed or destroyed.


Overwriting is an effective method of clearing data. In an operational system, an overwrite of unassigned system storage space can usually accomplish this, provided the system can be trusted to provide separation of system resources and unauthorized users. For example, a single overwrite of a file (or all system storage, if the circumstance warrants such an action) is adequate to ensure that previous information cannot be reconstructed through a keyboard attack. Note: Simply removing pointers to the file will not generally render the previous information unrecoverable. Software used for clearing should be under strict configuration controls. See A Guide to Understanding Configuration Management in Trusted Systems for additional information on this subject. [7]


The DoD has approved overwriting and degaussing for purging data, although the effectiveness of overwriting cannot be guaranteed without examining each application. If overwriting is to be used in a specific application, software developers must design the software such that the software continues to write to all addressable locations on the media, in spite of intermediate errors. All such errors in usable sectors should be reported with a listing of current content. In addition, unusable sectors must be completely overwritten, because the unusable sector list will not show whether the sector ever contained any sensitive data. If any errors occur while overwriting or if any unusable sector could not be overwritten, then degaussing is required.

There are additional risks to trusting overwrite software to purge disks. The environment in which the software must operate is difficult to constrain. For this reason, care must be exercised during software development to ensure the software cannot be subverted. The overwrite software should be protected at the level of the media it purges, and strict configuration controls should be in place on both the operating system the software must run under and the software itself. The overwrite software must be protected from unauthorized modification. [7]
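The two overwrite risks above, removing only the pointers to a file and overwrite software that stops at the first error or skips unusable sectors, are illustrated by the following added example. It is not code from the guide or from any DoD overwrite utility; it runs against a constructed in-memory block-device model (`SimDisk`, hypothetical) rather than real hardware, and the sector size, sample file contents and fault locations are all constructed for the demonstration. The overwrite routine continues through intermediate errors, reports each failed usable sector with its current content, attempts the unusable sectors too, and marks the media as requiring degaussing if anything could not be overwritten.

```python
from dataclasses import dataclass, field

SECTOR_SIZE = 8  # constructed sector size, kept small so contents stay readable


@dataclass
class SimDisk:
    """Constructed model of a block device (hypothetical, not real disk I/O).

    sectors:    raw contents of each addressable sector
    write_fail: sectors whose writes fail (simulated media defects)
    unusable:   sectors the controller has already mapped as unusable
    directory:  file name -> list of sectors, i.e. the 'pointers' to a file
    """
    sectors: list
    write_fail: set = field(default_factory=set)
    unusable: set = field(default_factory=set)
    directory: dict = field(default_factory=dict)

    def write(self, n, data):
        if n in self.write_fail:
            raise OSError(f"write error at sector {n}")
        self.sectors[n] = data

    def read(self, n):
        return self.sectors[n]


def make_disk(nsectors=8):
    return SimDisk(sectors=[b"\x00" * SECTOR_SIZE for _ in range(nsectors)])


def create_file(disk, name, payload):
    """Store payload in the lowest free sectors and record the pointers."""
    used = {s for lst in disk.directory.values() for s in lst}
    free = [i for i in range(len(disk.sectors)) if i not in used]
    chunks = [payload[i:i + SECTOR_SIZE].ljust(SECTOR_SIZE, b"\x00")
              for i in range(0, len(payload), SECTOR_SIZE)]
    if len(chunks) > len(free):
        raise OSError("disk full")
    alloc = free[:len(chunks)]
    for s, c in zip(alloc, chunks):
        disk.write(s, c)
    disk.directory[name] = alloc
    return alloc


def delete_pointer_only(disk, name):
    """The 'simply removing pointers' case: drop the directory entry and
    leave every sector's contents untouched."""
    return disk.directory.pop(name)


def residual_data(disk, sectors):
    """Raw read of the sectors a deleted file occupied; this is what survives
    a pointer-only delete and is recoverable through ordinary device access."""
    return b"".join(disk.read(s) for s in sectors)


def overwrite_all(disk, pattern=b"\x00"):
    """Overwrite every addressable sector, continuing past intermediate
    errors. The report lists each failed usable sector with its current
    content, each failed unusable sector, and whether degaussing is required."""
    fill = (pattern * SECTOR_SIZE)[:SECTOR_SIZE]
    report = {"failed_usable": {}, "failed_unusable": [], "degauss_required": False}
    for n in range(len(disk.sectors)):
        try:
            disk.write(n, fill)
        except OSError:
            if n in disk.unusable:
                report["failed_unusable"].append(n)
            else:
                report["failed_usable"][n] = disk.read(n)
    # Any sector left unwritten, usable or not, means overwriting was not an
    # acceptable purge: the media must be degaussed or destroyed instead.
    report["degauss_required"] = bool(report["failed_usable"] or report["failed_unusable"])
    return report


def demo():
    """Walk through both risks on one constructed disk."""
    disk = make_disk()
    alloc = create_file(disk, "secret.txt", b"SECRET DATA 1234")  # constructed sample
    delete_pointer_only(disk, "secret.txt")
    leftover = residual_data(disk, alloc)  # the whole file is still there
    # Later in the disk's life one of those sectors goes bad and is mapped
    # unusable, and a further (usable) sector develops a write fault.
    disk.write_fail.update({alloc[1], 5})
    disk.unusable.add(alloc[1])
    report = overwrite_all(disk, b"\xff")
    return leftover, report, disk


if __name__ == "__main__":
    leftover, report, disk = demo()
    print("residual after pointer-only delete:", leftover)
    print("overwrite report:", report)
```

In the demo the second half of the deleted file sits in a sector that was later mapped unusable; the overwrite cannot reach it, so the report flags that sector and sets `degauss_required`, which is exactly the case the text says overwriting cannot handle. The failed usable sector is reported together with its current content so the operator can judge what was exposed.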


Leased equipment containing nonremovable magnetic storage media should not be returned to the vendor unless the media is declassified using an approved procedure. Problems may be encountered obtaining warranty repair service or returning the equipment at termination of lease. Contractual maintenance agreements should address the issue of degaussed media and its effect on equipment warranties.


Proper purging is especially important in relation to maintenance, whether routine or not. Purge procedures should be conducted and the device declassified before uncleared personnel undertake maintenance actions. If purging is impractical, prohibitively expensive, or could destroy the device, then precautions should be taken to reduce the threat to sensitive information on the device. Maintenance actions should be observed by an individual who has been provided with guidance so that improper actions can be discerned and unauthorized disclosure can be prevented.

If test and diagnostic equipment (T & DE) is used on an AIS that has not been purged, there is a possibility that the T & DE can capture sensitive information. To prevent unauthorized disclosure, the T & DE should either be purged after use or remain safeguarded at the highest level of information resident on the AIS.

For example, if a sensitive disk drive is serviced, the escort official should know that the maintenance person is not allowed to remove the damaged disk from the facility. The escort also should be capable of identifying when a maintenance person has altered the protective characteristics of the device.


AIS storage media may have contained information so sensitive that authorities decided to never allow declassification of the AIS or its storage media. Examples of such sensitive information are communications security (COMSEC) information marked CRYPTO or Single Integrated Operational Plan (SIOP) information. In these cases, the holder of the media should not attempt to declassify or release the media except as directed by proper organizational approving authorities. [9] Destruction may be the only alternative to indefinite storage of such highly sensitive media.


Although degaussing is the best method for purging most magnetic storage media, it is not without risk. Degaussers can be used improperly. For example, the media may be removed before the degaussing cycle is complete. Also, degaussers can fail or have a reduced capability over time. Good degausser design can alleviate much, but not all, of this risk. This risk can be mitigated by periodic testing (see Section 3.5, "Degaussing Equipment Failure").

Mistakenly using a Type I degausser to purge Type II tape is another risk. Type I degaussers cannot purge Type II tape. Magnetic tape should have a label applied to the reel that identifies the coercivity of the media, because coercivity cannot always be distinguished by physical appearance. Strict inventory controls should be in place to ensure tapes can be identified by type so the correct purge procedure is used. If type labels are used, they should not be removed from the reel unless the tape is cut from the reel or the reel itself is destroyed. Labels that show classification should not be removed from the reel until the media is declassified. See Section 3.3, "Labeling Tapes," for more information about labels.
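The degaussing risks in this section (a unit that has failed or drifted since its last periodic test, a degausser not rated for the tape's coercivity, and media that may never be declassified) can be folded into a single pre-purge check. The following is an added example, not code or procedure from the guide: the inventory records, degausser ratings, coercivity figures and 90-day test interval are all constructed or assumed for illustration, and the `Tape`, `Degausser`, `purge_decision` and `plan_batch` names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Tape:
    reel_id: str
    coercivity_oe: int              # read from the type label on the reel
    classification: str
    never_declassify: bool = False  # e.g. COMSEC CRYPTO or SIOP holdings


@dataclass(frozen=True)
class Degausser:
    model: str
    rated_coercivity_oe: int        # assumed rated capability of the unit
    last_test: date                 # most recent periodic test
    last_test_passed: bool


TEST_INTERVAL = timedelta(days=90)  # assumed test interval, not from the guide


def purge_decision(tape, degausser, today):
    """Return (allowed, reason); each refusal corresponds to a risk in the text."""
    if tape.never_declassify:
        return False, "designated never to be declassified; refer to approving authority"
    if not degausser.last_test_passed:
        return False, f"{degausser.model} failed its last periodic test"
    if today - degausser.last_test > TEST_INTERVAL:
        return False, f"{degausser.model} periodic test overdue"
    if tape.coercivity_oe > degausser.rated_coercivity_oe:
        return False, (f"{degausser.model} rated {degausser.rated_coercivity_oe} Oe "
                       f"cannot purge {tape.coercivity_oe} Oe media")
    return True, f"degauss with {degausser.model}"


def plan_batch(tapes, degaussers, today):
    """For each reel, pick the first degausser that passes every check;
    reels with no acceptable unit are held back with the last refusal reason."""
    plan = {}
    for tape in tapes:
        outcome = (False, "no degausser available")
        for dg in degaussers:
            outcome = purge_decision(tape, dg, today)
            if outcome[0]:
                break
        plan[tape.reel_id] = outcome
    return plan


def demo(today=date(1996, 6, 1)):
    # Constructed inventory and equipment log; the coercivity numbers are
    # illustrative values, not the guide's type definitions.
    tapes = [
        Tape("R-001", 300, "SECRET"),
        Tape("R-002", 700, "SECRET"),
        Tape("R-003", 300, "TOP SECRET", never_declassify=True),
    ]
    degaussers = [
        Degausser("DG-A", 350, date(1996, 5, 1), True),
        Degausser("DG-B", 750, date(1996, 1, 15), True),  # test overdue
    ]
    return plan_batch(tapes, degaussers, today)


if __name__ == "__main__":
    for reel, (ok, why) in demo().items():
        print(reel, "PURGE" if ok else "HOLD", "-", why)
```

In the constructed batch, R-001 is cleared for the low-rated unit, R-002 is held because the only unit rated for it is overdue for testing, and R-003 is held regardless of equipment because it is flagged as never-to-be-declassified. The check reads coercivity from the inventory record rather than from the reel's appearance, which is why the text insists that type labels stay on the reel.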