(Note: You may click on each document listed below to link to a page containing only that document. For any problems or questions, contact Dave Bickel at (410) 767-5219 or via email at bickeld@MDH.state.md.us )
Data Remanence Protocol Related Documents
Implementation Memo - Issued by IRMA Director; subsequently, Deputy Secretary, Operations
About the Protocol for the Disposition of MDH Computer Equipment, Associated Magnetic and Other Data Storage Media, and Data Remanence - Explanatory document.
Certification of Data Remanence Eradication - A control document. To be used by MDH staff to certify protocol was used on specific machines. Kept on file by MDH GSA or unit property officer.
How to Use the Data Remanence Risk Management Matrix - Explains how to determine risk exposure and assists users to select and apply appropriate eradication measures.
IRMA Approved Data Remanence Eradication Software & Hardware List - A listing of IRMA approved software and hardware for use with the MDH protocol. This listing provides items, estimated pricing, and contact information for eradication software and light- and continuous-duty hand-held degaussing equipment.
MDH Data Remanence Risk Management Matrix: Based on DOD 5220.22-M (NISPOM 8-306) modified for MDH for use 98 JUL - IRMA
Protocol to Eradicate MDH Data Remanence - A step-by-step check list that guides the user through each stage of the protocol, and assists to document the process.
Memorandum of Understanding - Sample memorandum of understanding to comply with this Protocol that is required to be concluded between MDH and local Health Departments and their County Boards of Health, non-State entities, and/or vendors, with modification as necessary, for continued access and use of MDH data.
MEMORANDUM
TO: Administration Directors, Facility Managers, Local Health Officers
FROM: Asa Frost, Director, Information Resources Management Administration
RE: Disposition of MDH Computer Equipment, Associated Magnetic and Other Data Storage Media, and Data Remanence
Date: November 2, 1998
This memo places into effect immediately a mandatory Protocol for the Disposal of Computer Equipment and Associated Magnetic and Other Data Storage Media in MDH. Please provide copies to your technical staff, and your Property Accountable Officer.
On June 26, 1998, Mark Puente, Deputy Secretary for Operations, issued a moratorium on the disposal of these materials until such a protocol could be implemented.
IRMA prepared the protocol and attached documentation with guidance from a MDH Computer Emergency Response Team (CERT). The team was composed of key technical staff across the Department as a routine proactive measure to avoid possible data disclosure due to incomplete erasure of information on MDH computers, their associated magnetic and other storage media.
The protocol provides simple instructions for adequate eradication of data on these systems, establishes a contact person in every administration, provides a form to certify compliance, recommends special eradication software and hardware, gives specific directions on this type of property disposal practice, and establishes an on-going training and continuous quality improvement and a spot-check program.
Starting now, IRMA and the General Services Administration will coordinate and support a comprehensive eradication and disposal process. IRMA will provide a list of approved eradication software and hardware that you can purchase, and explicit directions on how to implement this protocol. A series of briefings and specific training will be made available to assist staff in administrations, facilities, and local health departments to better understand the risks associated with Data Remanence, and how to implement the protocol within local units. IRMA will continue to do CQI spot-checks, and assure the protocol is followed.
When your staff is prepared to implement the protocol, you may resume the disposal process. If you need more information, please contact David Bickel at (410) 767-5219 or E-mail bickeld@MDH.state.md.us .
Because Data Remanence is a complex issue, I request that you review your current policies, procedures and protocols, and promote changes where necessary to assure adequate safeguards are in place. Please include a review of contractual language and obligations to ensure protection of MDH data on vendor-based, or vendor-owned, equipment when that equipment is sent to disposal. County Health Departments and applicable non-State entities will be requested to complete agreements stipulating their adherence to this Protocol. Additionally, off-site and on-site vendor-based maintenance procedures must also be reviewed to assure precautions are taken if sensitive information is present on the device when under repair.
Thank you for your cooperation with these measures.
Cc: Dr. Benjamin, B. Shipnuck, M. Puente
Attachments
MEMORANDUM
TO: Program Directors
Facility Directors
Local Health Officers
FROM: K. Mark Puente, Deputy Secretary for Operations
RE: Disposition of MDH Computer Equipment, Associated Magnetic and Other Data Storage Media, and Data Remanence
Date: April 7, 1999
On November 2, 1998, the mandatory 'Protocol for the Disposal of Computer Equipment and Associated Magnetic and Other Data Storage Media in MDH' (Protocol) was implemented. The attached Protocol is intended to help us avoid inadvertent disclosure of data or information due to incomplete erasure of our computer systems' magnetic and other storage media.
Recent spot-checks and quality reviews have disclosed that MDH units continue to send to disposal computers that have not been adequately erased.
THIS IS A SERIOUS CONCERN. Federal laws and regulations, the Maryland Executive Order 01.01.1983.18, and MDH policies mandate that these steps be taken to assure the continued privacy and confidentiality of the data and information of our citizens, our operational units, and the Department. Disciplinary actions, up to and including termination from State service, as well as possible civil and criminal actions, are the prescribed penalties for failure to comply with these requirements.
We are re-issuing this Protocol to further assure notification throughout the Department, and to again request your compliance with this protocol.
The attached protocol provides simple instructions for adequate eradication of data on these systems. IRMA and the General Services Administration will continue to coordinate and support this comprehensive eradication and disposal process. Equipment sent to disposal without the accompanying completed documentation will not be accepted, and will be returned to the originating unit for compliance. IRMA will continue to do CQI spot-checks, and assure the protocol is followed.
Please provide a copy of the attached Protocol to your key staff who will be charged with completing it. If you need more information, please contact Mr. David Bickel, MDH State Data Security Coordinator at (410) 767-5219 or E-mail bickeld@MDH.state.md.us .
Because the eradication of lingering electronic information (Data Remanence) is a complex issue, I request that you review your current procedures and protocols, and promote changes where necessary to assure adequate safeguards are in place. Please include a review of contractual language and obligations to ensure protection of MDH data on vendor-based, or vendor-owned, equipment when that equipment is sent to disposal. County Health Departments and applicable non-State entities are requested to complete agreements stipulating their adherence to this Protocol. Additionally, off-site and on-site vendor-based maintenance procedures must also be reviewed to assure precautions are taken if proprietary or protected information is present on the device when under repair.
Thank you for your cooperation with these measures.
Attachment
Cc: Martin P. Wasserman, M.D., J.D.
Georges Benjamin, M.D.
Joseph Millstone
About the Protocol
for the Disposition of MDH Computer Equipment, Associated Magnetic and Other Data Storage Media, and Data Remanence
October 1998
What it Does: This protocol directs and assists MDH employees to determine the level and type of sanitizing procedures appropriate to be used on magnetic and other data storage media used to store sensitive information.
Why Was It Prepared? It was prepared as a proactive approach to avert possible data disclosure due to incomplete erasure of MDH data storage media.
When Is It Used? It is to be used whenever computer equipment and the associated fixed or removable media is transferred from one organization to another, when equipment is declared surplus, and when organizations dispose of media. A complete list of the types of media covered under this protocol and the methods to sanitize them is contained in the MDH Data Remanence Risk Management Matrix attached to this document. Sanitizing means the removal of data from storage media so that the data cannot be retrieved.
Where Did It Come From? The protocol was developed by a MDH technical team and IRMA staff, and is based on best practice standards outlined in two federal government security computing publications: (1) the FIRMR Bulletin C-22 on the security and privacy of federal information processing resources, issued by the General Services Administration on September 18, 1992, and (2) the National Computer Security Center's A Guide to Understanding Data Remanence in Automated Information Systems (NCSC-TG-025, Library No. S-236, 082, Version 2), which provides specific technical guidance. Additionally, DOD 5220.22-M was used to prepare the risk management matrix.
What Is Covered? Devices addressed in this protocol include fixed and removable hard drives, cartridge and open reel tapes, floppy disks, and all other associated magnetic or optical storage media. This includes machines and/or media located at headquarters sites, local health departments, and facilities. It also includes machines and/or media owned or placed at vendor or partner sites for the purpose of conducting business, or when those units are being serviced. As a regular course of business, computers should be labeled in a way that discreetly, but positively, identifies that client-level data (as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191) is present, or has been present, on the unit. This distinctive marking helps to prevent improper handling, but must be removed prior to disposal.
Who Does the Work? IRMA will provide recommendations on the necessary software, hardware, and other material needed to carry out these directives. As necessary, IRMA will train your key staff and provide technical assistance. Your staff will be responsible for administration of this protocol on machines under their jurisdiction. IRMA will continue to do a CQI spot-check program.
Documentation & Certification: A certification document is included in the protocol. This form requires the signature of your unit's Property Accountable Officer and the technician or staff conducting the protocol. The form describes each item, provides for a listing of state property and serial numbers, and directs the level of eradication deemed necessary for each unit. It also serves to verify that the approved protocol has been run on each unit. A label is required to be placed over the floppy and other removable-media drive slots to prevent any loading of software, to indicate the unit has passed through the protocol, and must state if the unit is not operational at the time of disposal.
Who To Contact With Questions: Contact IRMA at 410-767-6830 if you have technical questions or concerns. Other questions concerning the actual property should be made to your unit Property Accountable Officer.
Certification of Data Remanence Eradication
OCTOBER 1998
ITEMS COVERED: Use this form when disposing of personal or other computing equipment that contains magnetic data storage media. This form must be completed and accompany the devices.
ITEMS EXEMPTED: Other data storage media such as floppy disks, removable magnetic, and other data storage media can be sanitized and/or destroyed using the MDH protocol, but are not to be listed on this form.
The materials listed on the reverse of this form are required to be disposed of in a manner consistent with DGS and MDH guidelines. Please contact your Property Accountable Officer, or call Information Resources Management Administration (IRMA) at 410-767-6830 to determine the process that your unit follows as of August 1998. These materials cannot leave your unit's custody, be disposed of by any other means, including donated, sent to surplus or destroyed, without first going through this protocol. Central office units, facilities, and local health departments are responsible for assuring compliance with this directive.
Please provide the following information-
Unit Name:____________________________________________________________________
[ ] Administration [ ] Facility [ ] Local Health Department [ ] Other, ____________________
Date Completed: ________________ Person Preparing this form: _______________________
Contact Telephone and Email:________________________ ___________________________
Property Accountable Officer Certification
I certify that the equipment and related magnetic and/or other data storage media listed below have been processed using the Protocol to Eradicate MDH Data Remanence
_____________________________ Property Officer or Responsible Staff
Date:______________
Technical Certification
I certify that the equipment and related magnetic and/or other data storage media listed below have been processed using the Protocol to Eradicate MDH Data Remanence
_____________________________ Technician or person(s) administering the protocol
Date: ______________
(PLEASE LIST ALL MATERIALS FOR DISPOSITION ON REVERSE SIDE OF FORM)
Certification of Data Remanence Eradication
Date:________________ Page ___ of ____ pages
MDH Unit Name:___________________________________
PLEASE NOTE: List only personal computers or other computing equipment with internal magnetic storage media.
Equipment processed in this batch: (Example given in first row) List all units separately.
Item # | Item Description | MDH Serial # | Manufacturer's Serial # | Extent of Eradication To Be Used and other comments
1 | IBM Model 50 386 | 99999999 | IBM99999999 | (D, F) has two hard drives
 | | | |
 | | | |
Please make copies of this form as needed.
How to Use the MDH Data Remanence Risk Management Matrix:
'Protocol for the Disposition of MDH Computer Equipment, Associated Magnetic and Other Data Storage Media, and Data Remanence'
October 1998
Purpose: This protocol and associated MDH Data Remanence Risk Management Matrix (see attached) instructs users how to identify the appropriate method which should be used to sanitize data storage media. These media include fixed and removable hard drives, cartridge and open reel tapes, floppy disks, and any other associated magnetic or optical storage media. The matrix provides a staged, incremental process to assure the level of protection is equal to the assigned risk.
Using the matrix, consult with the device user and/or supervisory personnel to select the least extensive method that is consistent with the assigned risk. These can be used singly, or in combination to assure adequate sanitizing.
RISK Assignment: The levels of risk that determine the extent of sanitizing are divided into two categories: (1) Equipment that has never contained client-level data, and is being moved inside the Department, and (2) devices that have included client-level data at some time, and are being transferred internally, or being disposed of outside the Department. As a regular course of business, computers should be labeled in a way that discreetly, but positively, identifies that client-level data is present, or has been present, on the unit. This marking must be removed prior to disposition.
Three extents of sanitizing are outlined in the matrix. These include:
(1) Erasure by Overwriting the data
(a) use of 'FORMAT and FDISK' to assure reasonable eradication of the data contained on the hard drive, and
(b) use of an IRMA-approved 'software-overwrite' program that provides a higher level of eradication;
(2) Erasure by Magnetic Field
Use a demagnetization (degaussing) process to assure the next higher level of protection;
(3) Destruction
Physical destruction of the media to assure the highest level of unrecoverability.
NOTE: DGS requires indication if a unit is not operational, and why, e.g. 'hard drive removed or damaged.' This should be marked on a label that is to be placed over floppy or other removable media openings after sanitizing.
Responsible Staff: Your staff will be responsible for administration of this protocol on machines under their jurisdiction. IRMA will provide recommendations on the necessary software, hardware, and other material needed to carry out these directives. As necessary, IRMA will train your key staff and provide technical assistance. IRMA will continue to do CQI spot-checks, and administer the protocol.
Property Accountable Officer: These materials are required to be disposed of in a manner consistent with DGS and MDH guidelines. Contact your Property Accountable Officer, or call Information Resources Management Administration (IRMA) at 410-767-6830 to determine the process that your unit follows as of October 1998. These materials cannot leave your unit's custody, be disposed of by any other means, including being donated, sent to surplus or destroyed, without first going through this protocol. Computers and media not yet processed according to these guidelines should remain under secure storage. Central office sites, facilities, and local health departments are responsible for assuring compliance with these directives. This responsibility extends to any entity that uses, or has access to, MDH data and/or information. For these entities, a written agreement is required between them and MDH that assures compliance with all requirements of this Protocol. This may be in the form of a separate memorandum of understanding, or appropriate language may be included in existing contracts.
IRMA APPROVED DATA REMANENCE ERADICATION
SOFTWARE & HARDWARE LIST:
'Protocol for the Disposition of MDH Computer Equipment, Associated Magnetic and Other Data Storage Media, and Data Remanence'
Updated December 1998
Currently Approved Eradication Software
Type | Manufacturer | Model | Price | Contact Info
Eradication | Symantec Corp. | Norton Utilities 8.0, ) 3.1/3.11 | $79.95 | 1-800-441-7234 or 541-334-6054
Eradication | Stratfor Systems | Sanitizer PSS | Call for price range | 800-308-5825 or 512-583-5050
Additionally: Symantec Corp. 'Your Eyes Only' version 4.1 for Windows 95/98/NT. This utility allows a user to securely delete a file following its use. It is not intended to be a disk-level eradication utility.
Currently Approved Degaussers (magnetic media erasers)
Duty Rating | Manufacturer | Model | Price | Contact Info
Light | Tandy Corp. | 44-233A | $37.00 | Local Radio Shack
Medium | Data Devices Int. | PF-211 | $150.00 | (626) 799-6546
Please contact IRMA for further information at 410-767-6830
MDH Data Remanence Risk Management Matrix
BASED ON DOD 5220.22-M (NISPOM 8-306) MODIFIED FOR MDH USE 10/98 - IRMA
MEDIA | No client-level data ever present | Client-level data once present
Magnetic Media (Tape) | |
Type I (low energy, iron oxide, 350 Oe rated) | a or b | a, b, or f
Type II (high energy, CrO2 351-750 Oe rated) | a or b | b or f
Type III (cobalt modified iron oxide and metallic coated - 750 Oe rated) | a or b | f
Magnetic Media (Other) | |
Floppies | a, b, or c | f
Non-Removable Rigid Disk (hard drive) | c | a, b, d, or f
Removable Rigid Disks, and other versions of removable, soft-cased, high-density media i.e. Bernoullis, Iomega, 3480, 3490, 4 & 8 mm, etc. | a, b, or c | a, b, d, or f
Optical Media | |
Read many, Write many | c | f
Read Only (CD ROM) | g | f, g
Write Once, Read many (Worm) | g | f, g
Equipment | |
Personal Computers containing any related media | Follow media guidelines | Follow media guidelines
Cathode Ray Tube (CRT) | e | j
Printers | |
Impact | e | i then e
Laser | e | h then e
Clearing Methods:
a. Degauss (Type I Degausser), or rare-earth magnet of suitable strength
b. Degauss (Type II Degausser), or rare-earth magnet of suitable strength
c. Use FDISK and format - (Not adequate for client-level, Protected and Proprietary data eradication)
d. Use IRMA approved materials to overwrite all addressable locations. THIS METHOD MAY NOT COMPLETELY SANITIZE MEDIA THAT CONTAINS client-level data. CONSULT IRMA FOR FURTHER INFORMATION.
e. Remove all power, to include battery power (if present). See j below.
f. Destroy - Cut flexible media into 2 pieces then dispose of in separate waste cans. Disintegrate, incinerate, pulverize, shred, or melt if warranted.
g. Destruction required only if client-level data (as defined as Protected or Proprietary in the MDH 'Non-Disclosure Policy,' April, 1999 MDH Policy #000000) are contained, and cannot be satisfactorily eradicated. Please contact IRMA if you have questions.
h. Run five pages of unclassified text (font test acceptable).
i. Ribbons must be destroyed if Protected or Proprietary data can be read from them. Platens must be cleaned if such data is present on them.
j. Inspect and/or test screen surface for evidence of burned-in sensitive information, and if present, the cathode ray tube must be destroyed in approved manner.
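An added example, not part of the MDH protocol: it checks the "Extent of Eradication" cell of a certification row against the matrix cells above and picks the least extensive listed method. The media names, the function names, the equal ranking of methods a and b, and the client-data flag on each sample row are assumptions of this example; only the magnetic and rewritable optical rows are covered.

```python
import re

# Matrix cells transcribed from the page for magnetic and rewritable optical
# media: media -> (methods if no client-level data ever present,
#                  methods if client-level data once present).
# The short media names used as keys are labels chosen for this example.
MATRIX = {
    "tape type i":          ({"a", "b"}, {"a", "b", "f"}),
    "tape type ii":         ({"a", "b"}, {"b", "f"}),
    "tape type iii":        ({"a", "b"}, {"f"}),
    "floppy":               ({"a", "b", "c"}, {"f"}),
    "hard drive":           ({"c"}, {"a", "b", "d", "f"}),
    "removable rigid disk": ({"a", "b", "c"}, {"a", "b", "d", "f"}),
    "optical read/write":   ({"c"}, {"f"}),
}

# Extent ranking taken from the page's three extents of sanitizing:
# FDISK/format, then approved overwrite, then degaussing, then destruction.
# Ranking a and b equally is an assumption of this example.
EXTENT = {"c": 1, "d": 2, "a": 3, "b": 3, "f": 4}


def permitted(media, client_data):
    """Return the set of method letters the matrix lists for this case."""
    no_client, client = MATRIX[media.lower()]
    return client if client_data else no_client


def least_extensive(media, client_data):
    """Return the listed method(s) with the lowest extent, sorted."""
    allowed = permitted(media, client_data)
    lowest = min(EXTENT[m] for m in allowed)
    return sorted(m for m in allowed if EXTENT[m] == lowest)


def parse_extent(field):
    """Extract method letters from a cell such as '(D, F) has two hard drives'."""
    match = re.match(r"\s*\(([^)]*)\)", field)
    if not match:
        return []
    return [p.strip().lower() for p in match.group(1).split(",") if p.strip()]


def check_entry(media, client_data, extent_field):
    """Return a list of findings for one row of the certification form."""
    letters = parse_extent(extent_field)
    if not letters:
        return ["no method letters recorded"]
    allowed = permitted(media, client_data)
    findings = []
    for letter in letters:
        if letter not in EXTENT:
            findings.append(f"'{letter}' is not a media clearing method handled here")
        elif letter not in allowed:
            findings.append(f"'{letter}' is not listed for {media} in this risk column")
    return findings


if __name__ == "__main__":
    # Constructed rows: (media, client-level data once present, extent cell).
    # The first cell is the form's own example; its risk flag is assumed.
    rows = [
        ("hard drive", True, "(D, F) has two hard drives"),
        ("hard drive", True, "(C)"),
        ("tape type iii", True, "(B)"),
        ("floppy", False, ""),
    ]
    for media, client_data, cell in rows:
        print(media, client_data, repr(cell), "->",
              check_entry(media, client_data, cell) or "ok",
              "| least extensive:", least_extensive(media, client_data))
```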
Protocol to Eradicate MDH Data Remanence
October 1998
[ ] (1) Identify and complete a security risk assessment of each device and media to be disposed or re-situated that are covered by this protocol. The risk assessment should be coordinated with the previous users and supervisory personnel. Using the matrix, select the least extensive method from the chart that is consistent with the assigned risk described at the top of the chart. The extent of eradication for each device must be placed in the last column on the reverse of the 'Certification of Eradication of Data Remanence,' form. Contact 410-767-6830 if you have questions.
[ ] (2) Eradicate the data on the devices and/or media listed using the prescribed method. Unit staff will do this, if necessary, in consultation with IRMA staff. Follow directions included on the self-booting disk labels. NOTE: See the 'IRMA APPROVED DATA REMANENCE ERADICATION SOFTWARE & HARDWARE LIST' for materials that are recommended by IRMA as adequate to erase Client-level data present on hard-drives.
[ ] (3) Apply label(s) over floppy or other removable device slots to indicate eradication procedure has taken place, and to prevent loading of software. Print boldly on this label the condition of the unit if NOT operational/bootable. Any label that covers the opening and will adhere to the unit is acceptable.
[ ] (4) Remove markings, if present, that identify previous user(s), Department association, or that the machine contained client-level, or other sensitive data, at any time.
[ ] (5) Get Certification Signature from your Property Officer for materials on Certification of Data Remanence Eradication document.
[ ] (6) Securely store devices (erased or not erased) until change of custody to disposing authority, e.g. MDH General Services Administration, or other recipient.
[ ] (7) Submit the 'Certification of Data Remanence Eradication' signed by the Property Accountable Officer along with the batch of machines to your local disposal authority. The original will be kept on file by MDH/GSA per their document retention policy and is subject to audit.
Special Concerns:
To prevent copyright violation and further data remanence exposure, it is recommended that no overlap period be allowed where two operational computers reside on a user's desk during the installation of new equipment. Only when deemed necessary, the original PC, hard drive and/or associated media or data shall be retained for a maximum period of 7 days to facilitate a stable transition period to the replacement unit.
MDH equipment and/or data that are located outside the Department, or in the custody of non-MDH personnel, including local Health Departments, are subject to this protocol and to all applicable laws, regulations, or policies. Please review and revise your current policies, procedures and protocols, and promote changes, where necessary, to assure adequate safeguards are in place. This should include a review of contractual language and obligations to ensure protection of MDH data on vendor-based, or vendor-owned equipment when that equipment is sent to disposal. Additionally, off-site and on-site vendor-based maintenance procedures must be reviewed and revised as necessary to assure precautions are taken if sensitive information is present on the device under repair.
Please contact IRMA at 410-767-6830 if you have questions or concerns.
MEMORANDUM OF UNDERSTANDING
Date: __________
This memorandum of understanding between the
Maryland Department of Health (MDH) and
__________________________________ and the _____________________________________
LOCAL HEALTH DEPARTMENT COUNTY BOARD OF HEALTH / CITY COUNCIL
serves as the sole, formal understanding between these two entities regarding the implementation of the directive known as the 'Protocol for the Disposition of Computer Equipment and Associated Magnetic and Other Data Storage Media in MDH' (Protocol).
By this memorandum, ______________________________________ acknowledges that MDH has proprietary and other legal interests in maintaining the integrity of MDH data and information, and in controlling access, protection, custody, and the disposition of this data and information, and agrees to comply with all portions of the Protocol as a condition of continued access to and use of MDH data, regardless of data processing equipment ownership, or the physical location of the data and/or equipment.
Violations of this agreement are subject to MDH sanctions as specified in the MDH 'Policy On The Use Of MDH Electronic Information Systems,' policy number 02.01.01, and to civil and criminal penalties under applicable State and Federal law.
Nothing in this agreement overrides other, more restrictive policies, laws, or regulations governing the custody and disposition of data and information, or the authorized release of confidential information.
__________________________________________________________ on behalf of the
LOCAL HEALTH OFFICER / COMMISSIONER
__________________________________________________________ Health Department and the
__________________________________________________________ for County Board of Health / or City Council
LOCAL HEALTH OFFICER / COMMISSIONER/ OR OTHER AUTHORITY
__________________________________________________________
SECRETARY OR DESIGNEE