Data sanitization isn't what you think it is, but a new group hopes to change that
The International Data Sanitization Consortium wants to encourage IT professionals to think harder about the ways they get rid of old data.
"I am astounded by how little is known and understood about data sanitization," said Richard Stiennon, chief strategy officer at Blancco Technology Group and acting director of the IDSC, which launched on Tuesday with other members including the Information Governance Initiative, Ingram Micro ITAD, Kroll Ontrack and others.
The group wants to get rid of ambiguity around what data sanitization means, its members say, bringing specificity to terminology, standards and guidelines.
A recent survey of IT professionals found that, when asked to identify the correct definition of data sanitization, 64 percent answered incorrectly. There's a misconception among many that factory resets, data wiping and reformatting are enough to safely clear away old data, said Stiennon. But that's not the case.
"The vast majority of organizations today aren’t undertaking the necessary steps to implement a data sanitization process and are leaving themselves vulnerable to a potential data breach," he said in a statement. "This is both disappointing and alarming – and something we at the IDSC hope to change through ongoing education and guidance."
Ensuring old data is unrecoverable by permanently and irreversibly removing or destroying it on equipment such as wearables and medical devices is critical to good security, said the group. A device that has been sanitized has no residual data to be recovered, even with the assistance of advanced forensic tools.
There are three ways to achieve true data sanitization, according to the IDSC: physical destruction, cryptographic erasure and data erasure. The consortium comprises IT security experts from academic institutions, analyst firms, software providers and hardware manufacturers.
The consortium hopes to make sanitization best practices a more urgent priority among IT professionals, and to educate them about those processes and more through its website.
"Failing to govern data is an endemic problem that can inflict serious damage on an organization – and it can happen at any time from the instant a piece of digital data is created right to the very end of its lifecycle," said Barclay Blair, founder and executive director of the Information Governance Initiative, in a statement.
"Time and time again across the hundreds of organizations we speak to each year, we see the consequences of this governance failure in litigation, security breaches, loss of customer trust, regulatory sanctions and other completely unnecessary incidents," he added. "Data sanitization is an essential part of a holistic and mature approach to governing information, and it is our hope that this initiative will play a major role in driving clarity and adoption on this critical part of the information governance lifecycle."