
Regulations - Government/Commercial

Government

Our degaussers are listed on the National Security Agency's approved degausser products list (the NSA/CSS Evaluated Products List for degaussers). NIST SP 800-53 was published to provide guidelines and recommended security controls for federal government information systems. Its media sanitization control (MP-6) points federal organizations to NIST SP 800-88, Guidelines for Media Sanitization, which in turn directs them to the National Security Agency's approved degausser products list when degaussers are used for media sanitization.

We can help you select the proper degausser and also help ensure that your procedures comply with NSA/DoD regulations.

The National Security Agency Central Security Service (NSA/CSS) Policy Manual provides guidance for clearing, sanitization, declassification, and release of information on information systems storage devices. The following is taken from the NSA/CSS Policy Manual 9-12:

Magnetic Storage Device Procedures

Reel and Cassette Format Magnetic Tapes

  • Sanitization: Sanitize magnetic tapes in accordance with either of the following procedures. Remove all labels or markings that indicate previous use or classification.
  • Degaussing: Degauss using an NSA/CSS approved degausser.

Magnetic Disks

Magnetic disks include hard disk drives, floppy disks, diskettes, and disk packs.

Hard Disk Drives

  • Sanitization: Sanitize hard disk drives by erasing the hard disk drive in an NSA/CSS approved automatic degausser, by disassembling the hard disk drive and erasing the enclosed platters with an NSA/CSS approved degaussing wand, or by incineration. Remove all labels or markings that indicate previous use or classification.
  • Sanitization With Automatic Degausser: 1) Remove the hard disk drive from the chassis or cabinet; 2) remove any steel shielding materials or mounting brackets which may interfere with magnetic fields; 3) place the hard disk drive in an NSA/CSS approved degausser and erase. NOTE - Erasure of hard disk drives will cause damage (e.g., loss of timing tracks and damage to the disk drive motor) that will prohibit its continued use.

Commercial

Data Security, Inc. manufactures degaussers for the financial community required to meet the privacy requirements of the Gramm-Leach-Bliley Act (GLBA). Our degaussers also support health care organizations and other agencies required to comply with the Health Insurance Portability and Accountability Act (HIPAA).

Financial Companies: Gramm-Leach-Bliley Act (GLBA)

Many financial institutions collect personal information from their customers, such as their names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The GLBA requires financial institutions to ensure the security and confidentiality of this type of information.

As part of its implementation of the GLBA, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This rule requires financial institutions under FTC jurisdiction to secure customer records and information and to train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information.

Here are some suggestions on how to maintain security throughout the life cycle of customer information, i.e., from data entry to data disposal:

  • Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up.
  • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives, or any other electronic media that contain customer information.
  • Effectively destroy the hardware and promptly dispose of outdated customer information.

Health Care Agencies: Health Insurance Portability and Accountability Act (HIPAA)

The final rule adopting HIPAA standards for the security of electronic health information (the HIPAA Security Rule) was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical safeguards for covered entities to use to ensure the confidentiality, integrity, and availability of electronic protected health information.

The requirements and implementation specifications for Device and media controls are set out at §164.310(d) of this rule (the standard at §164.310(d)(1) and its implementation specifications at §164.310(d)(2)). The following excerpt reproduces that category:

Standard: Device and media controls.
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Implementation specifications:

Disposal (Required).
Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Media re-use (Required).
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

Accountability (Addressable).
Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

Data backup and storage (Addressable).
Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.