HOME

TheInfoList



Click Here for Items Related To - Infosec Standard 5
OR:
Infosec Standard 5 on:   [Wikipedia]   [Google]   [Amazon]

HMG Infosec Standard 5, or IS5, is a
data destruction Data erasure (sometimes referred to as data clearing, data wiping, or data destruction) is a software-based method of overwriting the data that aims to completely destroy all electronic data residing on a hard disk drive or other digital media ...
standard used by the British government.


Context

IS5 is part of a larger family of IT security standards published by CESG; it is referred to by the more general
Infosec Standard No.1 HMG Information Assurance Standard No.1, usually abbreviated to IS1, was a security standard applied to government computer systems in the UK. The standard was used to assess – and suggest responses to – technical risks to the confidentiality, ...
. IS5 is similar to
DOD 5220.22-M The National Industrial Security Program, or NISP, is the nominal authority in the United States for managing the needs of private industry to access classified information. The NISP was established in 1993 by Executive Order 12829. The National ...
(used in the USA).


Requirements

IS5 sets a wide range of requirements—not just the technical detail of overwriting data, but also the policies and processes that organisations should have in place, to ensure that media are disposed of securely. IS5 also touches on risk management accreditation, because secure reuse and disposal of media is an important control for organisations handling high-impact data. It's not sufficient just to sanitise media; the sanitisation should also be ''auditable'', and records must be kept. IS5 defines two different levels of overwriting: * Baseline overwriting of data involves one pass, overwriting every sector of the storage medium once with zeros. * Enhanced overwriting involves three passes; each sector is overwritten first with 1s, then with 0s, and then with randomly generated 1s and 0s. Regardless of which level is used, verification is needed to ensure that overwriting was successful. Apart from overwriting, other methods could be used, such as
degaussing Degaussing is the process of decreasing or eliminating a remnant magnetic field. It is named after the gauss, a unit of magnetism, which in turn was named after Carl Friedrich Gauss. Due to magnetic hysteresis, it is generally not possible to red ...
, or physical destruction of the media. With some inexpensive media, destruction and replacement may be cheaper than sanitisation followed by reuse.
ATA Secure Erase Parallel ATA (PATA), originally , also known as IDE, is a standard interface designed for IBM PC-compatible computers. It was first developed by Western Digital and Compaq in 1986 for compatible hard drives and CD or DVD drives. The connection ...
is not approved. Different methods apply to different media, ranging from paper to CDs to mobile phones. The choice of method affects reusability. Four different outcomes are considered: * Reuse of media in a similarly secure environment; * Reuse of media in a less-secure environment (accredited at a lower IL); * Reuse anywhere (i.e. an untrusted or unknown environment); * Destruction. Stricter requirements apply to data with a stronger protective marking or IL. In some cases, media at or above IL4 / CONFIDENTIAL may have to be handled at a secure site, such as a
List X A List X site is a commercial site (i.e. non-government) on UK soil that is approved to hold UK government protectively marked information marked as 'Secret' or above, or international partners information classified ‘Confidential’ or above. ...
site.


References

{{reflist Classified information in the United Kingdom Computer security in the United Kingdom Information assurance standards IT risk management