Companies in various industries spend a significant amount of money to make sure their data (more specifically, their network) is secure. And while data security has been at the forefront of everyone’s mind for quite some time now, very few resources have been dedicated to addressing the vulnerabilities of data once hardware/IT equipment has been unplugged from companies’ networks. As an example, a simple hard drive erasure is not an effective or guaranteed data destruction technique; hackers may still have access to reallocated sectors resulting from a drive fault. Ombligo is focused on helping companies implement low-cost solutions to close the loop on data security initiatives.
By complying with all U.S. Federal, state and local regulations, Ombligo performs a fully compliance-validated sanitization, onsite or at a certified facility.
In an effort to adhere to the guiding principles of the Department of Defense’s 5220.22-M standard as of February 2006, Ombligo uses the most recent version of the ‘NIST SP 800-88 Guidelines for Media Sanitization’ as of December 2014.
To that end, Ombligo, at a minimum, clears and sanitizes electronic data that could identify its partners as the original equipment owners, or irreparably deforms such equipment that contains electronic data. Ombligo also physically removes stickers and tags (except for Original Equipment Manufacturer (“OEM”) labels) from all equipment received from its partners.
Ombligo uses data erasure procedures that meet or exceed the level of data clearing and sanitization outlined by OEMs. Such procedures may include, but are not limited to, clearing user names, passwords, electronic banners, domain names, host names and Internet Protocol (IP) addresses that could identify its partners from all equipment units processed.
Hard Drive Erasure: For Hard Disk Drives (HDDs), Ombligo uses either firmware-based sanitization commands – such as Secure Erase Commands (Secure Erase, Secure Erase Enhanced), Sanitize Commands (Block Erase, Overwrite, Cryptographic Scramble), NVM Format Commands and Low Level Format Command (including Security Initialization as available) – or non-firmware-based sanitization commands – such as the three-pass block erase data overwrite method. When applicable, the Host Protected Area (“HPA”) and Device Configuration Overlay (“DCO”) are removed. For all other equipment parts that may contain electronic data (e.g., Redundant Array of Independent Disks (“RAID”) Controllers), Ombligo clears and resets them to factory defaults.
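The pre-erase check below is an added example, not Ombligo's own tooling. It reads constructed sample text in the format printed by `hdparm -N` and `smartctl -A` and reports the two conditions mentioned on this page under which a host-side overwrite alone leaves sectors untouched: a Host Protected Area and reallocated sectors. The function names and the wording of the findings are assumptions made for the illustration.

```python
import re

# Constructed sample output in the format printed by `hdparm -N /dev/sdX`.
HDPARM_SAMPLE = """
/dev/sdX:
 max sectors   = 1953523055/1953525168, HPA is enabled
"""

# Constructed sample rows in the format printed by `smartctl -A /dev/sdX`.
SMART_SAMPLE = """
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       8
  9 Power_On_Hours          0x0032   072   072   000    Old_age   Always       -       20731
"""

def hpa_hidden_sectors(hdparm_output):
    """Sectors hidden behind the HPA: native max minus currently visible max."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", hdparm_output)
    if m is None:
        raise ValueError("no 'max sectors' line found")
    visible, native = int(m.group(1)), int(m.group(2))
    return native - visible

def reallocated_sectors(smart_output):
    """Raw value of SMART attribute 5, or None if the drive does not report it."""
    for line in smart_output.splitlines():
        fields = line.split()
        if len(fields) >= 10 and fields[0] == "5":
            return int(fields[9])
    return None

def pre_erase_findings(hdparm_output, smart_output):
    """Reasons a host-side overwrite alone would leave sectors untouched."""
    findings = []
    hidden = hpa_hidden_sectors(hdparm_output)
    if hidden > 0:
        findings.append(f"HPA hides {hidden} sectors; remove it before overwriting")
    remapped = reallocated_sectors(smart_output)
    if remapped:
        findings.append(f"{remapped} reallocated sectors; use a firmware-based command")
    return findings

if __name__ == "__main__":
    for finding in pre_erase_findings(HDPARM_SAMPLE, SMART_SAMPLE):
        print(finding)
```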
Hard Drive Degaussing: When hard drive erasure is not successful, or when specifically requested by Ombligo’s partners, Ombligo will use a degausser for HDDs. Degaussing is an electromagnetic process which makes an HDD permanently unreadable. Ombligo uses a Garner-HD-3WXL for all HDD degaussing.
Hard Drive Deformation: Following degaussing, Ombligo irreparably deforms HDDs and other parts earmarked for responsible electronic recycling. This is done by using a portable crushing device which irrevocably deforms the part in question, making it unusable.
Tape and Hard Drive Shredding: Ombligo shreds Compact Disks (“CDs”) and Digital Video Disks (“DVDs”) using a Datastroyer 101-CD. DVDs are split in two and each half is run through the Datastroyer separately.
Ombligo’s certified data sanitization satisfies the following industry regulations:
California Senate Bill 1386 – CAL SB1386 (The California Information Practice Act)
GLB (Gramm-Leach-Bliley Act) – banking and financial institutions
HIPAA (Health Insurance Portability and Accountability Act) – the healthcare industry
NIST (National Institute of Standards and Technology) guidelines for media sanitization
PCI DSS (Payment Card Industry Data Security Standard)
PIPEDA (Personal Information Protection and Electronic Documents Act)
SOX (The Sarbanes-Oxley Act)
FACTA (Fair and Accurate Credit Transactions Act)
According to Bloomberg, Forrester and other public research, companies’ worst hacking threat may be their own employees.
Not leave unplugged hardware stored in a room where employees could access it
Inform Ombligo as soon as equipment is earmarked for disposal, and before it is unplugged from the network
Let Ombligo’s team unplug equipment straight from partners’ networks and transport it to an Ombligo facility for secure disposal
Ensure there are no gaps or vulnerabilities in the chain of custody
Equipment becomes Ombligo’s responsibility as soon as touched at partners’ locations
Ombligo provides secure transportation to an Ombligo facility, with appropriate insurance policies in place
Ask for on-site data sanitization and secure data destruction services to make sure no data resides on unplugged hardware when it leaves partners’ locations
Data does not solely reside on Hard Disk Drives (HDDs)
Other equipment parts/units that may contain data: remote management cards (e.g., Dell’s RAC or HP’s iLO); flash memory (for routers); supervisor engines (for network switches); etc.