Companies in various industries spend a significant amount of money to make sure their data (more specifically, their network) is secure. And while data security has been at the forefront of everyone’s mind for quite some time now, very few resources have been dedicated to addressing the vulnerabilities of data once hardware/IT equipment has been unplugged from companies’ networks. As an example, a simple Hard Drive erasure is not an effective or guaranteed data destruction technique; hackers may still have access to reallocated sectors resulting from a drive fault. Ombligo is focused on helping companies implement low-cost solutions to close the loop on data security initiatives.
By complying with all U.S. Federal, state and local regulations, Ombligo performs a fully compliance-validated sanitization, onsite or at a certified facility.

Data Erasure Process

In an effort to adhere to the guiding principles of the Department of Defense’s 5220.22-M standard as of February 2006, Ombligo uses the most recent version of the ‘NIST SP 800-88 Guidelines for Media Sanitization’ as of December 2014.
To that end, Ombligo, at a minimum, clears and sanitizes electronic data that could identify its partners as the original equipment owners, or irreparably deforms such equipment that contains electronic data.  Ombligo also physically removes stickers and tags (except for Original Equipment Manufacturer (“OEM”) labels) from all equipment received from its partners.
Ombligo uses data erasure procedures that meet or exceed the level of data clearing and sanitization outlined by OEMs.  Such procedures may include, but are not limited to, clearing user names, passwords, electronic banners, domain names, host names and Internet Protocol (IP) addresses that could identify its partners from all equipment units processed.
  • Hard Drive Erasure: For Hard Disk Drives (HDDs), Ombligo uses either firmware-based sanitization commands – such as Secure Erase Commands (Secure Erase, Secure Erase Enhanced), Sanitize Commands (Block Erase, Overwrite, Cryptographic Scramble), NVM Format Commands and Low Level Format Command (including Security Initialization as available) – or non-firmware-based sanitization commands – such as the three-pass block erase data overwrite method.  When applicable, the Host Protected Area (“HPA”) and Device Configuration Overlay (“DCO”) are removed.  For all other equipment parts that may contain electronic data (e.g., Redundant Array of Independent Disks (“RAID”) Controllers), Ombligo clears and resets them to factory defaults.
  • Hard Drive Degaussing: When hard drive erasure is not successful, or when specifically requested by Ombligo’s partners, Ombligo will use a degausser for HDDs.  Degaussing is an electromagnetic process which makes an HDD permanently unreadable.  Ombligo uses a Garner-HD-3WXL for all HDD degaussing.
  • Hard Drive Deformation: Following degaussing, Ombligo irreparably deforms HDDs and other parts earmarked for responsible electronic recycling.  This is done by using a portable crushing device which irrevocably deforms the part in question, making it unusable.
  • Tape and Hard Drive Shredding: Ombligo shreds Compact Disks (“CDs”) and Digital Video Disks (“DVDs”) using a Datastroyer 101-CD.  DVDs are split in two and each half is run through the Datastroyer separately.
Ombligo’s certified data sanitization satisfies the following industry regulations:
  • California Senate Bill 1386 – CAL SB1386 (The California Information Practice Act)
  • GLB (Gramm-Leach-Bliley Act) – banking and financial institutions
  • HIPAA (Health Insurance Portability and Accountability Act) – the healthcare industry
  • NIST (National Institute of Standards and Technology) guidelines for media sanitization
  • PCI DSS (Payment Card Industry Data Security Standard)
  • PIPEDA (Personal Information Protection and Electronic Documents Act)
  • SOX (The Sarbanes-Oxley Act)
  • FACTA (Fair and Accurate Credit Transactions Act)

Addressing Key Data Vulnerabilities

According to Bloomberg, Forrester and other public research, companies’ worst hacking threat may be their own employees. To address this, Ombligo’s partners should:
  • Not leave unplugged hardware stored in a room where employees could access it
  • Inform Ombligo as soon as equipment is earmarked for disposal, and before it is unplugged from the network
  • Let Ombligo’s team unplug equipment straight from partners’ networks and transport it to an Ombligo facility for secure disposal
  • Ensure there are no gaps or vulnerabilities in the chain of custody
    • Equipment becomes Ombligo’s responsibility as soon as it is touched at partners’ locations
    • Ombligo provides secure transportation to an Ombligo facility, with appropriate insurance policies in place
  • Ask for on-site data sanitization and secure data destruction services to make sure no data resides on unplugged hardware when it leaves partners’ locations
    • Data does not solely reside on Hard Disk Drives (HDDs)
    • Other equipment parts/units that may contain data: remote management cards (e.g., Dell’s RAC or HP’s iLO); flash memory (for routers); supervisor engines (for network switches); etc.

Data Sanitization Locations

Ombligo provides certified data sanitization and secure data destruction services with an associated letter of indemnification, both onsite at partners’ locations, as well as at an Ombligo facility.
Partners that elect to have Ombligo sanitize data at an Ombligo facility, but do not want to resell some of their more sensitive equipment parts, are provided with a securely locked box – an Ombligo Bin – which is placed at partners’ locations.  Ombligo Bins are dedicated to storing equipment and computer parts that Ombligo partners earmark for data sanitization, secure data destruction and responsible electronic recycling.  Ombligo picks up Ombligo Bins on a regular schedule, the frequency of which differs depending on each partner’s specific needs and requirements.  Other equipment earmarked for processing by Ombligo is picked up with a clear chain of custody where Ombligo takes over responsibility (and associated potential liability) of any excess IT equipment from the moment Ombligo’s team “touches” its partners’ equipment.
Other partners with more stringent compliance requirements often require Ombligo to provide its data sanitization and secure data destruction services onsite at their own locations, exclusively for equipment and computer parts that are earmarked for responsible electronic recycling.