NAID® is the international trade association for companies providing information destruction services. Suppliers of products, equipment and services to destruction companies are also eligible for membership. NAID's mission is to promote the information destruction industry and the standards and ethics of its member companies.
http://www.naidonline.org/nitl/en/index.html
Guides for securing Information Systems storage devices. The following excerpts are taken from the NSA/CSS Policy Manual 9-12:
Securing Data: Sanitize hard disk drives by either erasing the hard disk drive in a NSA/CSS approved automatic degausser, by disassembling the hard disk drive and erasing the enclosed platters with a NSA/CSS approved degaussing wand, or incineration. It is also highly recommended that the hard disk drive be physically damaged prior to release. Remove all labels or markings that indicate previous use or classification.
Sanitization: Sanitize magnetic tapes in accordance with either of the following procedures. Remove all labels or markings that indicate previous use or classification. Degauss using a NSA/CSS approved degausser.
Magnetic Disks: Magnetic disks include hard disk drives, floppy disks, diskettes, and disk packs.
Sanitization with Automatic Degausser: … [use a] NSA/CSS approved degausser and erase.
NOTE: Erasure of hard disk drives will cause damage (i.e., loss of timing tracks and damage to disk drive motor) that will prohibit its continued use.
(The Pure Leverage Hard Drive Crusher meets NSA requirements for destruction.)
The National Institute of Standards and Technology (NIST) Special Publication 800-88 Guidelines for Media Sanitization will assist organizations in implementing a media sanitization program with proper and applicable techniques and controls for sanitization and disposal decisions, considering the security categorization of the associated system’s confidentiality.
Authority
The National Institute of Standards and Technology (NIST) developed this guide in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all federal agency operations and assets…
Purpose and Scope
The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media. With the advanced features of today’s operating systems, electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information.
Many financial institutions collect personal information from their customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of this type of information.
As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information, and to train employees to take basic steps to maintain the security, confidentiality and integrity of customer information.
Here are some suggestions on how to maintain security throughout the life cycle of customer information that is, from data entry to data disposal: Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up; Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information;
Effectively destroy the hardware; and promptly dispose of outdated customer information.
The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This Final Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information.