S 4.32 Physical deletion of data media before and after usage

Initiation responsibility: IT Security Management

Implementation responsibility: IT Procedures Officer

In addition to the instructions on deletion and destruction of data carriers mentioned in measure S 2.167 Secure deletion of data media, the following items must be observed for the exchange of data media:

Magnetic data media intended for exchange should be physically erased before being written with the information to be transmitted. This is to prevent the transmission of residual data which the recipient has no authority to receive.

Physical erasure sufficient for medium-level protection can be achieved by overwriting the entire data medium or at least the used sectors with a certain pattern. Another alternative is to format the data medium, if this cannot be undone again (e.g. DOS version 5.0: format/u). Certain commercially available products even allow the physical erasure of individual files.

As a rule, transmitted data also requires protection by the recipient. Once the data has been received, the data medium should again be physically erased.

Optical data media (in this case: WORM) should not be used for data exchange if they bear other information which is not meant for the recipient and cannot be erased.

Additional controls:

• Are the persons responsible for the exchange of data media familiar with the process of physical erasure?

• Do these employees have access to suitable programs for physical erasure?

• Are the recipients of confidential information notified about its data protection requirements?