Infosec Standard 5

From Wikipedia, the free encyclopedia

HMG Infosec Standard 5, or IS5, is a data destruction standard used by the British government.

Context
IS5 is part of a larger family of IT security standards published by CESG; it is referred to by the more general
Infosec Standard No.1.[1] IS5 is similar to DOD 5220.22-M (used in the USA).[2]

Requirements
IS5 sets a wide range of requirements: not just the technical detail of overwriting data, but also the policies
and processes that organisations should have in place, to ensure that media are disposed of securely. IS5 also
touches on risk management accreditation, because secure reuse and disposal of media is an important control
for organisations handling high-impact data. It's not sufficient just to sanitise media; the sanitisation should also
be auditable, and records must be kept.[3]

IS5 defines two different levels of overwriting:[4]

Baseline overwriting of data involves one pass, overwriting every sector of the storage medium once
with randomly generated data.
Enhanced overwriting involves three passes; each sector is overwritten first with 1s, then with 0s, and
then with randomly generated 1s and 0s.

Regardless of which level is used, verification is needed to ensure that overwriting was successful.[5]
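
The two overwriting levels, the verification step and the record-keeping requirement described above, as an added example (not part of the article and not taken from IS5 itself). The function names, the SHA-256 read-back after every pass and the audit-record fields are assumptions of this example, and the target is a file or disk image rather than a raw device:

```python
import hashlib
import os
import time

CHUNK = 1 << 20  # 1 MiB per write
# Pass patterns as the article describes them: "1s" is taken to mean all bits
# set (0xFF), "0s" all bits clear (0x00); None means randomly generated data.
LEVELS = {"baseline": [None], "enhanced": [b"\xff", b"\x00", None]}

def write_pass(fd, size, pattern):
    """Overwrite the whole target once; return SHA-256 of the bytes written."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        buf = os.urandom(n) if pattern is None else pattern * n
        written = os.write(fd, buf)
        digest.update(buf[:written])  # hash only what was actually written
        remaining -= written
    os.fsync(fd)
    return digest.hexdigest()

def read_digest(fd, size):
    """Hash the target as read back. This may be served from the OS page
    cache; a real tool must bypass the cache to read the medium itself."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        buf = os.read(fd, min(CHUNK, remaining))
        if not buf:
            raise IOError("short read during verification")
        digest.update(buf)
        remaining -= len(buf)
    return digest.hexdigest()

def sanitise(path, level):
    """Run the passes for `level`, verify each, and return an audit record."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        passes = []
        for i, pattern in enumerate(LEVELS[level], 1):
            ok = write_pass(fd, size, pattern) == read_digest(fd, size)
            name = "random" if pattern is None else pattern.hex()
            passes.append({"pass": i, "pattern": name, "verified": ok})
    finally:
        os.close(fd)
    return {"target": path, "level": level, "bytes": size, "passes": passes,
            "ok": all(p["verified"] for p in passes),
            "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
```

Hashing the random pass while it is written lets the read-back be checked without holding the random data in memory. Overwriting a file through a filesystem does not reach remapped sectors or other copies of the data, so this shows the pass and verification logic only.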

Apart from overwriting, other methods could be used, such as degaussing, or physical destruction of the media.
With some inexpensive media, destruction and replacement may be cheaper than sanitisation followed by reuse.
ATA Secure Erase is not approved. Different methods apply to different media, ranging from paper to CDs to
mobile phones.

The choice of method affects reusability. Four different outcomes are considered:

Reuse of media in a similarly secure environment;
Reuse of media in a less-secure environment (accredited at a lower IL);
Reuse anywhere (i.e. an untrusted or unknown environment);
Destruction.

Stricter requirements apply to data with a stronger protective marking or IL. Media at or above IL4 /
CONFIDENTIAL must be handled at a secure site, such as a List X site.

References
1. HMG Infosec Standard No. 1
2. "Computer Hard Disk Data Destruction" (http://www.it-green.co.uk/hard_disk_data_destruction.html). Retrieved 4 June 2013.
3. HMG IA Standard No. 5: Secure Sanitisation. Issue 4.0, April 2011
4. "Software Data Destruction Services" (http://www.datarecoveryservices.uk.com/software_destruction.htm). Retrieved 4 June 2013.
5. "How to Choose a Secure Data Destruction Method" (http://www.secure-data-destruction.eu/publications/How-to-Choose-a-Secure-Data-Destruction-Method.pdf) (PDF). Retrieved 4 June 2013.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Infosec_Standard_5&oldid=763907612"

This page was last edited on 5 February 2017, at 22:46.

