In this series we will review each of the core Aspects in the CCSS and provide our interpretation for each of the Aspect’s requirements and what possible evidence could provide assurance to the auditor that a requirement is in-place. Make sure to read our other in-depth articles on the CCSS Aspects:

CCSS Aspect 2.02 Data Sanitization

In this article we will explore how an auditor could interpret the CCSS Aspect 2.02 Data Sanitization Policy (DSP).

Aspect 2.02 Data Sanitization Policy (DSP) addresses the secure deletion of key data from digital media. The Aspect's objective, as defined within the CCSS, is quoted below.

This aspect covers the removal of cryptographic keys from digital media. Due to the manner in which file systems allocate data on digital media, digital forensic techniques can be employed to read old data that has previously been deleted. Proper sanitization of digital media ensures the proper removal of all keys, eliminating the risk of information leakage from decommissioned devices like servers, hard disk drives, and removable storage.

Aspect Controls

There are two controls to this Aspect. In this article we will address each component.

  • 2.02.1 DSP Exists
  • 2.02.2 Audit Trail of all media sanitization

CCSS Levels

CCSS provides three levels of compliance: Level 1 is the base level of implementing CCSS requirements and Level 3 is the most in-depth implementation. We shall review each compliance level and provide our thoughts on what evidence an auditor should seek to gain assurance that the requirements are in place.

A Note on Backup Data

The CCSSA should review backup processes with the assessed entity to understand whether any key data is backed up. The CCSSA should review the backup policy and procedures, interview the personnel who manage the backup process, and review the backup configurations to identify any key data that has been backed up.

If key data is marked for deletion then any backups of the key data must also be securely deleted. Storage snapshots, replicas and versioned cloud objects are backups in effect even when they are not labelled as such, so they belong in the same inventory.

Level 1 Compliance

This requirement is composed of three sub-requirements, listed below. We will review each in the context of a CCSS audit to identify what evidence is needed to have enough assurance that the requirement is in place.

  1. “The organization’s staff is aware of how data persists on digital media after deletion.”
  2. “Staff also have access to tools that perform secure deletion of data.”
  3. “[staff] understand when to use such tools to permanently destroy any transient copies of cryptographic keys that may be required during the maintenance of the information system.”

Sub-requirement: The organization’s staff is aware of how data persists on digital media after deletion.

This sub-requirement, in our opinion, requires evidence that personnel have completed training that covers how data persists on digital media after the operating system's standard deletion functions have been used.

The training should be technical enough to describe how data is written to and organized on digital media, and why the standard deletion functions provided by operating systems do not securely delete persisted data: deleting a file typically removes only the directory entry and marks its blocks as free, leaving the contents readable until those blocks are reused. It should also cover flash media, where the drive's wear levelling keeps copies that the host cannot address or overwrite through the file system.

The training material will need to address each operating system (for example Windows, macOS and Linux) used within the CCSS Trusted Environment.

Evidence to provide assurance that this sub-requirement is in-place should be:

  1. Appropriate training material, detailed enough that all in-scope personnel can understand how data is written to and organized on digital media and why the standard deletion functions provided by operating systems do not securely delete all data persisted on it.
  2. A sample of personnel interviewed from different in-scope roles who can clearly describe why secure methods of data deletion matter.
  3. A record showing that all in-scope personnel with responsibility for deleting key data have completed the relevant training.

Sub-requirement: Staff also have access to tools that perform secure deletion of data.

In order to ensure this requirement is in place, the CCSSA must first record all deletion processes for key data used by the assessed entity. For example, the assessed entity may delete key data using a software package that does not permanently delete it: the software may simply mark or flag the key data as “deleted” so that an “undo delete” function can be offered, leaving the data in place.

It is critical that the CCSSA ensures every deletion process for key data uses a tool whose secure deletion function follows an industry standard, in practice NIST SP 800-88 Rev. 1, which defines the Clear, Purge and Destroy categories and specifies which techniques are acceptable for each media type. DoD 5220.22-M is still widely cited by vendors, but the current NISPOM no longer prescribes the three-pass overwrite associated with it, and multi-pass overwriting is not an effective sanitization technique for flash-based media (SSDs, NVMe, USB sticks); for these, a Purge-level technique such as the drive's sanitize or secure-erase command, or cryptographic erase of an encrypted volume, is required. The CCSSA should also confirm that the tool's verification output is retained as evidence.
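An added example of what such a tool does at file level, written for this article and not code from the CCSS or the original page: a Python sanitizer that overwrites a file in place, verifies the overwrite, and removes the name, with the media types the technique does not reach spelled out in its comments. The file name, key bytes and temporary directory are constructed for the demonstration.

```python
"""Overwrite-in-place file sanitizer: an added example, not code from the CCSS
or the original article. It implements the NIST SP 800-88 "Clear" technique
(logical overwrite through the file system) and shows why that is only a
partial answer."""
from __future__ import annotations

import os
import secrets
import tempfile
from pathlib import Path


def _write_all(fd: int, data: bytes) -> None:
    """os.write may write fewer bytes than asked; loop until the buffer is gone."""
    view = memoryview(data)
    while view:
        view = view[os.write(fd, view):]


def _overwrite_pass(fd: int, size: int, pattern: bytes | None, chunk: int = 1 << 20) -> None:
    """One pass over the file's existing extent. pattern=None writes random bytes,
    otherwise the pattern is repeated. fsync forces the pass to the device before
    the next one, so passes do not collapse into a single cached write."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(chunk, remaining)
        data = secrets.token_bytes(n) if pattern is None else (pattern * (n // len(pattern) + 1))[:n]
        _write_all(fd, data)
        remaining -= n
    os.fsync(fd)


def _reads_back_as_zero(fd: int, size: int, chunk: int = 1 << 20) -> bool:
    """Verification step: read the extent back and confirm only zeros remain."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        buf = os.read(fd, min(chunk, remaining))
        if not buf or buf.count(0) != len(buf):
            return False
        remaining -= len(buf)
    return True


def secure_delete(path: str, random_passes: int = 1) -> dict:
    """Overwrite a regular file in place (random passes, then zeros), verify,
    truncate, rename to a random name and unlink. Returns an evidence record.

    Caveat (the point a CCSSA should probe): this only rewrites the logical
    blocks the file system currently maps to the file. Copies left by journaling,
    copy-on-write file systems (btrfs, ZFS, APFS snapshots), SSD wear levelling,
    over-provisioned flash and backups are not reached. For those, SP 800-88
    "Purge" applies: a device-level sanitize command or cryptographic erase of
    an encrypted volume, which is why keys should live only on encrypted media."""
    p = Path(path)
    if p.is_symlink() or not p.is_file():
        raise ValueError(f"refusing to sanitize non-regular file: {path}")
    size = p.stat().st_size
    fd = os.open(path, os.O_RDWR)  # no O_TRUNC: keep the blocks so they get overwritten
    try:
        for _ in range(random_passes):
            _overwrite_pass(fd, size, None)
        _overwrite_pass(fd, size, b"\x00")
        verified = _reads_back_as_zero(fd, size)
        os.ftruncate(fd, 0)
        os.fsync(fd)
    finally:
        os.close(fd)
    # Rename before unlinking so the original file name does not survive in the
    # directory entry, then fsync the directory where the platform allows it.
    anonymous = p.with_name(secrets.token_hex(8))
    os.replace(p, anonymous)
    os.unlink(anonymous)
    if hasattr(os, "O_DIRECTORY"):
        dfd = os.open(p.parent, os.O_RDONLY | os.O_DIRECTORY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    return {
        "path": str(p),
        "bytes_overwritten": size,
        "passes": random_passes + 1,
        "verified": verified,
        "method": "NIST SP 800-88 Clear (logical overwrite); not sufficient for flash or CoW media",
    }


def demo() -> dict:
    """Constructed scenario: a 32-byte dummy key written to a temporary file,
    then sanitized. The key bytes are generated here and are not real key data."""
    key = secrets.token_bytes(32)
    with tempfile.NamedTemporaryFile(delete=False, suffix=".key") as f:
        f.write(key)
        path = f.name
    record = secure_delete(path)
    record["path_still_exists"] = os.path.exists(path)
    return record


if __name__ == "__main__":
    print(demo())
```

Running the module sanitizes a throw-away file and prints the evidence record. The caveat in the docstring is the part worth raising with the assessed entity: the record proves that the logical file was overwritten, not that flash cells or snapshots holding earlier copies were, so a tool like this satisfies the requirement only for magnetic media without snapshots; everything else needs a Purge-level device command or cryptographic erase.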

Sub-requirement: [staff] understand when to use such tools to permanently destroy any transient copies of cryptographic keys that may be required during the maintenance of the information system.

To ensure this sub-requirement is met the CCSSA must:

  1. Review policy and procedures that define the life cycle of key data which must include any processes where key data is copied. The policy and procedures must also address under what conditions the deletion tools are used on key data.
  2. Review all change requests completed during the assessed period that include the deletion of key data, and inspect the locations where key data was used and stored before deletion to ensure all relevant key data has been securely deleted.
  3. Interview personnel who conducted the deletion of key data under change management to ensure the key data deletion policy and procedures have been adhered to.

Level 2 Compliance

For this CCSS Level 2 requirement to be marked in-place by the CCSSA the following should be undertaken by the CCSSA:

  1. Review all policy and procedures that define deletion of key data and compare with the locations of all key data identified by the CCSSA during the CCSS Level 1 audit tasks to ensure the documentation covers all processes, key types and storage locations of key data.
  2. Ensure the policy aligns with NIST SP 800-88 Rev. 1, including the choice of Clear, Purge or Destroy for each media type in use.
  3. Review all change requests completed during the assessed period that include the deletion of key data, and inspect the locations where key data was used and stored before deletion to ensure all relevant key data has been securely deleted and that the policy and procedures defining key data deletion have been followed.
  4. Interview personnel who are responsible for the deletion of key data to ensure policy and procedures are known and understood.
  5. Ensure all personnel with access to key data have a right to access key data based on their role requirements.

Level 3 Compliance

The CCSS Committee has not provided guidance on what constitutes an acceptable audit trail. Therefore, we have provided our opinion on what constitutes an audit trail that we believe meets this requirement’s objective.

In our reading of the requirement, the following information must be available for every event where key data is securely deleted:

  1. The personnel who conducted the deletion of key data.
  2. Media identification attributes, such as make, model and serial number, that unambiguously identify the media. A MAC address identifies a network interface rather than a storage device, so it can identify a decommissioned host but should not be the only identifier recorded for a drive.
  3. The process(es) used to securely delete the key data and which deletion tool(s) were used.
  4. Other relevant information, for example proof that deletion completed successfully (the tool's verification output), management approval of the deletion, date and time of deletion, and the location of the sanitized media.

It is our opinion that a formal change request record under change management can hold this information, supplemented by immutable event records from the deletion tool or other key management software where available.
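As an added example of such an immutable event record, not code from the CCSS or the original article: a Python hash-chained log whose entries carry the fields listed above, so that altering or removing a past sanitization event breaks the chain on verification. The field names borrow from the sample certificate of sanitization in NIST SP 800-88 Rev. 1 Appendix G but are this example's own choice; the personnel names, serial numbers, timestamps and change-request identifiers in the demo are constructed.

```python
"""Tamper-evident sanitization audit trail: an added example, not code from the
CCSS or the original article. Each event is a record with the fields the text
asks for (performer, media identity, method/tool, verification, approval, time,
location); records are hash-chained so that editing or dropping a past entry is
detectable. Field names follow the NIST SP 800-88 Rev. 1 sample certificate of
sanitization (Appendix G) but are this example's own choice."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64
REQUIRED_FIELDS = (
    "performed_by", "media_make", "media_model", "media_serial",
    "method", "technique", "tool", "verification", "approved_by",
    "sanitized_at", "media_location",
)
METHODS = ("Clear", "Purge", "Destroy")  # SP 800-88 sanitization categories


def _entry_hash(seq: int, prev_hash: str, record: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so the hash covers every field
    and does not depend on key order or whitespace."""
    canonical = json.dumps({"seq": seq, "prev_hash": prev_hash, "record": record},
                           sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class SanitizationLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, record: dict) -> dict:
        """Validate the record, chain it to the previous entry, and store it."""
        missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
        if missing:
            raise ValueError(f"sanitization record missing fields: {missing}")
        if record["method"] not in METHODS:
            raise ValueError(f"method must be one of {METHODS}")
        seq = len(self.entries)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev_hash": prev, "record": dict(record)}
        entry["entry_hash"] = _entry_hash(seq, prev, entry["record"])
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """Recompute the chain. Returns (True, None) if intact, otherwise
        (False, seq) of the first entry whose hash or back-link no longer matches."""
        prev = GENESIS
        for expected_seq, entry in enumerate(self.entries):
            recomputed = _entry_hash(entry["seq"], entry["prev_hash"], entry["record"])
            if (entry["seq"] != expected_seq or entry["prev_hash"] != prev
                    or entry["entry_hash"] != recomputed):
                return False, expected_seq
            prev = entry["entry_hash"]
        return True, None


def demo_log() -> SanitizationLog:
    """Two constructed events. Names, serial numbers, timestamps and change
    request identifiers are made up for the example."""
    log = SanitizationLog()
    log.append({
        "performed_by": "ops-engineer-1",
        "media_make": "ExampleVendor", "media_model": "NVMe-1T", "media_serial": "SN-EXAMPLE-0001",
        "method": "Purge", "technique": "NVMe Format with cryptographic erase",
        "tool": "nvme-cli", "verification": "sampled read-back, no residual data",
        "approved_by": "security-manager", "sanitized_at": "2024-01-15T10:30:00Z",
        "media_location": "decommission cage, rack 3", "change_request": "CR-EXAMPLE-42",
    })
    log.append({
        "performed_by": "ops-engineer-2",
        "media_make": "ExampleVendor", "media_model": "HDD-4T", "media_serial": "SN-EXAMPLE-0002",
        "method": "Destroy", "technique": "degauss then shred",
        "tool": "contracted destruction vendor", "verification": "certificate of destruction on file",
        "approved_by": "security-manager", "sanitized_at": "2024-01-16T09:00:00Z",
        "media_location": "destroyed", "change_request": "CR-EXAMPLE-43",
    })
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", log.verify())
    log.entries[0]["record"]["media_serial"] = "SN-EXAMPLE-9999"  # simulated tampering
    print("after edit:", log.verify())
```

Editing any stored field invalidates that entry and every later one, which is what makes the record usable as audit evidence. Truncating the log by dropping the newest entries is not detected by the chain alone, so the latest entry hash should be anchored somewhere the log cannot rewrite, for instance copied into the change request record closed for that deletion.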

Summary

In this article aspect 2.02 Data Sanitization Policy (DSP) was reviewed in the context of a CCSS audit. Secure deletion of key data is a critical information security management control: it reduces the risk of key data being recovered from decommissioned or reused media and accessed without authorization.