R2v3 Appendix B – Logical Sanitization Requirements
Appendix B of the R2v3 Standard defines the requirements for recyclers engaged in data sanitization. Any device containing data, or potentially containing data, can be sanitized by either of two means:
· Logical sanitization – data sanitization using data erasure software, and/or
· Physical sanitization – physical destruction of data-containing devices.
Who is Appendix B applicable to?
Appendix B – Data Sanitization is applicable to any recycler:
· A recycler who performs logical sanitization of devices
· A recycler who performs physical sanitization
· A recycler who performs both logical and physical sanitization
So, if your organization only performs logical sanitization then you will only be audited against those requirements in Appendix B that apply to that process. This blog post will focus on the logical sanitization software requirements.
Appendix B in general is concerned with the following:
· Development of a Data Sanitization Plan
· Training and Evaluation of employees working with data containing devices
· Device markings
· Security Controls
· Data Security and Sanitization Audits
· Logical Destruction Requirements
· Quality control
This blog post will focus specifically on Logical Data Destruction requirements and Quality Control of the logical data sanitization requirements.
Appendix B, Requirements 10 through 14
These requirements (per the R2v3 standard) include:
(10) Where logically sanitized, electronic records of data sanitization created by the software used to sanitize the data shall be maintained for each unique identifier of the data storage media.
(11) Data sanitization software used shall be:
(a) Configured to sanitize all user-addressable locations on the data storage media containing data that was not original when the device was purchased, and
(b) Configured to fail the media if any user-addressable locations cannot be sanitized, and
(c) Maintained with software patches, and
(d) Verified to be a currently supported version before use.
(12) All logins, passwords, locks, or any other connections to a remote service shall be removed and no longer connected to the device.
Recyclers performing logical data sanitization must use automated software when such software exists for that device.
For example, if you are wiping a MacBook Pro, you cannot use a factory reset or format the hard disk when automated software exists to perform that task.
In November 2022, SERI (Sustainable Electronics Recycling International) released a Formal Interpretation of these requirements.
R2V3 FORMAL INTERPRETATION #1.0 – DATA SANITIZATION SOFTWARE
EFFECTIVE: NOVEMBER 29, 2022
The R2 Standard Consensus Body has approved this Formal Interpretation in line with Article 10 – Interpretations Policy in the SERI Manual of Policies and Procedures for R2 Standard Development and the ANSI Standards Development process. This Formal Interpretation is hereby published by SERI and effective on November 29, 2022.
QUESTION Logical Sanitization in Appendix B references the use of “software” in requirements (10) and (11). Is “software” limited to applications that automate the logical sanitization process and create a record of the sanitization?
FORMAL INTERPRETATION “Software” is intended to mean applications that automate, control, and record results of data sanitization for each unique identifier. Because performing manufacturer-provided factory resets directly on a device do not always make data irrecoverable by commercial software, sanitization by software methods must be the primary method of logical sanitization. However, on some devices, manufacturer-provided factory resets may be the only available option (when a device is functional and not damaged). For a specific device containing data, when no software exists that fully automates, controls, and records the data sanitization results, “software” can extend to include the application that is directing, controlling, and recording the manual workflow to sanitize the data according to the manufacturer provided instructions (“manufacturer reset”). The software facilitating the manufacturer-prescribed data sanitization process and recording its results shall be demonstrated to fulfill the data sanitization software requirements in Appendix B (11) and the records requirements in Appendix B (10).
Any software that meets these requirements can be utilized. SERI has also put together a list of software meeting these requirements:
Sanitization Software Examples (company):
· Certus Software GmbH
· Extreme Protocol Solutions
· iMT (iDea Mobile Tech)
· Stellar Data Recovery (BitRaser)
· Stellar Data Recovery
*Note that this list is not comprehensive and does not list all available software solutions. In addition, this resource is not a recommendation or endorsement of any of the software programs listed, nor a validation of their effectiveness.
The next set of requirements around logically sanitized devices speaks to sampling and validation of your chosen sanitization process:
(13) A minimum of 5% of logically sanitized data storage media shall be routinely sampled by a competent and independent party to demonstrate data is not recoverable by commercial software, and where continued sampling results demonstrate:
(a) No issues with the sanitization process, subsequent sample sizes may be decreased to no less than 1%, with continued routine sampling; or
(b) Nonconformity or other sanitization issues, corrective actions are promptly initiated and nonconforming product appropriately managed, and sampling is increased until no further issues are identified.
This requirement calls for sampling of your previously sanitized devices: a minimum of 5% of sanitized devices must be re-checked to ensure no data remains on the wiped devices. This check must be performed by a different individual than the one who originally wiped the device (hence a competent and independent party).
The 5% sampling of sanitized devices is essentially a double-check and validation of your initial logical data sanitization process.
“Commercial software” in Appendix B(13) refers to the level of data recovery techniques applied to the sampling method. Commercial software is a level between basic visual inspection for data and forensic laboratory analysis. It means a level where data could not be recovered by software designed for data recovery that a normal user could download or purchase and use to recover data from a device.
Devices where data sanitization is unsuccessful or failed or the sanitization cannot be verified:
(14) If logical sanitization is unsuccessful or cannot be verified, then the item or data-bearing component must be physically destroyed in accordance with the requirements above.
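How the sampling in (13) and the failure handling in (14) could be planned from the wipe software's records, as an added example that is not part of the R2v3 standard or the original post. The record fields, operator names, and the step-up/step-down policy (`rounds_to_reduce`, `step_up`) are assumptions; the standard itself only fixes the 5% minimum and the 1% floor.

```python
import random

INITIAL_PCT = 5   # Appendix B (13): sample at least 5% of sanitized media
FLOOR_PCT = 1     # (13)(a): never sample less than 1%

def select_sample(records, rate_pct, verifiers, seed=None):
    """Pick ceil(rate_pct% of passed media) and assign an independent verifier."""
    if rate_pct < FLOOR_PCT:
        raise ValueError("sampling rate is below the 1% floor")
    passed = [r for r in records if r["result"] == "pass"]
    count = -(-rate_pct * len(passed) // 100)          # integer ceiling
    rng = random.Random(seed)
    plan = []
    for rec in rng.sample(passed, count):
        # Independence: the verifier must not be the person who ran the wipe.
        independent = [v for v in verifiers if v != rec["operator"]]
        if not independent:
            raise ValueError(f"no independent verifier for {rec['media_id']}")
        plan.append((rec["media_id"], rec["operator"], rng.choice(independent)))
    return plan

def disposition(records):
    """(14): media whose wipe failed or cannot be verified is destroyed."""
    return {r["media_id"]: "eligible-for-sampling" if r["result"] == "pass"
            else "physical-destruction" for r in records}

def next_rate_pct(current_pct, issues_found, clean_rounds,
                  rounds_to_reduce=3, step_up=2):
    """Assumed site policy: multiply on any issue, drop to 1% after N clean rounds."""
    if issues_found:
        return min(100, max(INITIAL_PCT, current_pct * step_up))
    if clean_rounds >= rounds_to_reduce:
        return FLOOR_PCT
    return current_pct

# Constructed wipe log: 40 media, two that did not sanitize cleanly.
RECORDS = [{"media_id": f"SN-{i:04d}",
            "operator": "op-a" if i % 2 else "op-b",
            "result": {7: "fail", 19: "unverified"}.get(i, "pass")}
           for i in range(40)]

if __name__ == "__main__":
    for media_id, wiped_by, verifier in select_sample(
            RECORDS, INITIAL_PCT, ["op-a", "op-b", "qa-1"], seed=1):
        print(f"{media_id}: wiped by {wiped_by}, verify with {verifier}")
    print(next_rate_pct(INITIAL_PCT, issues_found=False, clean_rounds=3), "% next")
```

Rounding the sample count up keeps small batches at or above the minimum percentage, and a batch with no independent verifier available raises an error instead of silently assigning the original operator.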
The last part of Appendix B (15-17) discusses Quality Control pertaining to logically sanitized devices:
(15) Quality controls shall be implemented to verify that received equipment and components containing
(a) were processed as planned, and
(b) quantities processed match quantities received, and
(c) suppliers are notified of any discrepancies.
(16) After verification of (15)(a)-(c) above, data storage devices shall be approved for release by the Data Protection Representative and records retained.
(17) When quality control issues are detected, corrective actions shall be implemented in accordance with the data sanitization plan.
These sections are simply a quality control check to ensure that logical data sanitization procedures or work instructions have been followed, and that the number of data-containing devices received that required sanitization matches the number sanitized, as verified by the records for those sanitized devices. Lastly, if any devices fail sanitization, the suppliers shall be notified so that they can provide input into how they would like the device to be handled.
What used electronic devices does SERI’s R2v3 standard care about?
The R2v3 Standard is focused on the control and management of what the standard defines as Controlled Streams or materials defined as or containing Focus Materials.
R2 Applicability - Controlled streams are defined as…
SERI R2v3 – R2 Equipment Categorization Guide version 1.0 – Table 1
Unrestricted streams are electronic devices, equipment or components that R2 requirements do not apply to.
Focus Material is defined as:
· Mercury Containing Devices
· Circuit Boards
· Poly-Chlorinated Biphenyls
· Cathode Ray Tube Televisions (CRTs)
Lastly, the R2 Equipment Categorization Guide discusses the data sanitization status. The status should be easily identifiable if an auditor were to walk through your facility. Labelled areas/shelves/bins are advised to ensure visual sorting of items that may or may not contain data versus those devices that have been sanitized or verified to be non-data-containing devices.
SERI R2v3 – R2 Equipment Categorization Guide version 1.0 – Table 2
R2v3 SERI Resource Links:
SERI R2v3 – https://sustainableelectronics.org