Certification Vs. Compliance
There is a significant difference between software claiming to comply with standards and the software tools receiving certifying compliance. We don’t believe our customers should have to verify that WipeDrive does what we claim, so we are have received Common Criteria certification at EAL2+. This certification enables the software to be used by 26 countries (Australia, Canada, France, Germany, India, Italy, Japan, Malaysia, Netherlands, Norway, New Zealand, South Korea, Spain, Sweden, Turkey, United Kingdom, United States, Austria, Czech Republic, Denmark, Finland, Greece, Hungary, Israel, Pakistan, and Singapore) that use the Common Criteria certification scheme.
When you see wiping software that claims to “comply” with standards, all it means is that they may comply but there is no outside body that has independently verified and authenticated their compliance.
Risk Vs. Cost Of Avoiding Risk
We recognize that there is a trade off between risk and the cost of avoiding risk. But many of our larger customers, like the DoD, Air Force and DHS, don’t have the option of accepting any level of risk. Our software is designed with their input to address their needs so all our customers benefit.
We start with each of the published standards (HIPPA, Sarbanes-Oxley, SOX, GLB, PCI, NIST 800-88) as a minimum security level. Working with our most risk-averse customers we have added features that allow both operational efficiency and increased security; such as remote wiping, digitally signed audit logs and fully scripting the wipe process to eliminate human error, and faster wiping speed.
What Does The Common Criteria EAL2+ Certification Mean?
Since 1998, the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), in cooperation and collaboration with the U.S. State Department, worked closely with their partners in the CC Project to produce a mutual recognition arrangement for IT security evaluations.
U.S. Government and its foreign partners in the arrangement share the following objectives with regard to evaluations of IT products and protection profiles:
- Ensure that evaluations of IT products and protection profiles are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles.
- Increase the availability of evaluated, security-enhanced IT products and protection profiles for national use.
- Eliminate duplicate evaluations of IT products and protection profiles.
- Continuously improve the efficiency and cost-effectiveness of security evaluations and the certification/validation process for IT products and protection profiles.
The Common Criteria certification requires in-depth product testing to meet expected performance. This testing and certification was performed and evaluated for WipeDrive’s conformance to international standards.
Certified Erasure Tools
The Common Criteria EAL 2+ certification report states that WipeDrive provides data destruction in accordance with US DoD 5220.22-M. And WipeDrive complies with all of the following disk wipe standards:
- NIST 800-88 r1
- US DoD 5220.22-M
- Standard single pass overwrite
- US Army AR380-19
- US Air Force System Security Instruction 5020
- US Navy Staff Office Publication P-5329-26
- US National Computer Security Center TG-025
- Australian Defense Signals Directorate ACSI-33 (X0-PD)
- Australian Defense Signals Directorate ACSI-33 (X1-P-PD)
- Canadian RCMP TSSIT OPS-II Standard Wipe
- CIS GOST P50739-95
- GB HMG Infosec Standard #5 Baseline
- GB HMG Infosec Standard #5 Enhanced
- German VSITR
Potential Risks Of Non Certified Wiping Software
Standards, like HIPPA, Sarbanes-Oxley, SOX, GLB, PCI, NIST 800-88, contain one common, overriding standard: that all drive data must be overwritten. Other data erasure software and free open source drive deletion software clearly falls short of this basic goal.
HPAs And DCOs
Some wiping software does not remove HPAs (Host Protected Areas) and DCOs (Drive Configuration Overlays) this means that the data in these partitions won’t be overwritten. Also the possibility exists of someone creating a hidden partition on the drive. Not wiping these hidden partitions is both a security risk and a compliance issue.
WipeDrive securely overwrites these hidden partitions. The Common Criteria EAL2+ certification states that neither Host Protected Areas (HPA) and Device Configuration Overlays (DCO) remain after WipeDrive has completed. Testing the removal these hidden partitions was a key element of the WipeDrive Security Target.