Product Assurance 2023

Since 2016, ADISA's Product Assurance Scheme has been certifying data sanitisation products and companies through a process that combined reviewing software development policies with assessing the outcome of software usage. This is a higher level of assurance than the Product Claims Test, which only assesses the outcomes.

Launching in 2023, the Product Assurance 2023 Scheme is an evolved and improved version of the old Product Assurance Scheme. The need to present policies has been removed; this requirement is now included in the higher-level Certified Sanitisation Software Vendor scheme and verified by a physical audit at the software house itself. Within Product Assurance 2023, the sample size of hard drives and solid-state drives has been expanded so that all interface types are now included, and there is a new command set verification test, which is detailed below.

Including Command Set Verification

Sanitisation specifications such as NIST SP 800-88 and IEEE 2883 specify particular command sets to be issued to storage media to execute a feature of that storage media. The command set verification part of Product Assurance 2023 evaluates how a presented piece of software meets specific parts of sanitisation standards / guidelines, and also performs forensic data recovery to confirm that the command had the required outcome.

An example could be the verification of how a piece of software meets the NIST 800-88 clear and purge commands. This certification would be presented by media type and by interface, as well as assessing additional requirements for verification and creation of records.

The Product Assurance 2023 scheme is presented as an independent third-party certification which offers greater assurance for organisations who are using the software concerned, or who are building a specification for what products are to be used on their behalf when sanitising media.

Certification is achieved by:

  • Analysing the command sets which are issued by the software by media type and interface.
  • Analysing against both purge and clear.
  • Assessing whether the commands are supported by the media and, if not, what the software does in those instances.
  • Reviewing how verification is carried out.
  • Reviewing how records are created and ensuring the information they contain meets the specific Standard / Guideline requirements.
  • For each media and interface type, a level 2 data recovery attack is carried out in an attempt to recover data.

To find out more email adisarc@adisa.global