Product Assurance (PA)
Using rigorous testing to verify the commands that the software sends to different media types and interfaces.
- Verification of compliance to NIST 800-88 and/or IEEE 2883 Clear and Purge for supported media and interfaces.
- Confirmation of software behaviour when a drive that does not support the required commands is presented for erasure.
- Data recovery techniques applied provide evidence that the product offers greater assurance than Product Claims Test, with commands confirmed and outcomes verified.
- Compliance with sanitization requirements laid out in NIST 800-88 and/or IEEE 2883 by interface type and media type within the test scope.
- Certified products under Product Assurance offer a higher level of assurance, moving from trust to confidence in their functionality.
What is a product assurance test?
A product assurance test offers your customers confidence that the product under evaluation meets the requirements of recognised guidelines and Standards for example, NIST800-88 and IEEE 2883, such that the outcomes of its use can be assured.
The core principle of this test is that user data
must be rendered irretrievable using compromised methods aligned to particular threat actors.
This is a process whereby a laboratory attack is made on a sanitised piece of media to attempt to recover data using sophisticated techniques to mirror potential threat actors. We use this approach to verify the viability of products for use as data sanitisation tools is risk based.
How does ADISA measure threat?
To introduce structure into this process and to allow comparisons to be made, ADISA utilises a Threat Matrix which allows organisations to assess whether the testing undertaken on a particular product is sufficient for their purposes.
The threat matrix defines three test levels which in turn define a series of capabilities that a threat actor/agent may wish to bring against an asset either by direct access to the asset or access via its location within a device.
What is the difference between product claims test and product assurance test?
A product claims test is a claim is made about the suitability of a data sanitisation product to render the data on a target set of media irretrievable.
Product assurance tests sanitisation products against recognised standards NIST 800-88 and IEEE 2883.
While a product claims test ensures that the outcome of the sanitisation process is inline with the claim, product assurance tests the process as well as the outcome, analysing the specific sanitisation commands sent by the test media to the target device.
