What Is the NZSIT 402 Method?

Details on the NZSIT 402 Data Wipe Method

Picture of a hand erasing equations on a chalkboard
© Jeffrey Coolidge / Stone / Getty Images

NZSIT 402 is a software based data sanitization method that's used as the standard wipe method by the New Zealand government and any contractor or consultant that provides services to the government.

Erasing a hard drive using the NZSIT 402 data sanitization method will prevent all software based file recovery methods from lifting information from the hard drive and is also likely to prevent most hardware based recovery methods from extracting information.

I keep a list of file shredder and data destruction programs that can be used to overwrite existing information on a hard drive or other storage device.

This sanitization method is oftentimes written with a hyphen like NZSIT-402.

What Does the NZSIT 402 Wipe Method Do?

The NZSIT 402 data sanitization method is typically implemented in the following way:

  • Pass 1: Writes a random character and verifies the write

This means that, like the Random Data and Gutmann method, NZSIT 402 just writes a random character over every piece of information on the device. These are different than other wipe methods like Write Zero, which just uses zeros.

To pass the NZSIT 402 policy defined by the New Zealand government, the software must also check to make sure that everything has actually been overwritten, which is the "verify" part of the method. This is clearly stated in the PDF file linked below: "When sanitizing media, it is necessary to read back the contents of the media to verify that the overwrite process completed successfully."

Other data sanitization methods that are extremely similar to NZSIT 402 include ISM 6.2.92, HMG IS5, CSEC ITSG-06, NAVSO P-5239-26, and RCMP TSSIT OPS-II. Each of these methods writes a random character and then finishes by verifying the write.

It's possible that a program that uses NZSIT 402 will let you make more than one pass over the drive, or it will do so automatically, like what you see when the Pfitzner method is used. This just means that it will do the exact same thing one more time (or 10 more times, etc.). Additional passes just mean that a random character (or whatever character the method uses) is written over an already-randomized piece of information.

If the software you're using doesn't support multiple passes, you could simply run the method again as many times as you like. This is true for NZSIT 402 as well as any other data sanitization method that you're using.

Programs That Support NZSIT 402

The only programs I know of that explicitly state that they use the NZSIT 402 method to erase data is FastDataShredder and Extreme Protocol Solutions' XErase software, but only the trials are free to use.

However, there are several free programs that support erasure methods that both write random characters to the drive and then verifies that the drive has been overwritten. Eraser, Disk Wipe, WipeFile, Privazer and Delete Files Permanently are a few.

These programs and most other data destruction programs provide the ability to use more than just one data sanitization method, so you can usually use them to run other data wipe methods too.

Is NZSIT 402 Better Than Other Data Wipe Methods?

The answer to this question depends entirely on what you want to use the data sanitization method for, and if there are any requirements that must be met when you're erasing the data. For most people, however, NZSIT 402 is just as good as any other method.

Since data recovery programs most likely can not recover any data from a drive that's been overwritten with random data, you're equally safe using NZSIT 402 versus any other similar wipe method, like the ones mentioned above.

You can be confident that the data has been appropriate overwritten so long as the software reports back that the verification finished successfully. This is true for any wipe method, not just NZSIT 402.

However, something else to consider is standards. If you're erasing the hard drive for business purposes or some other reason in which a particular wipe method must be used, don't settle on something that isn't approved.

For example, if you're told that you have to have the data overwritten with more than one pass, you're better off using a different random data wipe method that actually utilizes multiple passes.

More About NZSIT 402

The NZSIT 402 (plus 400 and 401) sanitization method was originally defined in the New Zealand Security of Information Technology (NZSIT) manual. The latest version of NZSIT 402 replaced the previous policy in 2010 and has been defined in the New Zealand Information Security Manual (NZISM).

You can download the newest publication in the PDF format from the New Zealand Government Communications Security Bureau (GCSB) website. The last version was updated in July of 2016 and replaces every previous manual.

There are two parts to the manual including a change register that details the most recent changes to the policies. You can find the change register here, which documents the changes from NZISM November 2015 v2.4 to NZISM July 2016 v2.5.

You can find both parts to the older manual (v2.4) on the Protective Security Requirements page of the New Zealand government website, here and here.