Highlights from the September 23, 2021 webinar in the HBK Risk Advisory series, “Assessing Cybersecurity Risks,” hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Manager, HBK Risk Advisory Services, and featuring Jennifer Lamar, CEO, and Kevin Lamar, VP of Business Development, Northern Shore Services.
Businesses need to develop and maintain a policy for disposing of and destroying obsolete data, and often, the devices used to create and store that data. The webinar focused on data disposal and destruction techniques.
• Northern Shores Services provides third-party data disposal and destruction services, including policies and procedures for identifying and destroying obsolete data and, where necessary, data devices. Services are provided onsite or off-site, and include auditable reporting, compliance, and secure data destruction.
• Data destruction/media sanitization defined: the process of eradicating data found on storage media, either by destroying the media itself or by rendering the data inaccessible.
• Case study: Morgan Stanley’s $60 million Office of the Comptroller of the Currency (OCC) civil penalty for failure to exercise proper oversight of the 2016 decommissioning of two wealth management data centers:
– The bank failed to effectively evaluate or address risks associated with its hardware.
– It neglected to adequately assess the risk of subcontracting the decommissioning work.
– It lacked adequate due diligence in selecting a vendor and monitoring its performance.
– There were deficiencies in maintaining appropriate inventory of customer data stored on the decommissioned hardware.
– The OCC found the deficiencies constituted unsafe or unsound practices and resulted in noncompliance with “Interagency Guidelines Establishing Information Security Standards.”
– Downstream vendors included three players, one of which provided a certificate of indemnification falsely described as a certificate of destruction. The data mismanagement came to light when a buyer of the old devices found Morgan Stanley data on the storage devices he purchased. Businesses must be sure their providers are doing what they say they are doing.
• Exposure to data issues is often related to:
– The introduction of new technology
– Required upgrades to existing equipment
– Changes in staffing levels and office locations
– Compliance with corporate IT policy revisions
– Revisions to business models based on industry regulations
• Benefits of data destruction and asset recycling:
– Freeing up digital space
– Removing outdated IT assets
– Eliminating environmental and safety concerns associated with storage of old IT assets
– Security: prevent a potential data breach by destroying old information
– Reducing the time spent securing old data and maintaining obsolete inventory
– Convenience: can choose destruction onsite or offsite at vendor’s location
• According to the National Institute of Standards and Technology’s “Guidelines for Media Sanitization” in publication 800-88 revision 1, it’s the responsibility of the information owners to identify data categories and confidentiality levels, and determine the level of media sanitization required for their organization.
• To determine the appropriate method for sanitization, the organization should:
– Categorize the security level of the information
– Assess the media on which it’s stored
– Evaluate the risk to confidentiality
– Determine the future of the media
• Do a cost-benefit analysis before determining your method of sanitization
• Assume that if you don’t know what type of data you have or where it’s stored, you’re exposed.
• Optical CDs, magnetic hard drives, and flash-memory SSDs require different methods of physical destruction. More time is required to erase or overwrite a drive with more information. You must have access to the equipment and software needed to erase or destroy.
• An important factor in an organization’s sanitization decision is its responsibility for control over and access to its media.
• One organization can have several different data protection policies.
• Managers involved in developing a policy to accomplish information security include the CIO, the information system owner, an information steward, and a senior agency information security officer.
– A computer/information system security manager performs daily security implementation and administrative duties and coordinates security efforts.
– A property management officer ensures accountability for sanitizing media and devices to be redistributed internally, donated, or destroyed.
– A records management officer advises data owners of retention requirements.
– A privacy office provides guidance regarding privacy issues associated with the disposition of sensitive information.
– Users must know and understand the confidentiality of the information associated with their assignments.
• Actions taken to sanitize media include clear, purge, and destroy.
– Clear: applies logical techniques to sanitize data in all user-addressable storage locations for protection against non-invasive data recovery.
– Purge: applies physical or logical techniques that render targeted data recovery infeasible using state-of-the-art techniques.
– Destroy: renders targeted data recovery infeasible using state-of-the-art lab techniques and results in the inability to use the media for data storage.
– Choose the action based on what ultimately preserves the confidentiality of the data.
• Documentation: Once sanitization is completed, a certificate of media disposition should be created—a hard copy or an electronic record. It should include:
– Media information: manufacturer, model, type, serial numbers etc.
– System information, such as property tag or ID numbers
– Sanitization description (clear, purge, or destroy)
– Sanitization method (degauss, erasure, crushing, etc.)
– Verification method (full, spot check, etc.); if you use an erasure method, it must be verified in some way
– Date, time, and location
– Name, title, and signature of person performing the sanitization
• The format of the documentation is not as important as the content.
• Disposal/destruction techniques:
– Data wiping or overwriting: replacing data stored by writing meaningless data across the storage area
– Physical destruction: degaussing subjects media to an intense magnetic field with the intent of eradicating the data
– Shredding – using a strip-cut or cross-cut shredder to a specified particle size
– IT asset recycling – domestic recycling includes sorting, dismantling, mechanical separation and recovery of valuable materials
• Consumer data-bearing devices – if you dispose of, say, your smart TV, ensure your data is not still stored in it.
• A major hurdle to getting started on the project is identifying the information on the drive. Look at the age of the information and determine the type of information stored as a first step.
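The certificate contents listed above, together with the inventory deficiency cited in the Morgan Stanley case, suggest a simple reconciliation check. The following is an added example, not material from the webinar or from Northern Shore Services: it validates vendor certificates of media disposition against a list of decommissioned serial numbers. The field names, method labels, and sample records are assumptions constructed for illustration.

```python
# Field names are assumptions; they mirror the items the article lists.
REQUIRED = ("manufacturer", "model", "media_type", "serial_number",
            "property_tag", "action", "method", "date_time", "location",
            "operator_name", "operator_title", "signature")
ACTIONS = {"clear", "purge", "destroy"}
ERASURE_METHODS = {"erasure", "overwrite"}  # assumed method labels


def _value(cert, name):
    return str(cert.get(name) or "").strip()


def check_certificate(cert):
    """Return the problems found in one certificate record (a dict)."""
    problems = [f"missing {n}" for n in REQUIRED if not _value(cert, n)]
    action = _value(cert, "action").lower()
    if action and action not in ACTIONS:
        problems.append(f"unknown action: {action}")
    if not _value(cert, "verification"):
        erasure = _value(cert, "method").lower() in ERASURE_METHODS
        problems.append("erasure not verified" if erasure
                        else "missing verification")
    return problems


def reconcile(inventory_serials, certificates):
    """Compare decommissioned-asset serials with the certificates received."""
    inventory, certified = set(inventory_serials), set()
    report = {"invalid": {}, "unexpected": [], "uncertified": []}
    for cert in certificates:
        serial = _value(cert, "serial_number") or "<no serial>"
        problems = check_certificate(cert)
        if problems:
            report["invalid"][serial] = problems
        elif serial in inventory:
            certified.add(serial)
        if serial not in inventory:
            report["unexpected"].append(serial)
    report["uncertified"] = sorted(inventory - certified)
    return report


# Constructed sample data, not taken from the webinar.
BASE = {"manufacturer": "ExampleCo", "model": "X1", "media_type": "SSD",
        "serial_number": "SN-A1", "property_tag": "TAG-001",
        "action": "destroy", "method": "crushing", "verification": "full",
        "date_time": "2024-01-15T10:00", "location": "onsite",
        "operator_name": "J. Doe", "operator_title": "Technician",
        "signature": "on file"}
CERTS = [BASE,
         {**BASE, "serial_number": "SN-B2", "action": "purge",
          "method": "erasure", "verification": ""},
         {**BASE, "serial_number": "SN-Z9"}]
REPORT = reconcile(["SN-A1", "SN-B2", "SN-C3"], CERTS)
```

Any serial left under `uncertified` is a device that left inventory without acceptable proof of sanitization, which is the gap to close before the asset is released to a downstream vendor.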