Watch: Why Organizations Must Have a Data Destruction Policy

Date: August 23, 2023

Highlights of the August 23, 2023 edition of the HBK Risk Advisory Services monthly webinar series hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services, and this episode featuring Jennifer Lamar, CEO, and Kevin Lamar, VP Business Development, Northern Shores Services.

Northern Shores Services offers the option of having data destroyed on-site or off-site. They erase data, physically destroy data and devices, and provide reporting.

The Office of the Comptroller of the Currency (OCC) assessed Morgan Stanley a $60 million civil penalty. The bank hired a moving company instead of a data destruction firm, and it was determined that the bank failed to evaluate or address risks associated with the decommissioning of its hardware. Because the bank didn’t specify that drives should be erased, the drives were sold on the secondary market, and purchasers found Morgan Stanley data, including clients’ personal data.

Problems in past years included:

  • Deleting files doesn’t get rid of the data.
  • Some copiers have data-bearing drives.
  • Devices like your refrigerator and vehicle now house data as well.

Factors that drive the need for data destruction and IT asset recycling:

  • Changing out to new technology in the marketplace
  • Upgrading existing equipment
  • Changes in staffing levels and office locations
  • Compliance with corporate IT policy revisions
  • Revisions to business models based on industry regulations

Assessing data and asset recycling. Consider as issues: security, space, time, conditions and convenience.

Consideration: Cybersecurity measures are used to protect data during its active lifecycle, but data no longer needed often becomes more valuable to data thieves.

Terms and definitions

  • Media vs. data: media, the physical platform; data, the actual information.
  • Data destruction: the process of removing data by rendering it inaccessible
  • Media destruction: when media is destroyed to destroy the data it contains
  • Data wiping: the process of removing data from electronic storage media by overwriting it with meaningless data, leaving the media intact and operational
  • HDD: hard drive with spinning storage platters
  • SSD: solid-state drive with no moving parts
  • Flash media: simple storage media using chips instead of spinning platters

Developing Your Policy

NIST Special Publication 800-88 Revision 1 (U.S. Department of Commerce)

  • Provides general information on acceptable media sanitization methods
  • Objective is to assist with decision-making when media requires disposal, reuse, or is leaving the control of the organization
  • The information owner is responsible for identifying data categories and confidentiality levels, and for determining the level of media sanitization required for their organization

To decide on the appropriate method for your organization:

  • Categorize the security level of the information to be disposed of
  • Assess the media on which it’s stored
  • Evaluate the risk to confidentiality (extremely important)
  • Determine the future of the media: donate, reuse, or destroy

Considerations for determining what to do with media assets

  • Determine the type and storage capacity of the media.
  • Security and confidentiality: What kind of information is on the drive?
  • The physical location of the media: Is it in a secure, controlled area?
  • Personnel performing the sanitization: Do you have the personnel or do you need to outsource?
  • Volume of media to be sanitized
  • Availability of equipment for sanitization
  • Training level of the personnel: Are they familiar with the process and have the time to tackle the task (large capacity hard drives can take hours)?
  • Total cost of the sanitization process

Is any particular industry more at risk? Not the industry specifically, but leadership’s position on destroying or retaining data.

  • Consumers need to be particularly careful disposing of smart TVs.

Additional considerations

  • Responsibility for control over and access to the media
  • Data protection levels: varying data protection policies for different company departments
  • Senior management is ultimately responsible for creating and maintaining an effective information security program. But data end users must know the confidentiality of the information associated with their roles.

Data destruction techniques:

  • Clear: applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques
  • Purge: applies physical or logical techniques that render storage data recovery unfeasible outside of state-of-the-art laboratory techniques
  • Destroy: rendering target data recovery unfeasible using state-of-the-art laboratory techniques

Factors in the policy decision-making process:

  • Start by identifying the type of data stored on a device.
  • Choose efficient techniques that ultimately preserve the confidentiality of the data.
  • Purge or clear may be more appropriate than destroy when facing environmental concerns.
  • Risk decision should include the consequence if information is retrieved, the cost of information retrieval, and the cost of sanitization.
  • NIST 800-88 requires documentation and maintaining “certificates of media disposition,” including sanitization method and verification method. The amount of information required is based on the confidentiality level of the data sanitized.

Three NIST appendices to help you get your policy in place:

  • Appendix A specifies the minimum recommended sanitization techniques to clear, purge or destroy various media.
  • Appendix B defines terms used in the guide.
  • Appendix G provides a sample certificate of sanitization for documenting an organization’s sanitization activities.

Practical applications:

  • A sound data destruction policy should address the creation and maintenance of an inventory list to track data storage devices.
  • The inventory should include items such as device type, manufacturer, model, serial no., lifecycle state, location, and ownership details.
  • Devices can be desktops, laptops, tablets, servers, routers and switches, smartphones, printers/scanners/copiers, hard drives, tapes, black media, etc.

Data wiping/overwriting:

  • Advantages: great audit trail potential, can be very secure, allows for reuse
  • Disadvantages: time-consuming, can be complex and require more employee training than physical destruction methods, and SSDs may be subject to wear-leveling

Physical Destruction: Degaussing (subjecting media to a magnetic field with the intent of eradicating data)

  • Advantages: clean, simple to execute, most tools are portable
  • Disadvantages: no visual feedback, reporting limited, QC requires forensic analysis, some equipment requires periodic calibration to manufacturer specifications

Physical Destruction: Shredding

  • Advantages: simple to execute, strong visual confirmation, widely accepted
  • Disadvantages: a dirty process (have to dispose of the waste), less portable

Physical Destruction: Crushing (typically with a bending wedge or conical punch)

  • Advantages: portable, simple to execute, visual confirmation, surprisingly secure, minimal employee safety risk
  • Disadvantages: limited throughput, marginal reliability, material recovery sometimes difficult

Note: Get input on needs from different departments to combine into an overall company data destruction policy.

Takeaway: The popularity of SSDs has thrown a wrinkle into data destruction policy, as they require very specific physical destruction.
