Webinar: Why Manufacturers Must Have a Business Data Destruction Policy

Date November 17, 2021
Authors Amy M. Reynallt

Highlights from the November 17, 2021 webinar, hosted by Amy Reynallt, Manager, HBK Manufacturing Solutions, and featuring Jennifer Lamar, CEO, and Kevin Lamar, VP of Business Development, Northern Shore Services.

Businesses need to develop and maintain a policy for disposing of and destroying obsolete data, and often, the devices used to create and store that data. The webinar focused on data disposal and destruction techniques.

• Northern Shores Services offers an array of solutions to organizations looking for a reliable and secure way to sanitize their unwanted media. It provides third-party data disposal and destruction services, including policies and procedures for identifying and destroying obsolete data and, where necessary, data devices. Services are provided onsite or off-site, and include auditable reporting, compliance, and secure data destruction.

• Services include internal data destruction and policies, including data erasure, physical destruction, and audit-defensible reporting:

– Recycling IT assets to comply with internal IT replenishment projects and policies for end-of-life equipment

– Secure, on-site service for any or all facilities

• Data destruction/media sanitization defined: the process of eradicating data found on storage media, either by destroying the media itself or by rendering the data inaccessible.

• Case study: Morgan Stanley’s $60 million Office of the Comptroller of the Currency (OCC) civil penalty for failure to exercise proper oversight of the 2016 decommissioning of two wealth management data centers:

– The bank failed to effectively evaluate or address risks associated with its hardware.

– It neglected to adequately assess the risk of subcontracting the decommissioning work.

– It lacked adequate due diligence in selecting a vendor and monitoring its performance.

– There were deficiencies in maintaining appropriate inventory of customer data stored on the decommissioned hardware.

– The OCC found the deficiencies constituted unsafe or unsound practices and resulted in noncompliance with “Interagency Guidelines Establishing Information Security Standards.”

– Downstream vendors included three players, one of which provided a certificate of indemnification falsely described as a certificate of destruction. The data mismanagement came to light when a buyer of the old devices found Morgan Stanley data on the storage devices he purchased. Businesses must be sure their providers are doing what they say they are doing.

• It’s important to know your data inside out and how to protect it.

• Exposure to data issues is often related to:

– The introduction of new technology

– Required upgrades to existing equipment

– Changes in staffing levels and office locations

– Compliance with corporate IT policy revisions

– Revisions to business models based on industry regulations

• Benefits of data destruction and asset recycling:

– Freeing up digital space

– Removing outdated IT assets

– Eliminating environmental and safety concerns associated with storage of old IT assets

– Security: prevent a potential data breach by destroying old information

– Reducing the time spent securing old data and maintaining obsolete inventory

– Convenience: can choose destruction onsite or offsite at vendor’s location

• Data no longer needed often becomes more vulnerable to theft.

• File deletion, formatting, and resetting do not remove actual data, only the references to it.

• According to the National Institute of Standards and Technology’s “Guidelines for Media Sanitization” in publication 800-88 revision 1, it’s the responsibility of the information owners to identify data categories and confidentiality levels, and determine the level of media sanitization required for their organization.

• To determine the appropriate method for sanitization, the organization should:

– Categorize the security level of the information

– Assess the media on which it’s stored

– Evaluate the risk to confidentiality

– Determine the future of the media

• Do a cost-benefit analysis before determining your method of sanitization, but you have to choose the most effective method.

• Considerations when making a data sanitization decision:

– Type and storage of media: optical CDs, magnetic hard drives, and flash-memory SSDs require different methods of physical destruction. More time is required to erase or overwrite a drive with more information. You must have access to the equipment and software needed to erase or destroy. Related factors include the security/confidentiality of the data that the storage media contains, the physical location of the media, and the personnel performing the sanitization (internal or external contractor).

– Volume of media to be sanitized

– Availability of sanitization equipment

– Training level of personnel performing sanitization

– Time required for data sanitization

– Total cost of sanitization: equipment, software, training, disposal

• Additional considerations:

– Control of media

– Data protection level: one organization can have several different data protection policies.

• Actions taken to sanitize media include clear, purge, and destroy.

– Clear: applies logical techniques to sanitize data in all user-addressable storage locations for protection against non-invasive data recovery.

– Purge: applies physical or logical techniques that render targeted data recovery infeasible using state-of-the-art techniques.

– Destroy: renders targeted data recovery infeasible using state-of-the-art lab techniques and results in the inability to use the media for data storage.

– Choose the action based on what ultimately preserves the confidentiality of the data.

• Documentation: Once sanitization is complete, a “certificate of media disposition” should be created—a hard copy or an electronic record. It should include:

– Media information: manufacturer, model, type, serial numbers, etc.

– System information, such as property tag or ID numbers

– Sanitization description (clear, purge, or destroy)

– Sanitization method (degauss, erasure, crushing, etc.)

– Verification method (full, spot check, etc.); if you use an erasure method, it must be verified in some way

– Date, time, and location

– Name, title, and signature of person performing the sanitization

• The NIST 800-88 appendices are useful in preparing to develop your data destruction policy. Components to include in your policy:

– Purpose/scope/objective

– Regulatory requirements of your industry

– Data categories and confidentiality levels

– Roles & responsibilities

– Media control

– Media destination

– File backup requirements

– Data destruction methods

– Documentation

– Policy enforcement

– Incident reporting

• A sound data destruction policy should address the creation and maintenance of an inventory list to track all data storage devices.
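
As an added illustration (not material from the webinar), the sketch below audits certificate-of-media-disposition records against a device inventory, using the certificate fields listed above and the rule that an erasure method must be verified. The field names, the set of methods treated as erasure, and every sample record are assumptions constructed for the example.

```python
# Added example: audit certificates of media disposition against a device inventory.
# Field names and all sample records are constructed for illustration.
REQUIRED = ("manufacturer", "model", "media_type", "serial", "asset_tag",
            "action", "method", "verification", "datetime", "location",
            "operator_name", "operator_title", "signature")
ACTIONS = {"clear", "purge", "destroy"}
ERASURE_METHODS = {"erasure", "overwrite"}  # assumption: methods that need verification

BASE = dict(manufacturer="ExampleCo", model="X1", media_type="HDD",
            serial="SN-1001", asset_tag="TAG-01", action="purge",
            method="degauss", verification="full", datetime="2021-11-17T10:00",
            location="Plant A", operator_name="J. Doe",
            operator_title="IT Technician", signature="on file")
CERTS = [  # constructed sample certificates
    BASE,
    {**BASE, "serial": "SN-1002", "action": "clear", "method": "erasure",
     "verification": "none"},
    {**BASE, "serial": "SN-1003", "action": "indemnified"},
    {**BASE, "serial": "SN-9999", "signature": ""},
]
INVENTORY = {"SN-1001", "SN-1002", "SN-1003", "SN-1004"}  # constructed inventory


def audit_certificates(certs, inventory):
    """Return (serial, problem) findings for incomplete or unmatched records."""
    findings, seen = [], set()
    for cert in certs:
        serial = str(cert.get("serial", "")).strip() or "<no serial>"
        seen.add(serial)
        missing = [f for f in REQUIRED if not str(cert.get(f, "")).strip()]
        if missing:
            findings.append((serial, "missing fields: " + ", ".join(missing)))
        action = str(cert.get("action", "")).strip().lower()
        if action and action not in ACTIONS:
            findings.append((serial, f"action '{action}' is not clear/purge/destroy"))
        method = str(cert.get("method", "")).strip().lower()
        verification = str(cert.get("verification", "")).strip().lower()
        if method in ERASURE_METHODS and verification in ("", "none"):
            findings.append((serial, "erasure recorded without verification"))
        if serial not in inventory:
            findings.append((serial, "serial not in inventory"))
    # Devices in the inventory that never received a certificate.
    for serial in sorted(inventory - seen):
        findings.append((serial, "no certificate on file"))
    return findings


if __name__ == "__main__":
    for serial, problem in audit_certificates(CERTS, INVENTORY):
        print(f"{serial}: {problem}")
```
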

• Disposal/destruction techniques:

– Data wiping or overwriting: replacing data stored by writing meaningless data across the storage area

– Physical destruction: degaussing subjects media to an intense magnetic field with the intent of eradicating the data

– Shredding – using a strip-cut or cross-cut shredder to a specified particle size

– Crushing – physically crushing the media to render it unusable.

• It is important to know that data is everywhere, and you need to take a second look at how it is destroyed before disposing of it.
