A Big Lesson From a $60M Fine for Poorly Performed Data Disposition

Posted by Frank Milia

Oct 13, 2020 9:59:39 AM

Last week the Department of the Treasury's Office of the Comptroller of the Currency (OCC) levied a $60 million fine against Morgan Stanley for data breaches that resulted from poorly managed IT asset disposition projects associated with data center decommissioning activities in 2016 and additional disposal events in 2019.

In a recent consent order the OCC describes that the bank “…failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.”

The responsibility to prevent unauthorized access to protected data falls disproportionately on the data controller, in this case Morgan Stanley. Detailing all of the security controls required to lower risk is not possible in this short article. In reality there is no single tool, vendor, process, method, policy, or procedure that one could point to that would have guaranteed the bank one hundred percent security.

Secure management of data disposition, especially for large enterprises, requires a robust program that includes policies, procedures, assigned accountability, employee training, contracting and vendor due diligence requirements, and a process for strict oversight of activities all working together to minimize the risk of exposure and regulatory non-compliance.  

From the OCC's description quoted above it would be easy to characterize Morgan Stanley's management of these data disposition activities as a failure by every measure. However, it is the following accusation by the OCC that most likely explains why the fine is so high: "The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor's performance".

Typically, regulatory fines are reduced when the organization under investigation is able to prove that reasonable steps to protect private data were taken. In other words, mistakes will happen, but if an organization can show that it has formal and documented data disposition procedures that include vendor due diligence, the penalties for an incident will likely be reduced.

At this time Morgan Stanley has yet to disclose the vendors used to perform these services. Considering the OCC's claim that the bank failed to perform due diligence and oversight of the vendor's practices, it is likely that Morgan Stanley is unable to effectively shift liability and financial responsibility to the contractor.

Although there is no legal mechanism for Morgan Stanley to be indemnified from its regulatory obligations, it theoretically would be able to recoup some of the financial impact of the fine if there were well-written contracts, documented performance testing, and due diligence records.

Performing documented due diligence in vendor selection and ongoing auditing of a vendor's practices will significantly reduce the financial impact of a breach or other regulatory non-compliance, both by reducing fines and by providing an effective basis for suing vendors that break contractual obligations. Vendor due diligence should include documented investigation of a vendor's policies, procedures, methods, breach notification systems, training programs, third-party certifications and key management system protocols, at selection and at minimum on an annual basis.

In the simplest terms, it appears that Morgan Stanley did little to deter these breaches from occurring, and the impact of the breaches was multiplied by the inability to establish that any care was taken in its approach to data disposition and vendor management.

Every organization is at risk of a data breach or regulatory fine associated with poor data disposition. The only way to both minimize the likelihood of an exposure and reduce the financial impact if one were to occur is to invest in your data disposition program and ensure that internal and external stakeholders are regularly tested, results are documented, and corrective actions are implemented when applicable.


Topics: IT Asset Disposal, data breach, education & tips, IT Asset Disposition, Risk Management

Maintaining Rational Policies in the Face of Failure

Posted by Frank Milia

May 29, 2019 2:48:09 PM

When we fail in life, especially at security, we tend to overreact and make quick, sweeping changes. If you leave your door open and your home is burglarized, moving out of your neighborhood or installing a state-of-the-art security system may be an irrational response compared to locking your doors from now on. When implementing changes, it is important to address the specific cause of the failure and not let fear of recurrence cloud the way you make improvements.

When organizations uncover regulatory data protection non-compliance or suffer the consequences of an outright data breach, they often struggle to implement corrective actions that address the root cause of the issue; instead they implement new policies that can adversely affect the business while failing to address the deficiency head on. Security, IT, and compliance stakeholders need to stay focused on resolving the cause of an issue and not be distracted by fear or rushed into hastily designed corrective actions.

To illustrate this point I will describe a common scenario I have witnessed at clients to whom I provide data disposition and regulatory compliance consulting as well as IT asset disposition and data destruction services.

Scenario:

A large financial institution has internal policies and procedures to erase hard drives prior to lease returns and disposal of retired assets. The firm is notified that a shipment back to a vendor contained drives that were not wiped. The drives were encrypted, so at the time of this event there were no regulations in the USA that would consider this event a breach requiring disclosure. However, the company's internal policies and procedures were not followed, so an investigation and corrective action were required by internal stakeholders.

The company identified the risk as stemming from allowing erasure and reuse of the hard drives, and implemented a new policy and procedure that all hard drives would now have to be physically destroyed before disposal or lease return. Although one could argue that this approach makes sense considering the high cost and risk of a data breach, it is actually a flawed response that does not address the root cause of the non-conformity (an employee's actions failed to adhere to company policy).

When I analyze and investigate events like this, common root causes tend to include:

  1. Technician(s) failed to erase and document erasure as designed and provided in existing management system
  2. Management system failed to assign accountability of such events
  3. Technician(s) not properly trained or no documented training sessions found
  4. Routine audit of applicable work not practiced
  5. Process for erasure and equipment returns failed to have redundancies, spot checks, and/or verification steps to ensure compliance
  6. Inadequate managerial oversight or approval system in place for data destruction and return management
  7. Detailed processes and work flow procedures poorly documented or none in writing found

The client's response, to require on-site destruction of all media, does not address any of the issues noted above. The firm can change the method, destruction tool, and policy, but without addressing the core deficiencies in the management system, procedures, training, and redundancies, the threat of a non-conformity or event that leads to a data breach remains.

Not only has the firm made a policy change that will cost millions of dollars in lost resale revenue and increased lease return fees, but it has also done little to reduce the risk stemming from the lack of accountability and the imperfect system that led to a technician shipping a device with live data still residing on the hard drive. This same flawed system, left unchanged other than the method of destruction, will likely lead to a technician again shipping a device with a hard drive that is neither wiped nor physically shredded.
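The verification and oversight gaps in items 5 and 6 of the root-cause list above are the kind of control that can be automated at the point where an asset is about to leave the building. The following is an added example, not ITAMG's or the client's own system: a pre-shipment gate over a constructed inventory format in which every drive on an asset must carry a sanitization record that a second person has verified. The record fields, the method vocabulary and the sample manifest are all assumptions made for the example.

```python
"""Pre-shipment reconciliation gate for lease returns and disposals.

Added example, not ITAMG's or the client's own system. It assumes a
simple in-house inventory record (constructed here): each asset lists
its drive serials and the sanitization records logged for them, each
record naming the technician and a second person who verified it.
The gate holds any asset that lacks a record, that was never verified,
or that was "verified" by the same technician who did the work.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical method vocabulary for this example.
ALLOWED_METHODS = {"erase", "shred"}


@dataclass
class SanitizationRecord:
    drive_serial: str
    method: str
    technician: str
    verified_by: Optional[str] = None  # second-person sign-off; None if never checked


@dataclass
class Asset:
    asset_tag: str
    drive_serials: List[str]
    records: List[SanitizationRecord] = field(default_factory=list)


def check_asset(asset: Asset) -> List[str]:
    """Return findings for one asset; an empty list means it may ship."""
    findings: List[str] = []
    by_drive = {r.drive_serial: r for r in asset.records}
    for drive in asset.drive_serials:
        rec = by_drive.get(drive)
        tag = f"{asset.asset_tag}/{drive}"
        if rec is None:
            findings.append(f"{tag}: no sanitization record")
            continue
        if rec.method not in ALLOWED_METHODS:
            findings.append(f"{tag}: unrecognised method {rec.method!r}")
        if not rec.verified_by:
            findings.append(f"{tag}: not independently verified")
        elif rec.verified_by == rec.technician:
            findings.append(f"{tag}: verifier is the technician")
    # A record for a drive the inventory does not list means the inventory
    # and the work log disagree, which is itself a reason to hold the asset.
    for extra in sorted(set(by_drive) - set(asset.drive_serials)):
        findings.append(f"{asset.asset_tag}/{extra}: record for drive not in inventory")
    return findings


def gate_shipment(assets: List[Asset]) -> Dict[str, object]:
    """Split a manifest into assets cleared to ship and held assets with reasons."""
    released: List[str] = []
    held: Dict[str, List[str]] = {}
    for asset in assets:
        findings = check_asset(asset)
        if findings:
            held[asset.asset_tag] = findings
        else:
            released.append(asset.asset_tag)
    return {"released": released, "held": held}


# Constructed sample manifest: one clean asset and three that must be held.
MANIFEST = [
    Asset("A1", ["D1", "D2"], [
        SanitizationRecord("D1", "erase", "tech-a", verified_by="qa-b"),
        SanitizationRecord("D2", "erase", "tech-a", verified_by="qa-b"),
    ]),
    Asset("A2", ["D3"]),                                   # no record at all
    Asset("A3", ["D4"], [
        SanitizationRecord("D4", "erase", "tech-c", verified_by="tech-c"),  # self-verified
    ]),
    Asset("A4", ["D5"], [
        SanitizationRecord("D5", "shred", "tech-a", verified_by="qa-b"),
        SanitizationRecord("D6", "erase", "tech-a", verified_by="qa-b"),    # D6 not on A4
    ]),
]

if __name__ == "__main__":
    result = gate_shipment(MANIFEST)
    print("released:", result["released"])
    for tag, reasons in result["held"].items():
        print("held", tag, "->", "; ".join(reasons))
```

The point of the gate is that it works the same whether the method column says erase or shred: a switch to physical destruction changes nothing about whether the work was done, recorded and independently checked, which is the deficiency the scenario describes.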

Security is too often judged by a consensus of feelings. Many times even the most sophisticated organizations and experienced practitioners will make irrational policies based on how a policy makes them feel. In this case, although the financial firm's policy to destroy the drives does not address the root cause, it does make them feel more secure now that all drives will be destroyed. Organizations incorrectly choose abrupt and elementary policy changes rather than more complicated procedural updates that require greater oversight and investment but would more effectively address deficiencies.

As security professionals we need to analyze the logical and empirical security deficiencies, prescribe solutions based on the root causes, assign accountability, and test and evaluate our systems and programs, all the while taking care to prove the value of such investment to the business's stakeholders. When changing policies in the face of failure, it is important to remove fear from the equation and focus on addressing the problem with a clear mindset.

Topics: education & tips, IT Best Practices, IT Management, Risk Management, Information Security

Networking Device Erasure and Data Destruction

Posted by Frank Milia

Sep 26, 2014 8:30:00 AM

Storage devices and electronic media are not the only devices that require erasure and data destruction service levels in order to eliminate the risk of causing a breach through an equipment disposition. Networking devices, routers, and switches hold sensitive information that in the wrong hands can be used to gain entry to or otherwise compromise a network's security.

The good news is that the major manufacturers have built acceptable erasure methods into various networking devices, and the process is easy to navigate.

At IT Asset Management Group we use the best method of clearing a device according to the manufacturer's instructions and the tools available. If a device cannot be reset to factory default, its configuration cleared, NVRAM erased, or VLAN information cleared, or if any other information fails to erase with 100% certainty, the device is quarantined and then physically destroyed.

The exact method of erasing networking devices will be specific to the manufacturer and model of the hardware, but the following is a broad overview of the process.

Methods for Networking Device Erasure

  1. Switches - Clear all configuration files, including the startup and running configuration files. Erase the NVRAM file system and remove all files. Reload the switch to factory default. Clear all VLAN information created on the switch. Confirm the device has been cleared.
  2. Routers - Reset the password and the device to factory default. Using the configuration register and write erase, set the device back to factory default. Confirm the device has been cleared.

A sample of the type of manufacturer-provided instructions used by ITAMG can be found below.

Common Switch: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-xl-series-switches/24328-156.html

Common Router: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-123-mainline/46509-factory-default.html
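The "confirm device has been cleared" step in both procedures above is where a quarantine decision gets made, and it is easy to skip when it is a visual check of a terminal. The following is an added example, not ITAMG's or Cisco's code: it audits a text transcript that a technician saves after the reset and decides between release and quarantine. The "=== command ===" section markers, the default VLAN set, the leftover file names and both sample transcripts are constructed for the example and only resemble IOS-style output.

```python
"""Audit a captured post-reset command transcript from a switch before release.

Added example, not ITAMG's or Cisco's code. It assumes the technician
saves the output of a few show commands to a text file after the reset,
with each command's output under a "=== <command> ===" marker (a
convention invented for this example). The sample transcripts below are
constructed to resemble IOS-style output; they are not from a real device.
"""
import re
from typing import Dict, List, Set

# Constructed: what a cleared switch might look like.
SAMPLE_CLEARED = """\
=== show startup-config ===
startup-config is not present
=== show running-config ===
hostname Switch
!
interface Vlan1
 no ip address
 shutdown
!
end
=== show vlan brief ===
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------
1    default                          active    Fa0/1, Fa0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
=== dir flash: ===
Directory of flash:/
    2  -rwx     4120 <no date>  c2900xl-c3h2s-mz.bin
"""

# Constructed: a switch that was reloaded but never actually cleared.
SAMPLE_DIRTY = """\
=== show startup-config ===
hostname CORE-SW-01
enable secret 5 <hash redacted>
snmp-server community <redacted> RO
=== show running-config ===
hostname CORE-SW-01
=== show vlan brief ===
1    default                          active
10   SERVERS                          active
20   USERS                            active
=== dir flash: ===
Directory of flash:/
    2  -rwx     4120 <no date>  c2900xl-c3h2s-mz.bin
    3  -rwx      616 <no date>  vlan.dat
    4  -rwx      900 <no date>  config.text
"""

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}          # present on a factory-default switch
LEFTOVER_FILES = {"vlan.dat", "config.text", "private-config.text"}  # saved VLAN db / config
# Configuration lines that should never survive a clear (assumed list).
SENSITIVE = re.compile(
    r"^(enable (secret|password)|username |snmp-server community|crypto key|"
    r"tacacs-server|radius-server|ip route )", re.M)


def split_sections(capture: str) -> Dict[str, str]:
    """Map each '=== command ===' marker to the text that follows it."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in capture.splitlines():
        m = re.match(r"^=== (.+?) ===$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {k: "\n".join(v) for k, v in sections.items()}


def non_default_vlans(vlan_brief: str) -> Set[int]:
    """VLAN ids in the table that a factory-default switch would not have."""
    ids = {int(m.group(1)) for m in re.finditer(r"^(\d+)\s", vlan_brief, re.M)}
    return ids - DEFAULT_VLANS


def leftover_files(dir_listing: str) -> List[str]:
    """Saved-config or VLAN database files still sitting in flash."""
    names = [line.split()[-1] for line in dir_listing.splitlines() if line.strip()]
    return [n for n in names if n in LEFTOVER_FILES]


def audit_capture(capture: str) -> List[str]:
    """Return findings; an empty list means the transcript shows a cleared device."""
    s = split_sections(capture)
    findings: List[str] = []
    if "not present" not in s.get("show startup-config", ""):
        findings.append("startup-config still present")
    for cmd in ("show startup-config", "show running-config"):
        for m in SENSITIVE.finditer(s.get(cmd, "")):
            findings.append(f"{cmd}: residual line starting {m.group(0)!r}")
    if re.search(r"^hostname (?!Switch$|Router$)", s.get("show running-config", ""), re.M):
        findings.append("non-default hostname")
    vlans = non_default_vlans(s.get("show vlan brief", ""))
    if vlans:
        findings.append(f"user VLANs still defined: {sorted(vlans)}")
    files = leftover_files(s.get("dir flash:", ""))
    if files:
        findings.append(f"config files still in flash: {files}")
    return findings


def disposition(capture: str) -> str:
    """Release the device only when nothing residual is found; otherwise quarantine it."""
    return "release" if not audit_capture(capture) else "quarantine"


if __name__ == "__main__":
    for name, cap in (("cleared", SAMPLE_CLEARED), ("dirty", SAMPLE_DIRTY)):
        print(name, disposition(cap), audit_capture(cap))
```

Any finding at all maps to quarantine, matching the policy stated above that a device which cannot be confirmed clear with certainty is quarantined and then destroyed; the findings list is what goes into the disposition record for that device.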

Networking Device Destruction

Any device that cannot be reset and confirmed to no longer contain any user created configurations or data should be physically dismantled, shredded, and recycled for commodity material in accordance with all local, state, and federal laws. ITAMG’s data destruction services are developed in accordance with the DoD 5220.22-M standards and NIST 800-88 Guidelines for Media Sanitization.


Topics: data security, data destruction, data breach, education & tips, data sanitization

SSD Secure Erasing Methods and OEM Instructions for Data Destruction

Posted by Frank Milia

Nov 21, 2013 7:45:00 AM

When purchasing and utilizing solid state drives (SSDs), end-of-life management should be seriously considered. Data sanitization prior to disposition or re-deployment of an SSD differs from that of a traditional hard disk drive (HDD). SSDs store, write, and re-write data differently than spinning hard disk drives, and require a more stringent approach to achieve secure data erasure.

In the PC Magazine article SSD vs. HDD: What's the Difference? more in-depth details are given on the differences between spinning HDDs and the interconnected flash memory chip storage technology of the SSD.

A software solution that is typically used to overwrite data on HDDs, even with multiple passes, may not be a proper data destruction solution for an SSD. Some common software erasure tools may not consistently access all storage areas on the SSD, and as a result blocks of data can be left behind after binary wiping solutions are used.

The various manufacturers of SSDs offer their own solutions for SSD erasure. These built-in processes are important to understand before purchasing SSDs, as they will need to be performed on each drive at time of disposition or reuse. All secure SSD erasure procedures should be followed up with manual confirmation of success and regular random quality assurance from upper management, as well as a physical destruction procedure where a wipe fails or security policy otherwise dictates.

Degaussing solid state drives is not a secure option as SSDs do not use magnetic storage.
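The "manual confirmation of success" called for above can be made repeatable by reading the drive back after the OEM secure-erase routine and looking for anything that is not a uniform fill. The following is an added example, not from ITAMG or any SSD vendor's utility; the block size, the choice of 0x00 or 0xFF as acceptable fills and the sample image are assumptions made for the example.

```python
"""Post-erase residue check for an SSD (or any block device image).

Added example, not from ITAMG or any SSD vendor's utility. After the
OEM secure-erase routine completes, the drive should read back as a
uniform fill (all 0x00, or all 0xFF on some flash). This reads the
device in fixed-size blocks, counts blocks that are not uniform, and
pulls printable strings out of the first few so a reviewer can see
what survived. The sample image at the bottom is constructed.
"""
import re
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

BLOCK = 4096                                   # assumed read granularity
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")    # runs of >= 8 printable ASCII bytes


def is_uniform(block: bytes) -> bool:
    """True when every byte in the block equals the first byte (all 0x00 or all 0xFF)."""
    return len(block) == 0 or block == block[:1] * len(block)


def iter_blocks(path: str, block_size: int = BLOCK) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, data) for every block of a file or block device opened read-only."""
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(block_size)
            if not chunk:
                return
            yield offset, chunk
            offset += len(chunk)


def blocks_from_bytes(data: bytes, block_size: int = BLOCK) -> Iterator[Tuple[int, bytes]]:
    """Same shape as iter_blocks, but over an in-memory image (used for the sample)."""
    for off in range(0, len(data), block_size):
        yield off, data[off:off + block_size]


def scan_blocks(blocks: Iterable[Tuple[int, bytes]], max_samples: int = 5) -> Dict[str, object]:
    """Count non-uniform blocks and keep a few samples with any readable strings."""
    total = dirty = 0
    samples: List[Dict[str, object]] = []
    for offset, chunk in blocks:
        total += 1
        if is_uniform(chunk):
            continue
        dirty += 1
        if len(samples) < max_samples:
            strings = [s.decode("ascii") for s in PRINTABLE.findall(chunk)][:3]
            samples.append({"offset": offset, "strings": strings})
    # An empty device is not evidence of anything, so it does not pass.
    verdict = "pass" if (total > 0 and dirty == 0) else "fail"
    return {"blocks": total, "nonuniform": dirty, "samples": samples, "verdict": verdict}


def scan_image(path: str, block_size: int = BLOCK) -> Dict[str, object]:
    return scan_blocks(iter_blocks(path, block_size))


def constructed_image() -> bytes:
    """A 1 MiB 'drive' that is all zero except one residual record (constructed data)."""
    data = bytearray(256 * BLOCK)
    record = b"CUSTOMER RECORD 000123 acct=...."   # constructed, not real data
    start = 100 * BLOCK + 17
    data[start:start + len(record)] = record
    return bytes(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_image(sys.argv[1]))            # e.g. a raw device node, read-only
    else:
        print(scan_blocks(blocks_from_bytes(constructed_image())))
```

A clean readback is a necessary check, not a sufficient one: as the post notes, erasure tools may not reach every storage area on an SSD, and this scan can only see the addresses the host is allowed to read. A pass therefore confirms the OEM routine did what it claims at the interface, while a fail is firm evidence that the drive goes to physical destruction.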

It is advisable to have a good understanding of the secure erase instructions in each of the various OEM utilities:

Seagate: http://www.seagate.com/files/www-content/product-content/_cross-product/en-us/docs/how-to-ise-your-drive-tp-644-1-1211-us.pdf

Kingston: http://www.kingston.com/us/community/articledetail?ArticleId=10

Samsung SSD Magician Manual (Secure Erase): http://www.xander.com.hk/product/product_manual/prod_manual_500.pdf

Intel: http://www.intel.com/support/ssdc/hpssd/sb/CS-034294.htm

Corsair: http://www.corsair.com/applicationnote/secure-erase

Crucial: http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/SSDs-and-Secure-Erase/ta-p/112580

 

Feel free to post other instructions for major SSD manufacturers and ITAMG will continue to update this list.


Topics: data destruction, education & tips, hard drive shredding, IT Asset Disposition

Three Tips for Hiring an IT Professional

Posted by Ellen Clarke

Nov 19, 2013 10:00:00 AM

Hiring an IT professional can be tricky. While technical skills are the focus, considerations must be given to other attributes and experiences. The interview is the time to ask the targeted questions yielding critical information needed to make an informed decision.


Our hiring managers at ITAMG, an IT asset disposition and data destruction firm, have put together three important tips when hiring an IT professional.

1.     Have your interview questions prepared. A starting point can be found in Careerbuilder's Top Interview Questions. Your questions must be thoughtfully prepared to cover a variety of subjects. While asking about relevant experience is critical, other questions about interpersonal skills must be covered, such as "How do you handle conflict?" and "Provide an example of how you handled a difficult situation at your last job."

2.     Provide an atmosphere where the candidate feels free to open up. Greet the candidate with a firm handshake and a smile. Make small talk at the beginning of the interview. Never lead the candidate. Questions like, "Well you didn't have any problems with your last manager, did you?" do not allow the possibility of an honest answer. Instead go with this: "In your last position did your manager give you a lot of freedom or was she more of a micro manager? How did you like working under those conditions?"

3.     Consider where you need this individual to be one year down the line. While not every IT professional will have the charisma of the best salesperson at your company, you don’t necessarily need him/her to. You do need someone, though, that can work with your team. Additionally, if you are looking to groom someone into a supervisory role, consider if this individual’s interpersonal skills will lead to success or failure.

When hiring an IT professional, technical skills will always be the main focus. Through proper interview preparation one can take steps to identify these types of skills in a candidate. Never leave the interview without determining if the candidate has the interpersonal skills needed for the position. Ask your questions, and let the interviewee do the majority of the talking to ascertain if this candidate will succeed in your firm.


Topics: ITAD, education & tips, Management Tips, IT Best Practices
