As a NAID Certified Secure Destruction Specialist my goal is to offer information security and compliance professionals objective advice backed by experience, industry best practices and a keen knowledge of the applicable regulatory requirements. 

When working with organizations of all sizes one of my consistent challenges is getting various stakeholders to openly and honestly evaluate their data destruction and disposition program to identify blind spots and allow me the opportunity to identify areas for improvement and risk mitigation. 

Below are some of my questions to open up a conversation with folks who are willing to perform a self-evaluation and begin the process of assessing their data disposition practice.

1. Do we have a contract in place with our current downstream data disposition providers?
   a. Does this contract include breach notification requirements?
   b. Does this contract include definitions of data protection service levels and data destruction deliverables?
2. Do we use multiple downstream data disposition providers (example: e-Waste goes to a recycler but media goes to a document destruction company)?
   a. If so, how do we control what vendor is liable if a breach occurs? 
3. Have we formally vetted our downstream data disposition providers?
   a. Have we evaluated and vetted third party certification(s) that our provider holds?
   b. Have we documented our vendor’s policies, procedures, downstream charts, and third party certificates?
   c. Are we annually checking in on updates from vendor for policies, procedures, downstream charts and third party certificates?
4. Do we have written policies and procedures for our data protection program?

a. If we perform data destruction internally are the processes formally documented including confirmation of results?
b. Do we have an assigned person in charge of compliance?
c. Do we have formal training for employees and documentation of such training?
d. Do we have employee acknowledgement in writing for acceptance of data security responsibilities?

I urge everyone to ask these questions and evaluate the answers that come back.  

Once these answers are provided, we can provide suggestions to ensure better security or regulatory compliance.  If the answers all seem satisfactory, there is always an opportunity to dig deeper to find where other improvements can be made and to make sure the organization is documenting the program's success effectively.

Data security and data protection compliance is a moving target.  Evaluation and audit of your data disposition program should be on a regular schedule, including at minimum an annual review of any of your contractors or internal operators.

When we fail in life, especially at our security, we tend to overreact and make quick and sweeping changes.  If you leave your door open and your home is burglarized, moving out of your neighborhood or installing a state of the art security system may be an irrational response compared to locking your doors from now on. When implementing changes, it is important to address the specific cause of the failure and not let fear of reoccurrence cloud the way you make improvements.         

When organizations uncover regulatory data protection non-compliance or suffer the consequences of an outright data breach, many times they struggle to implement corrective actions that address the root cause of the issue or otherwise implement new policies that can adversely affect the business and fail to focus on addressing the deficiency head on.   Security, IT, and compliance stakeholders need to stay focused on resolving the cause of an issue and not be distracted by fear or be rushed into implementing hastily designed corrective actions.  

To illustrate this point I will provide a common scenario I have witnessed from clients that I provide data disposition and regulatory compliance consulting as well as IT asset disposition and data destruction services to.       

Scenario:

A large financial institution has internal policies and procedures to perform erasure of hard drives prior to performing lease returns and disposal of retired assets.  The firm is notified that a shipment back to a vendor contained drives that were not wiped. The drives were encrypted so at the time of this event there were no regulations in the USA that would consider this event a breach requiring disclosure.  However, the company’s internal policies and procedures were not followed therefore an investigation and corrective action was required by internal stakeholders. 

The company identified the risk was from allowing erasure and reuse of the hard drives and implemented a new policy and procedure that all hard drives would now have to be physically destroyed before disposal or lease return.  Although one could argue that this approach makes sense considering the high cost and risk of a data breach, it is actually a flawed response that does not address the root cause of the non-conformity (an employee’s actions failed to adhere to company policy). 

When I analyze and investigate events like this, common root causes tend to include:

1. Technician(s) failed to erase and document erasure as designed and provided in existing management system
2. Management system failed to assign accountability of such events
3. Technician(s) not properly trained or no documented training sessions found
4. Routine audit of applicable work not practiced
5. Process for erasure and equipment returns failed to have redundancies, spot checks, and/or verification steps to ensure compliance
6. Inadequate managerial oversight or approval system in place for data destruction and return management
7. Detailed processes and work flow procedures poorly documented or none in writing found

The client’s response to require on-site destruction of all media does not address any of the issues noted above.  The firm can change the method, destruction tool, and policy but without addressing the core deficiencies in the management system, procedures, training, and redundancies the threat of a non-conformity or event that leads to a data breach remains. 

Not only has the firm made a policy change that will cost millions of dollars in lost revenue from resale and increased lease return fees but they have also done little to reduce the risk stemming from the lack of accountability and the imperfect system that lead to a technician shipping a device with live data still residing on the hard drive.   This same flawed system left unchanged, other than method of destruction, will likely lead to a technician again shipping a device with a hard drive (not wiped or physically shredded).   

Security is too often judged as a consensus of feelings. Many times even the most sophisticated organizations and experienced practitioners will make irrational policies based on how a policy makes them feel.  In this case although the financial firm’s policy to destroy the drives does not address the root-cause, it does make them feel more secure now that all drives will be destroyed.  Organizations incorrectly choose abrupt and elementary policy changes rather than more complicated procedural updates that require greater oversight and investment but will more effectively address deficiencies.          

As security professionals we need to analyze the logical and empirical security deficiencies, prescribe solutions based on the root causes, assign accountability and test and evaluate our systems and programs all the while taking care to prove the value of such investment to the business’s stakeholders.  When changing policies in the face of failure, it is important to remove fear from the equation and focus on addressing the problem with a clear mindset. 

Hiring an IT professional can be tricky. While technical skills are the focus, considerations must be given to other attributes and experiences. The interview is the time to ask the targeted questions yielding critical information needed to make an informed decision.

Our hiring managers at ITAMG, an IT asset disposition and data destruction firm, have put together three important tips when hiring an IT professional.

1.     Have your interview questions prepared. A starting point can be found in Careerbuilder's Top Interview Questions. Your questions must be thoughtfully prepared to cover a variety of subjects. While asking about relevant experience is critical, other questions about interpersonal skills must be covered, such as, “how do you handle conflict, and provide an example of how you handled a difficult situation at your last job.

2.     Provide an atmosphere where the candidate feels free to open up. Greet the candidate with a firm handshake and a smile. Make small talk at the beginning of the interview. Never lead the candidate. Questions like, “Well you didn’t have any problems with your last manager, did you?” does not allow the possibility of an honest answer. Instead go with this, “In your last position did your manager give you a lot of freedom or was she more of a micro manager? How did you like working under those conditions?”

3.     Consider where you need this individual to be one year down the line. While not every IT professional will have the charisma of the best salesperson at your company, you don’t necessarily need him/her to. You do need someone, though, that can work with your team. Additionally, if you are looking to groom someone into a supervisory role, consider if this individual’s interpersonal skills will lead to success or failure.

When hiring an IT professional, technical skills will always be the main focus. Through proper interview preparation one can take steps to identify these types of skills in a candidate. Never leave the interview without determining if the candidate has the interpersonal skills needed for the position. Ask your questions, and let the interviewee do the majority of the talking to ascertain if this candidate will succeed in your firm.

Download the ITAMG Inventory Template to Receive Highest Returns on Surplus IT Equipment

An IT Manager takes on a diverse role that encompasses technical challenges, analyzing information, staffing, conflict resolution, strategic planning, developing budgets, and even data center management. Both the technical and management components require your attention. It is crucial to both your success and the success of your team that you balance these responsibilities.

Our managers at ITAMG have provided 5 tips to help you succeed:

#1: Time Management

Do this: Make the most of every minute. You have two hats to wear – technical and management. To achieve success you must make a daily plan. Written or electronic, it doesn’t matter. Record all of your responsibilities and schedule them in time blocks. Be diligent and stick to this schedule whenever possible. According to this article in US News & World Report, “set specific time limits for routine tasks. Work tends to fill whatever amount of time you happen to have.” When emergencies occur, handle them, and then get back on schedule.

Don’t do this: Go into the day without a plan. Without a plan seemingly “secondary activities” such as getting input from employees, giving feedback, providing training will go by the wayside when inevitable technical issues arise.

#2: Build Relationships

Do this: In an an article on Monster.com Richard Hagberg, the president of the Hagberg Consulting Group, a company that develops training programs for the high tech industry is quoted, “First, carefully define your role. Then audit your time so you're spending time on building relationships and improving communication with everyone around you. Schedule appointments with subordinates and listen to their ideas. Initiate group problem-solving, particularly on real issues, rather than trying to solve everything yourself. Deal with substandard performance by coaching and holding people accountable." To build a strong, loyal force it is imperative to have an open line of communication.

Don’t do this: Have a closed door policy. When possible include employees when making decisions. Let them share their ideas to create a mutually respectful relationship.

#3: Keep Your Skills Sharp

Do this: You are likely a manager because you have exceptional technical skills. Continue to stay on the cutting-edge through research and training. Demonstrate those skills, jump in when complex problems are at hand. Respect is gained in this manner. Education for you and your team is critical to everyone’s success.

Don’t do this: Let your technical skills wane. Consider the importance of the respect of your technical subordinates and your ability to lead by example.

#4: Delegate

Do this: One of the keys to successful delegation is to know each team member’s strengths. You cannot successfully do everything yourself. Your company is best served when your expertise is devoted to finding solutions to critical issues and delegating accordingly.

Don’t do this: Do everything yourself. You and your team will suffer. The members in your group will see this as a lack of confidence in their abilities.

#5: Roll Up Your Sleeves

Do this: When matters arise that require multiple resources from your team, jump in when you can. Maybe next time your firm is getting ready for a computer disposal help the team take an inventory of the surplus computer equipment. Roll up your sleeves whenever possible and you will gain immeasurable respect form your team.

Don’t do this: Sit back and let your team do all the work. Make sure to always be a part of the solution. There’s no substitute for a boss that understands what it’s like to still be in the trenches.

By devoting the proper amount of time to each task, keeping your skills sharp, and demonstrating your willingness to be a part of the team, you will gain the respect and loyalty of your team. Master these 5 areas and you will soar as an IT Manager.

Looking for More Info On Best Practices for EOL Equipment?