Evaluating Data Destruction and Data Protection Compliance

Posted by Frank Milia

Aug 1, 2019 9:25:20 AM

As a NAID Certified Secure Destruction Specialist my goal is to offer information security and compliance professionals objective advice backed by experience, industry best practices and a keen knowledge of the applicable regulatory requirements. 

When working with organizations of all sizes one of my consistent challenges is getting various stakeholders to openly and honestly evaluate their data destruction and disposition program to identify blind spots and allow me the opportunity to identify areas for improvement and risk mitigation. 


Below are some of my questions to open up a conversation with folks who are willing to perform a self-evaluation and begin the process of assessing their data disposition practice.


  1. Do we have a contract in place with our current downstream data disposition providers?
    a. Does this contract include breach notification requirements?
    b. Does this contract include definitions of data protection service levels and data destruction deliverables?
  2. Do we use multiple downstream data disposition providers (example: e-Waste goes to a recycler but media goes to a document destruction company)?
    a. If so, how do we control which vendor is liable if a breach occurs?
  3. Have we formally vetted our downstream data disposition providers?
    a. Have we evaluated and vetted the third party certification(s) that our provider holds?
    b. Have we documented our vendor’s policies, procedures, downstream charts, and third party certificates?
    c. Are we checking in annually with the vendor for updates to policies, procedures, downstream charts and third party certificates?
  4. Do we have written policies and procedures for our data protection program?
    a. If we perform data destruction internally, are the processes formally documented, including confirmation of results?
    b. Do we have an assigned person in charge of compliance?
    c. Do we have formal training for employees and documentation of such training?
    d. Do we have employee acknowledgement in writing of their acceptance of data security responsibilities?

I urge everyone to ask these questions and evaluate the answers that come back.  

Once these answers are provided, we can provide suggestions to ensure better security or regulatory compliance.  If the answers all seem satisfactory, there is always an opportunity to dig deeper to find where other improvements can be made and to make sure the organization is documenting the program's success effectively.

Data security and data protection compliance is a moving target.  Evaluation and audit of your data disposition program should be on a regular schedule, including at minimum an annual review of any of your contractors or internal operators.


Topics: IT Asset Disposal, data security, data destruction, IT Best Practices, Information Security

Add NIST 800-88 to Your DoD Data Destruction Playbook

Posted by Frank Milia

Oct 9, 2017 3:00:25 PM

It’s time your IT asset disposal program manager ditches a murky understanding of DoD data destruction (Department of Defense 5220.22-M) by adding a clearer understanding of NIST 800-88 (National Institute of Standards and Technology 800-88, Guidelines for Media Sanitization).

The DoD data destruction standard does not provide the specifics an organization or business needs in order to run a secure program in real-world operations. The DoD does provide broad guidelines that should be adhered to by any organization maintaining or disposing of sensitive data.

The NIST 800-88 Guidelines, however, provide a detailed roadmap for creating a data destruction program built on the principles of identifying risk and the life cycle stage of the media, selecting and implementing appropriate methods of destruction, verifying and overseeing success, and documenting procedures and work performed.

“We perform DoD data destruction” has been a mantra of the ITAD (IT asset disposal) industry for well over a decade. But when one pushes a vendor or program manager for specifics, one is likely to find inconsistent interpretations of the standard, ranging from a belief that it refers exclusively to three-pass or seven-pass binary wiping to a misconception that only physical shredding and pulverization of media can achieve data security.

In reality the DoD data destruction method does have recommended standards for a two-step erasure of drives using clear and binary-pass overwriting. It also includes basic standards for the removal of physical identifiers, chain of custody documentation, and physical destruction of optical media. The DoD standard does not recommend any specific tools, software, or machinery, and does not provide any type of certification to vendors or products.

NIST 800-88 provides a clear manual that guides IT professionals to select the appropriate tool by the life cycle stage, risk level, and type of media. For example, the document points out that a degausser should never be used for solid state media: since SSDs are not magnetic media, a degausser would not destroy the data on their chips. This type of granular knowledge is a must-have for every IT asset manager.

Here at ITAMG we help our clients understand the NIST 800-88 model and how to develop custom programs that address unique business, industry, and regulatory compliance requirements.  

For more information on appropriate methods and documentation of data destruction practices please review our short guide to NIST 800-88.


Topics: IT Asset Disposal, data destruction, NIST 800-88, eWaste Disposal, Risk Management, hard drive disposal, dod data destruction

Hard Drive Disposal Options

Posted by Frank Milia

Jun 2, 2017 12:38:46 PM

Proper handling of end-of-life computer equipment and electronic media is critical to avoiding costly data breaches and debilitating exposure of your business and client data. Your options for hard drive disposal should not be limited by archaic security policies, vendor capabilities, or a lack of in-house expertise or access to industry-leading tools.

The below is a quick guide to the common tools and methods utilized by sophisticated IT asset disposal providers and IT departments alike. 


Binary wiping and secure erasure:

Often referred to as Department of Defense (DoD) three-pass erasure, secure erasure writes multiple passes of binary patterns over a drive’s data to eliminate the path to the data. The term DoD erasure is asset disposal industry and IT shorthand, and it should be noted that no software or erasure method is specifically endorsed by the DoD. The method is a commonly accepted software tool for destroying data on magnetic and solid state media.

Having a contracted erasure service or in-house capability to securely erase machines is ideal to reuse machines in your environment, sell machines to a computer liquidator at optimum value, and ship or relocate machines that are not encrypted. 

Enterprise erasure tools should include reporting and verification utilities that allow organizations to save detailed certificates of destruction to the NIST 800-88 standard, as well as identify drives that do not wipe to one hundred percent satisfaction. When a drive fails to wipe securely, the user can quarantine it and apply a physical destruction method instead.

DoD erasure is a method approved in the NIST 800-88 Guidelines for Media Sanitization in certain situations, but is not recommended for media that has higher risks associated to an exposure or contains top secret data. 
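As an added example (not code from ITAMG or from any erasure product the page mentions), the following Python simulates the overwrite-and-verify workflow described above, together with the media-type check from the NIST 800-88 post (no degaussing of non-magnetic media): it runs overwrite passes over a simulated drive, reads every sector back to verify the final pattern, produces a sanitization record, and routes a drive with unwritable sectors to quarantine for physical destruction. The Drive class, the pass patterns, the sector size and the record fields are assumptions chosen for illustration; the drive contents are constructed in memory, not read from a real device.

```python
# Simulated drive: a byte buffer split into fixed-size sectors (assumption: 512-byte sectors).
SECTOR = 512


class Drive:
    def __init__(self, serial, media, content):
        self.serial = serial
        self.media = media            # "magnetic" or "solid_state"
        self.data = bytearray(content)

    def sector_count(self):
        return len(self.data) // SECTOR

    def read(self, i):
        return bytes(self.data[i * SECTOR:(i + 1) * SECTOR])

    def write(self, i, pattern):
        self.data[i * SECTOR:(i + 1) * SECTOR] = pattern * SECTOR


def check_method(media, method):
    """Reject tool/media pairings that cannot sanitize: a degausser has no effect on non-magnetic media."""
    if method == "degauss" and media != "magnetic":
        raise ValueError(f"{method} is not a valid sanitization method for {media} media")
    return method


def overwrite_pass(drive, pattern, bad_sectors=()):
    """One overwrite pass; sectors listed in bad_sectors simulate sectors the drive refuses to write."""
    for i in range(drive.sector_count()):
        if i not in bad_sectors:
            drive.write(i, pattern)


def verify(drive, pattern):
    """Full read-back verification: return every sector that does not hold the final pattern."""
    return [i for i in range(drive.sector_count()) if drive.read(i) != pattern * SECTOR]


def sanitize(drive, passes=(b"\x00", b"\xff", b"\x00"), bad_sectors=()):
    """Run the overwrite passes, verify, and return a record; a drive with any failed sector goes to quarantine."""
    check_method(drive.media, "overwrite")
    for pattern in passes:
        overwrite_pass(drive, pattern, bad_sectors)
    failed = verify(drive, passes[-1])
    return {
        "serial": drive.serial,
        "media_type": drive.media,
        "method": f"overwrite, {len(passes)} passes",
        "verification": "full read-back of final pattern",
        "failed_sectors": failed,
        "disposition": "sanitized" if not failed else "quarantine: physical destruction required",
    }


if __name__ == "__main__":
    import os
    print(sanitize(Drive("SN-0001", "magnetic", os.urandom(8 * SECTOR)))["disposition"])
    print(sanitize(Drive("SN-0002", "magnetic", os.urandom(8 * SECTOR)), bad_sectors={3})["disposition"])
```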

Hard Drive Shredding and Media Pulverization

Hard drive pulverizing and media shredding are terms commonly used for the industrial shredding of electronic media. Although the equipment can be expensive for many businesses to own and maintain, many organizations utilize the method with the help of various asset disposal or document shredding service providers. This method is ideal for quickly and cost-effectively destroying large quantities of hard drives, optical media, flash drives, and other electronic storage.

Hard drive shredding can be performed off-site at a vendor’s facility or on-site utilizing specialty shredding equipment typically deployed by the tier one IT asset disposal providers like IT Asset Management Group. 

Hard Drive Punching

Smaller machinery like hard drive punchers is ideal for eliminating the risk of shipping live and accessible data: the drives are punched before being shipped or relocated for the final shredding and recycling process. Punchers are utilized where the large footprint of a shredder would not be possible or cost effective. This method is ideal for small quantities of drives and is typically not cost or time effective for the destruction of large quantities of media.

Much like hard drive shredders there are hundreds of different kinds of hard drive punchers and some are not as effective for solid state drives or other types of media.  It is important to research and understand what a specific machine or service provider is able to do on a case by case basis. 

Degaussing Hard Drives

Degaussing hard drives is another solution ideal for smaller projects where an industrial hard drive shredder may not be available in the geographical area or economically appropriate for the project. Degaussers use powerful magnets to destroy data on hard drives and other magnetic media, but they do not work for solid state drives or flash media.

Degausser machines are no longer the prevalent tool they once were, due to the superior output of shredders and the more effective verification methods of enterprise erasure software utilities. Nonetheless, the tool remains in use because of security policies that were written and never updated, or where other tools prove near impossible to deploy.

For more information on appropriate methods and documentation of data destruction practices please review our short guide to NIST 800-88.


Topics: IT Asset Disposal, data destruction, eWaste Disposal, Risk Management, hard drive disposal

The 4 Knows of IT Asset Disposition

Posted by Charles Veprek

Apr 25, 2017 11:14:22 AM

The best place to start is the beginning of course, regardless if this is your first IT Asset Disposal (ITAD) project or your hundredth. An investment in knowledge pays the best interest and knowing the “Four Knows” can help return that interest for your surplus IT equipment.

1. Know what you need
     a. Does your company have:
          i. A data destruction policy or security requirement?
          ii. A no reuse policy?
          iii. Any specific reporting requirements?

Knowing your company’s requirements for ITAD projects will ensure all quotes are based within a given framework.

2. Know what you have
     a. Do you have:
          i. An accurate equipment inventory?
          ii. An understanding if the equipment is still functional?
          iii. All the peripherals for the devices?


Knowing the project inventory will ensure that project quotes and project timelines are accurate.


3. Know who you work with
     a. Have you:
          i. Researched R2 recyclers and eSteward vendors?
          ii. Performed vendor due diligence?
          iii. Asked for a referral?


Knowing your vendor’s policies and procedures will reduce exposure risk and improve vendor selection.


4. Know your project’s potential
     a. Have you:
          i. Received multiple quotes?
          ii. Inquired about donation possibilities?
          iii. Asked your vendor to work with your VAR?


Knowing the value of the equipment will ensure you don’t get rid of it for free when you should be getting capital back.

An investment in knowledge pays the best interest and knowing the “Four Knows” can help return that interest on your redundant IT equipment.


Topics: IT Asset Disposal, data destruction, eWaste Disposal, Risk Management

Hard Drive Shredding New York Style

Posted by Frank Milia

Jan 13, 2015 8:55:00 AM

ITAMG regularly provides IT disposal and data destruction services to our clients with offices and data centers in New York City. Recently we have had a lot of new clients ask us how it’s even possible for us to provide onsite hard drive shredding services in the chaotic New York environment. This post provides a quick explanation of how we manage obstacles and securely destroy electronic media in one of America’s most bustling cities.


Parking in New York City can be a nightmare. The industrial shredding equipment used to shred hard drives weighs thousands of pounds and is mounted on a large box truck (similar to paper shredding trucks you may be more familiar with). Most loading docks in New York City are extremely busy and located indoors, so idling and shredding drives at a dock is not an option due to congestion as well as health and safety concerns.

In order to get the work done curbside, our crew first scans and captures the serial numbers of the drives and then places the media into a locked container while still inside the client’s space. They then transport the locked containers, which are on wheels, down to the mobile shredding truck.

When there are no available parking spaces in the area we may be required to park several blocks from the client’s location. Although the client may be forced to get some unexpected exercise by taking a walk to the truck, he or she is able to follow the media at all times, and no media is left unattended.

To combat parking restrictions we always staff at least three crew members in New York City. All hard drive shredding projects in New York are staffed with a driver and a minimum of two technicians. With this strategy the truck can remain in a standing zone nearby while the other two crew members audit and prepare the drives for destruction.

When the technicians are done processing and auditing the drives, the truck is called in to collect the container and the drives are destroyed at the nearest possible location. This staffing practice accounts for a potential emergency or required break and ensures that a crew member always remains available to guard the media prior to its destruction.

Everything, especially time, in New York is expensive. In order to reduce service costs, our shredding trucks are also equipped to collect electronic waste and surplus computer equipment that is being liquidated. In addition to the shredded media remains, there is space to remove upwards of three hundred desktops in a single service.

We are able to reduce shipping and logistics costs for projects that require both on-site media destruction and IT asset disposal services by performing both services at the same time.      

ITAMG has been working in New York City with our own crews since 1999. If you are already a New York hard drive shredding client please reach out to your account manager and let us know how we are doing.      


Topics: data security, data destruction, hard drive shredding, data sanitization, Hard Drive Shredding NY
