IT Asset Disposal and Data Destruction Program Management

Posted by Frank Milia

Dec 10, 2014 9:50:00 AM

Since 1999 our primary business at IT Asset Management Group has been focused on developing and implementing the process, controls, and oversights necessary to run a compliant, secure, and economically viable IT asset disposition program.  We are now drawing upon our unique experience and capabilities to provide consulting, program management, and project management services for data destruction, environmental, asset management, and return management initiatives. 

Laptop Liquidation Program

ITAMG’s disposition programs are designed to bridge the gap and achieve the goals of various stakeholders including Finance, IT, Facilities, and Procurement departments.   

A broad approach to an asset disposal program is as follows:

  • Develop and furnish the initial operational, financial and technical assessments relating to an asset disposition program.
  • Recommend alternative operational processes and organizational solutions.
  • Provide budgetary cost and income estimates for the alternative approaches
  • Develop a Statement of Work for the program or project.
  • Assist with evaluation, selection and contracting, including the execution of Service Level Agreements.
  • Provide implementation and acceptance testing project management.
  • Include on-going program support as defined by client. Including delivery management, SLA monitoring and documentation of the financial returns.
  • Ensure Quality Control and Risk Management.

 

ITAMG’s asset disposal program management services are best suited for the Fortune 500, large government agencies, IT value added resellers, and other institutions with a significant IT hardware portfolio that requires the liquidation of at least one million dollars of surplus IT equipment in a single fiscal year. 

However, we do engage smaller mid-market clients to consult on and improve IT asset disposal and data destruction practices as well as to provide our direct IT asset recovery and hard drive shredding services.    

 

Request a Program Management Consultation

more

Topics: IT End of Life Strategy, data destruction, Computer Liquidation, NIST 800-88, IT Asset Disposal NY

Networking Device Erasure and Data Destruction

Posted by Frank Milia

Sep 26, 2014 8:30:00 AM

Storage devices and electronic media are not the only devices that require erasure and data destruction service levels in order to eliminate risks of causing a breach from an equipment disposition. Networking devices, routers, and switches hold sensitive information that in the wrong hands can be used to find entry to or otherwise compromise a network’s security.

The good news is that the major manufacturers have built in acceptable erasure methods into various networking devices and the process is easy to navigate.

At IT Asset Management Group we utilize the best methods of clearing a device depending on the manufacturer’s instructions and tools available. If a device cannot be reset to factory default, configuration cleared, NVRAM erased, VLAN cleared or any other information fails to erase with 100% certainty the device is quarantined and then physically destroyed.

The exact method of erasing networking devices will be specific to the manufacturer and model of the hardware but the following is broad overview of the process.Networking_DevicesMethods for Networking Device Erasure 

  1. Switches - Clear all configuration files including startup and running configuration files. Erase the NVRAM file system and removal of all files. Reload the switch to factory default. Clear all VLAN information created on switch. Confirm device has been cleared.
  2. Routers - Reset password and device to factory default.   Using Register Configuration write erase and set device back to factory default. Confirm device has been cleared.  

A sample of the type of manufacturer provided instructions used by ITAMG can be found below.

Common Switch: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-xl-series-switches/24328-156.html

Common Router: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-123-mainline/46509-factory-default.html

Networking Device Destruction

Any device that cannot be reset and confirmed to no longer contain any user created configurations or data should be physically dismantled, shredded, and recycled for commodity material in accordance with all local, state, and federal laws. ITAMG’s data destruction services are developed in accordance with the DoD 5220.22-M standards and NIST 800-88 Guidelines for Media Sanitization.

Looking for more information on running a secure data destruction program? 

Download 5 Data Destruction Tips

more

Topics: data security, data destruction, data breach, education & tips, data sanitization

Intro to NIST 800-88: Data Destruction Best Practices

Posted by Frank Milia

Dec 5, 2013 8:24:00 PM

Attackers are targeting easier to access confidential information housed on company hard drives that are improperly disposed of.  One must have data destruction policies and procedures in place to ensure a data breach doesn’t occur. In the Guidelines for Media Sanitization (NIST Special Publication 800-88 Rev 1) best practices from the National Institute of Standards and Technology are clearly provided.

In this document three forms of compliant sanitization are defined: clear, purge, and destroy.

 

  • Clear: Overwriting storage space with non-sensitive data is one way to sanitize media. This method is not effective for media that is damaged or not rewriteable. The media type and size may also influence whether overwriting is a suitable sanitization method [SP 800-36].
  • Purge: Acceptable forms of purging include degaussing and executing the firmware Secure Erase command (for ATA drives only).  In degaussing a magnetic field is used to sanitize media. Degaussing is effective when working with damaged media, purging media with exceptionally large storage capacities, or for purging diskettes [SP 800-36].
  • Destroy:  Sanitization methods used to completely destroy media include Disintegration, Pulverization, Melting, and Incineration.  Destruction methods are typically outsourced to an organization capable of performing these tasks safely and effectively.  Pulverization is commonly referred to as Hard Drive Shredding in the IT asset disposal industry.  

 The NIST 800-88 document provides the below Media Sanitization Decision Matrix containing media-specific lists regarding the options of clear, purge, and destroy.  

Capture

 

Media that contains proprietary, confidential material, or is otherwise deemed to be a high risk must be given priority and the strictest controls and destruction methods should be employed.

 

Learn More And Download the 5 Most Important Tips from NIST 800-88

 

Download 5 Data Destruction Tips

 

ITAMG handles media sanitization in accordance with the National Institute of Standards & Technology (NIST) Special Publication Series 800-88. We can work with you to implement the most appropriate methods of disposal for your media and establish your secure and audit ready data destruction programs.

more

Topics: IT Asset Disposal, data security, data destruction, data sanitization, NIST 800-88

SSD Secure Erasing Methods and OEM Instructions for Data Destruction

Posted by Frank Milia

Nov 21, 2013 7:45:00 AM

When purchasing and utilizing solid state drives (SSD) end-of-life management should be seriously considered.  Data sanitization prior to disposition or re-deployment for a SSD differs from a traditional hard disk drive (HDD). SSDs store, write, and re-write data differently than spinning hard disk drives, and require a more stringent approach to achieve secure data erasure.

In a PC Magazine article SSD vs. HDD: What's the Difference? more in depth details are SSD_Guygiven for the differences between spinning HDD and the interconnected flash memory chip data storage technology of the SDD.

A software solution that is typically used to over-write data on HDDs, even with multiple passes, may not be a proper data destruction solution for SSD.  Some common software erasure tools may not consistently access all storage areas on the SSD, and as a result blocks of data can be left behind after binary wiping solutions are utilized.

The various manufacturers of SSDs offer their own solutions for SSD erasure. These built in processes are important to understand before purchasing SSD as they will need to be performed on each drive at time of disposition or reuse.  All secure SSD erasure procedures should be followed up with manual confirmation of success and regular random quality assurance from upper management, as well as physical destruction procedure where failure to wipe or security policy otherwise dictates.

Deguassing solid state drives is not a secure option as SSDs do not use magnetic storage.  

 

It is advisable to have a good understanding on the process of each secure erase instructions from the various OEM utilities:    

 

Seagate: http://www.seagate.com/files/www-content/product-content/_cross-product/en-us/docs/how-to-ise-your-drive-tp-644-1-1211-us.pdf

 

Kingston:  http://www.kingston.com/us/community/articledetail?ArticleId=10 

 

Samsung SSD Magician Manual (Secure Erase): http://www.xander.com.hk/product/product_manual/prod_manual_500.pdf

 

Intel: http://www.intel.com/support/ssdc/hpssd/sb/CS-034294.htm

 

Corsair: http://www.corsair.com/applicationnote/secure-erase

 

Crucial: http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/SSDs-and-Secure-Erase/ta-p/112580

 

Feel free to post other instructions for major SSD manufacturers and ITAMG will continue to update this list.

 

Download ITAMG's Free Guide: 5 Best Practices for Data Destruction

 

5 Data Destruction Tips

 

more

Topics: data destruction, education & tips, hard drive shredding, IT Asset Disposition

One CIO's Trash, Is The Same CIO's Liability

Posted by Steve Bossert

Nov 11, 2013 12:07:00 PM

What happens when end use computing, mobile devices and data center infrastructure reach the end of its useful life in the enterprise environment?  It turns into a major business liability.

13737975_xl_electronic_wasteEach week, vast amounts of hardware is discarded by corporations large and small as they replace or upgrade to newer computing hardware.  Some companies believe that they are doing the right thing during the decommissioning process by focusing on following ecologically sound recycling practices. This often includes "deleting" information or "wiping" VoIP or mobile phones to round out the end of life process.

 

However, once these steps have been undertaken, few firms ever take the trouble to independently audit what is left on those drives or trace where they ultimately go in their long journey after they leave. Unfortunately pressing “delete” is seldom enough.

Robert Plant, who is an associate professor at the University of Miami says:

"Security is only as strong as the weakest link. Law enforcement, the security services and industrial spies who dumpster dive (or, more accurately, bid on containers of e-waste) have the tools and the capabilities to retrieve your deleted data from sources such as cache memory and discarded routers. In addition, they can piece together data from multiple sources."

The professor goes on to cite an example that could happen at any financial services firm that does not properly vette its chosen IT asset disposal, computer recycling or data destruction partner.

Anyone who has "C" as part of the professionally assigned title, should not only pay close attention to what is spent when acquiring new IT equipment or even a new full size printer or copier, but also on future costs involved in decomissioning that asset. Environmental, data security and corporate liability are all to be equally thought about. You can not afford not to.

Perhaps for many firms it is time to start reassessing their corporate-information disposal processes. They need to stop thinking of this as a disposal problem for facilities to handle and realign this under the correct risk-management authority it truly deserves. One good place to start is to look into the costs of on-site data destruction and hard drive shredding.

On a per HDD basis, it may be the best business decision that can be made for less than the cost of a soup and half a sandwhich combo at your favorite NYC deli, pickle and sides not included.

Looking for More Info On Best Practices for EOL Equipment?


Download 5 Data Destruction Tips

 

more

Topics: IT Asset Disposal, IT End of Life Strategy, data destruction, hard drive shredding

   

ITAD Guidance

Stay informed on important IT asset management topics.

Our posts focus on IT management, data security, and computer hardware from the unique perspective of IT asset disposal experts.

Subscribe and you will stay on top of:

  • IT procurement trends and analysis
  • Data security methods and best practices
  • Compliance tools and updates

Subscribe to Email Updates

R2-2013_Logo.png

Recent Posts

Visit our Main Site at: www.itamg.com