Maintaining Rational Policies in the Face of Failure

Posted by Frank Milia

May 29, 2019 2:48:09 PM

When we fail in life, especially at our security, we tend to overreact and make quick and sweeping changes.  If you leave your door open and your home is burglarized, moving out of your neighborhood or installing a state of the art security system may be an irrational response compared to locking your doors from now on. When implementing changes, it is important to address the specific cause of the failure and not let fear of reoccurrence cloud the way you make improvements.         

When organizations uncover regulatory data protection non-compliance or suffer the consequences of an outright data breach, many times they struggle to implement corrective actions that address the root cause of the issue or otherwise implement new policies that can adversely affect the business and fail to focus on addressing the deficiency head on.   Security, IT, and compliance stakeholders need to stay focused on resolving the cause of an issue and not be distracted by fear or be rushed into implementing hastily designed corrective actions.  

Policies - Red Ring Binder on Office Desktop with Office Supplies and Modern Laptop. Business Concept on Blurred Background. Toned Illustration.

To illustrate this point I will provide a common scenario I have witnessed from clients that I provide data disposition and regulatory compliance consulting as well as IT asset disposition and data destruction services to.       

Scenario:

A large financial institution has internal policies and procedures to perform erasure of hard drives prior to performing lease returns and disposal of retired assets.  The firm is notified that a shipment back to a vendor contained drives that were not wiped. The drives were encrypted so at the time of this event there were no regulations in the USA that would consider this event a breach requiring disclosure.  However, the company’s internal policies and procedures were not followed therefore an investigation and corrective action was required by internal stakeholders. 

The company identified the risk was from allowing erasure and reuse of the hard drives and implemented a new policy and procedure that all hard drives would now have to be physically destroyed before disposal or lease return.  Although one could argue that this approach makes sense considering the high cost and risk of a data breach, it is actually a flawed response that does not address the root cause of the non-conformity (an employee’s actions failed to adhere to company policy). 

When I analyze and investigate events like this, common root causes tend to include:

  1. Technician(s) failed to erase and document erasure as designed and provided in existing management system
  2. Management system failed to assign accountability of such events
  3. Technician(s) not properly trained or no documented training sessions found
  4. Routine audit of applicable work not practiced
  5. Process for erasure and equipment returns failed to have redundancies, spot checks, and/or verification steps to ensure compliance
  6. Inadequate managerial oversight or approval system in place for data destruction and return management
  7. Detailed processes and work flow procedures poorly documented or none in writing found

The client’s response to require on-site destruction of all media does not address any of the issues noted above.  The firm can change the method, destruction tool, and policy but without addressing the core deficiencies in the management system, procedures, training, and redundancies the threat of a non-conformity or event that leads to a data breach remains. 

Not only has the firm made a policy change that will cost millions of dollars in lost revenue from resale and increased lease return fees but they have also done little to reduce the risk stemming from the lack of accountability and the imperfect system that lead to a technician shipping a device with live data still residing on the hard drive.   This same flawed system left unchanged, other than method of destruction, will likely lead to a technician again shipping a device with a hard drive (not wiped or physically shredded).   

Security is too often judged as a consensus of feelings. Many times even the most sophisticated organizations and experienced practitioners will make irrational policies based on how a policy makes them feel.  In this case although the financial firm’s policy to destroy the drives does not address the root-cause, it does make them feel more secure now that all drives will be destroyed.  Organizations incorrectly choose abrupt and elementary policy changes rather than more complicated procedural updates that require greater oversight and investment but will more effectively address deficiencies.          

As security professionals we need to analyze the logical and empirical security deficiencies, prescribe solutions based on the root causes, assign accountability and test and evaluate our systems and programs all the while taking care to prove the value of such investment to the business’s stakeholders.  When changing policies in the face of failure, it is important to remove fear from the equation and focus on addressing the problem with a clear mindset. 

more

Topics: education & tips, IT Best Practices, IT Management, Risk Management, Information Security

Networking Device Erasure and Data Destruction

Posted by Frank Milia

Sep 26, 2014 8:30:00 AM

Storage devices and electronic media are not the only devices that require erasure and data destruction service levels in order to eliminate risks of causing a breach from an equipment disposition. Networking devices, routers, and switches hold sensitive information that in the wrong hands can be used to find entry to or otherwise compromise a network’s security.

The good news is that the major manufacturers have built in acceptable erasure methods into various networking devices and the process is easy to navigate.

At IT Asset Management Group we utilize the best methods of clearing a device depending on the manufacturer’s instructions and tools available. If a device cannot be reset to factory default, configuration cleared, NVRAM erased, VLAN cleared or any other information fails to erase with 100% certainty the device is quarantined and then physically destroyed.

The exact method of erasing networking devices will be specific to the manufacturer and model of the hardware but the following is broad overview of the process.Networking_DevicesMethods for Networking Device Erasure 

  1. Switches - Clear all configuration files including startup and running configuration files. Erase the NVRAM file system and removal of all files. Reload the switch to factory default. Clear all VLAN information created on switch. Confirm device has been cleared.
  2. Routers - Reset password and device to factory default.   Using Register Configuration write erase and set device back to factory default. Confirm device has been cleared.  

A sample of the type of manufacturer provided instructions used by ITAMG can be found below.

Common Switch: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2900-xl-series-switches/24328-156.html

Common Router: http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-123-mainline/46509-factory-default.html

Networking Device Destruction

Any device that cannot be reset and confirmed to no longer contain any user created configurations or data should be physically dismantled, shredded, and recycled for commodity material in accordance with all local, state, and federal laws. ITAMG’s data destruction services are developed in accordance with the DoD 5220.22-M standards and NIST 800-88 Guidelines for Media Sanitization.

Looking for more information on running a secure data destruction program? 

Download 5 Data Destruction Tips

more

Topics: data security, data destruction, data breach, education & tips, data sanitization

SSD Secure Erasing Methods and OEM Instructions for Data Destruction

Posted by Frank Milia

Nov 21, 2013 7:45:00 AM

When purchasing and utilizing solid state drives (SSD) end-of-life management should be seriously considered.  Data sanitization prior to disposition or re-deployment for a SSD differs from a traditional hard disk drive (HDD). SSDs store, write, and re-write data differently than spinning hard disk drives, and require a more stringent approach to achieve secure data erasure.

In a PC Magazine article SSD vs. HDD: What's the Difference? more in depth details are SSD_Guygiven for the differences between spinning HDD and the interconnected flash memory chip data storage technology of the SDD.

A software solution that is typically used to over-write data on HDDs, even with multiple passes, may not be a proper data destruction solution for SSD.  Some common software erasure tools may not consistently access all storage areas on the SSD, and as a result blocks of data can be left behind after binary wiping solutions are utilized.

The various manufacturers of SSDs offer their own solutions for SSD erasure. These built in processes are important to understand before purchasing SSD as they will need to be performed on each drive at time of disposition or reuse.  All secure SSD erasure procedures should be followed up with manual confirmation of success and regular random quality assurance from upper management, as well as physical destruction procedure where failure to wipe or security policy otherwise dictates.

Deguassing solid state drives is not a secure option as SSDs do not use magnetic storage.  

 

It is advisable to have a good understanding on the process of each secure erase instructions from the various OEM utilities:    

 

Seagate: http://www.seagate.com/files/www-content/product-content/_cross-product/en-us/docs/how-to-ise-your-drive-tp-644-1-1211-us.pdf

 

Kingston:  http://www.kingston.com/us/community/articledetail?ArticleId=10 

 

Samsung SSD Magician Manual (Secure Erase): http://www.xander.com.hk/product/product_manual/prod_manual_500.pdf

 

Intel: http://www.intel.com/support/ssdc/hpssd/sb/CS-034294.htm

 

Corsair: http://www.corsair.com/applicationnote/secure-erase

 

Crucial: http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/SSDs-and-Secure-Erase/ta-p/112580

 

Feel free to post other instructions for major SSD manufacturers and ITAMG will continue to update this list.

 

Download ITAMG's Free Guide: 5 Best Practices for Data Destruction

 

5 Data Destruction Tips

 

more

Topics: data destruction, education & tips, hard drive shredding, IT Asset Disposition

Three Tips for Hiring an IT Professional

Posted by Ellen Clarke

Nov 19, 2013 10:00:00 AM

Hiring an IT professional can be tricky. While technical skills are the focus, considerations must be given to other attributes and experiences. The interview is the time to ask the targeted questions yielding critical information needed to make an informed decision.

Our hiring managers at ITAMG, an IT asset disposition and data destruction firm, have put together three important tips when hiring an IT professional.

1.     Have your interview questions prepared. A starting point can be found in Careerbuilder's Top Interview Questions. Your questions must be thoughtfully prepared to cover a variety of subjects. While asking about relevant experience is critical, other questions about interpersonal skills must be covered, such as, “how do you handle conflict, and provide an example of how you handled a difficult situation at your last job.

2.     Provide an atmosphere where the candidate feels free to open up. Greet the candidate with a firm handshake and a smile. Make small talk at the beginning of the interview. Never lead the candidate. Questions like, “Well you didn’t have any problems with your last manager, did you?” does not allow the possibility of an honest answer. Instead go with this, “In your last position did your manager give you a lot of freedom or was she more of a micro manager? How did you like working under those conditions?”

3.     Consider where you need this individual to be one year down the line. While not every IT professional will have the charisma of the best salesperson at your company, you don’t necessarily need him/her to. You do need someone, though, that can work with your team. Additionally, if you are looking to groom someone into a supervisory role, consider if this individual’s interpersonal skills will lead to success or failure.

IMG_1108

 

When hiring an IT professional, technical skills will always be the main focus. Through proper interview preparation one can take steps to identify these types of skills in a candidate. Never leave the interview without determining if the candidate has the interpersonal skills needed for the position. Ask your questions, and let the interviewee do the majority of the talking to ascertain if this candidate will succeed in your firm.

 

 

Download the ITAMG Inventory Template to Receive Highest Returns on Surplus IT Equipment

 

Tips & Inventory Template

 

more

Topics: ITAD, education & tips, Management Tips, IT Best Practices

Project Management is Key to Safe IT Asset Disposition

Posted by Frank Milia

Nov 12, 2013 2:23:00 PM

Project management is a critical component in any IT project yet end of life disposal process is often lacking the proper amount of attention. Proper IT disposal planning will minimize data security risks and cleanly close out the life cycle of computer equipment with the creation of key asset management records.

Throwing together an IT disposal plan at the last minute or making it the afterthought to a refresh plan will put your firm at a higher risk of a data breach as well as vulnerable to poor evaluations or audits of your general IT practices.

 

IMG_0959According to Project Insight there are 5 Basic Phases of Project Management:

  1. Project conception and initiation
  2. Project definition and planning
  3. Project launch or execution
  4. Project performance and control
  5. Project close

 

Let’s briefly look into utilizing these 5 phases to accomplish the goal of safely and securing completing an IT disposal project.

Planning facility relocations, equipment upgrades, or the regular need for IT disposal will define the project conception and initiation piece. The conception phase is the ideal time to contact an IT asset disposition firm to qualify vendors and define the parameters of future services through a Master Service Agreement. At this stage it is not necessary to select vendors but to instead make sure the services are budgeted for and qualified service providers and tools have been identified and vetted.

It is important to take appropriate efforts to perform due diligence and gain an understanding of a disposal vendor’s insurance, data security policies, and environmental standards. This type of due diligence is difficult to perform at the end of an equipment upgrade where physical space, time, and human resources are limited.  

In the defining and planning stage thoughtful preparation must be invoked. Typical action items for a disposal project will include taking physical inventory, vendor selection, backing up critical data, physical relocation and consolidation of surplus equipment, and coordinating logistics for the equipment collection.

The project launch and execution involves informing staff of their responsibilities. Included in this are milestones expected, end dates, and any required reporting along the way. Each employee must be clear on tasks, deadlines, and requirements to other departments such as asset reporting to finance, adhering to security requirements set by info security and upper management, or meeting site access restrictions and insurance requirements for facilities.

Closing a disposition project will be defined by physical removal of the equipment from the site followed up with asset reporting, certification, and confirmation and reconciliation of the serialized data.

Project performance and control is all about flexibility. Adherence to schedules is ideal, but not always possible. When necessary adjust schedules and keep staff and vendors informed of any changes.

IT asset disposition is a regular result from various technology implementations and is worthy of serious consideration by project managers. With the proper management of surplus computer equipment disposal a firm will avoid data breaches and environmental liabilities as well as create a depository for managing an organization’s fixed assets.

 

Looking for More Info On Best Practices for EOL Equipment?

 

Download 5 Data Destruction Tips

 

 

more

Topics: IT End of Life Strategy, education & tips, Computer Liquidation, IT Management

   

ITAD Guidance

Stay informed on important IT asset management topics.

Our posts focus on IT management, data security, and computer hardware from the unique perspective of IT asset disposal experts.

Subscribe and you will stay on top of:

  • IT procurement trends and analysis
  • Data security methods and best practices
  • Compliance tools and updates

Subscribe to Email Updates

R2-2013_Logo.png

Recent Posts

Visit our Main Site at: www.itamg.com