Evaluating Data Destruction and Data Protection Compliance

Posted by Frank Milia

Aug 1, 2019 9:25:20 AM

As a NAID Certified Secure Destruction Specialist, my goal is to offer information security and compliance professionals objective advice backed by experience, industry best practices, and a keen knowledge of the applicable regulatory requirements.

When working with organizations of all sizes, one of my consistent challenges is getting the various stakeholders to openly and honestly evaluate their data destruction and disposition program. That candor is what exposes blind spots and gives me the opportunity to identify areas for improvement and risk mitigation.


Below are some of my questions to open up a conversation with folks who are willing to perform a self-evaluation and begin the process of assessing their data disposition practice.


  1. Do we have a contract in place with our current downstream data disposition providers?
    a. Does this contract include breach notification requirements?
    b. Does this contract include definitions of data protection service levels and data destruction deliverables?
  2. Do we use multiple downstream data disposition providers (example: e-waste goes to a recycler but media goes to a document destruction company)?
    a. If so, how do we control which vendor is liable if a breach occurs?
  3. Have we formally vetted our downstream data disposition providers?
    a. Have we evaluated and vetted the third party certification(s) that our provider holds?
    b. Have we documented our vendor’s policies, procedures, downstream charts, and third party certificates?
    c. Are we checking in annually with our vendors for updates to policies, procedures, downstream charts, and third party certificates?
  4. Do we have written policies and procedures for our data protection program?
    a. If we perform data destruction internally, are the processes formally documented, including confirmation of results?
    b. Do we have an assigned person in charge of compliance?
    c. Do we have formal training for employees and documentation of such training?
    d. Do we have employee acknowledgement in writing of their acceptance of data security responsibilities?

I urge everyone to ask these questions and evaluate the answers that come back.  

Once these answers are provided, we can offer suggestions to improve security or regulatory compliance. If the answers all seem satisfactory, there is always an opportunity to dig deeper to find where other improvements can be made and to make sure the organization is documenting the program's success effectively.

Data security and data protection compliance are a moving target. Evaluation and audit of your data disposition program should be on a regular schedule, including at minimum an annual review of each of your contractors and internal operators.


Topics: IT Asset Disposal, data security, data destruction, IT Best Practices, Information Security

Maintaining Rational Policies in the Face of Failure

Posted by Frank Milia

May 29, 2019 2:48:09 PM

When we fail in life, especially at our security, we tend to overreact and make quick and sweeping changes. If you leave your door open and your home is burglarized, moving out of your neighborhood or installing a state-of-the-art security system may be an irrational response compared to locking your doors from now on. When implementing changes, it is important to address the specific cause of the failure and not let fear of recurrence cloud the way you make improvements.

When organizations uncover regulatory data protection non-compliance or suffer the consequences of an outright data breach, they often struggle to implement corrective actions that address the root cause of the issue. Instead they adopt new policies that can adversely affect the business while failing to confront the deficiency head on. Security, IT, and compliance stakeholders need to stay focused on resolving the cause of an issue and not be distracted by fear or rushed into implementing hastily designed corrective actions.


To illustrate this point I will describe a common scenario I have witnessed among clients for whom I provide data disposition and regulatory compliance consulting as well as IT asset disposition and data destruction services.

Scenario:

A large financial institution has internal policies and procedures requiring erasure of hard drives prior to lease returns and disposal of retired assets. The firm is notified that a shipment back to a vendor contained drives that were not wiped. The drives were encrypted, so at the time of this event there were no regulations in the USA that would consider it a breach requiring disclosure. However, the company’s internal policies and procedures were not followed, so an investigation and corrective action were required by internal stakeholders.

The company identified the risk as arising from allowing erasure and reuse of the hard drives and implemented a new policy and procedure under which all hard drives would now have to be physically destroyed before disposal or lease return. Although one could argue that this approach makes sense considering the high cost and risk of a data breach, it is actually a flawed response that does not address the root cause of the non-conformity (an employee’s actions failed to adhere to company policy).

When I analyze and investigate events like this, common root causes tend to include:

  1. Technician(s) failed to erase and document erasure as designed and provided for in the existing management system
  2. Management system failed to assign accountability for such events
  3. Technician(s) not properly trained, or no documented training sessions found
  4. Routine audit of applicable work not practiced
  5. Process for erasure and equipment returns lacked redundancies, spot checks, and/or verification steps to ensure compliance
  6. Inadequate managerial oversight or approval system in place for data destruction and return management
  7. Detailed processes and workflow procedures poorly documented, or none found in writing

The client’s response of requiring on-site destruction of all media does not address any of the issues noted above. The firm can change the method, destruction tool, and policy, but without addressing the core deficiencies in the management system, procedures, training, and redundancies, the threat of a non-conformity or an event that leads to a data breach remains.
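Root cause 5 above, the absence of a verification step before equipment leaves the building, is the one that is cheapest to close with a control rather than a policy change. The following is an added example, not code from the original post or from ITAMG: a reconciliation check that holds any serial on an outbound shipment manifest unless an erasure record exists, the recorded method is one the policy allows, and a second person (not the technician) signed off on the result. The manifest, the records, and the policy method names are constructed for the example.

```python
"""Reconcile an outbound shipment manifest against erasure records.

Added example; the inputs and policy names are constructed. The idea is
that no drive ships on the technician's word alone: a serial is cleared
only when a matching erasure record exists, uses an allowed method, and
carries a second-person verification by someone other than the technician.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical policy vocabulary for the erasure tool's "method" field.
ALLOWED_METHODS = {"purge-crypto-erase", "purge-overwrite", "destroy-shred"}


@dataclass(frozen=True)
class ErasureRecord:
    serial: str
    method: str
    technician: str
    verified_by: Optional[str]   # second-person check; None means never verified
    completed: date


def reconcile(manifest: List[str], records: List[ErasureRecord]) -> Dict[str, List[str]]:
    """Map each manifest serial to a list of findings (empty list = cleared to ship)."""
    by_serial: Dict[str, List[ErasureRecord]] = {}
    for rec in records:
        by_serial.setdefault(rec.serial, []).append(rec)

    findings: Dict[str, List[str]] = {}
    for serial in manifest:
        problems: List[str] = []
        recs = by_serial.get(serial, [])
        if not recs:
            problems.append("no erasure record")
        for rec in recs:
            if rec.method not in ALLOWED_METHODS:
                problems.append(f"method not allowed by policy: {rec.method}")
            if not rec.verified_by:
                problems.append("not verified by a second person")
            elif rec.verified_by == rec.technician:
                problems.append("verifier is the same person as the technician")
        findings[serial] = problems
    return findings


def hold_list(findings: Dict[str, List[str]]) -> List[str]:
    """Serials that must be pulled from the shipment until their findings are resolved."""
    return sorted(serial for serial, problems in findings.items() if problems)


# Constructed sample data: four drives on an outbound lease-return pallet.
MANIFEST = ["SN-0001", "SN-0002", "SN-0003", "SN-0004"]
RECORDS = [
    ErasureRecord("SN-0001", "purge-crypto-erase", "tech.a", "lead.b", date(2019, 5, 20)),
    # SN-0002 has no record at all: the drive was never wiped or never logged.
    ErasureRecord("SN-0003", "purge-overwrite", "tech.a", None, date(2019, 5, 20)),
    ErasureRecord("SN-0004", "purge-overwrite", "tech.c", "tech.c", date(2019, 5, 21)),
]

if __name__ == "__main__":
    result = reconcile(MANIFEST, RECORDS)
    for serial in MANIFEST:
        status = "HOLD" if result[serial] else "CLEAR"
        print(f"{serial}: {status} {'; '.join(result[serial])}")
    print("hold list:", hold_list(result))
```

The check is deliberately independent of the erasure tool: it reads the tool's records and the shipping manifest as two separate sources, which is exactly the redundancy the root-cause list calls for. Running it as a gate on the shipping step, with the hold list reviewed by a manager, gives the accountability and audit trail that a blanket "shred everything" policy does not.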

Not only has the firm made a policy change that will cost millions of dollars in lost resale revenue and increased lease return fees, but it has also done little to reduce the risk stemming from the lack of accountability and the imperfect system that led to a technician shipping a device with live data still residing on the hard drive. This same flawed system, left unchanged other than the method of destruction, will likely lead to a technician again shipping a device with a hard drive that was neither wiped nor physically shredded.

Security is too often judged by a consensus of feelings. Even the most sophisticated organizations and experienced practitioners will often make irrational policies based on how a policy makes them feel. In this case, although the financial firm’s policy to destroy the drives does not address the root cause, it does make them feel more secure now that all drives will be destroyed. Organizations incorrectly choose abrupt and elementary policy changes over the more complicated procedural updates that require greater oversight and investment but will more effectively address deficiencies.

As security professionals we need to analyze the logical and empirical security deficiencies, prescribe solutions based on the root causes, assign accountability, and test and evaluate our systems and programs, all the while taking care to prove the value of such investment to the business’s stakeholders. When changing policies in the face of failure, it is important to remove fear from the equation and focus on addressing the problem with a clear mindset.


Topics: education & tips, IT Best Practices, IT Management, Risk Management, Information Security

5 Lessons CIOs Can Learn from Star Trek: The Next Generation

Posted by Frank Milia

May 12, 2014 10:22:00 PM

Avid Star Trek fans and casual viewers alike probably agree that the show’s success is thanks to the moral and philosophical narratives that overshadow the fun science fiction, campy action, and special effects of the series.

The above image is from NASA.GOV. ITAMG is not affiliated with NASA, and our use of this image does not imply that NASA approves of this content or in any way endorses or utilizes our IT asset disposal services.

Recently I began to notice that there were many managerial lessons to take away from the crew of the Starship Enterprise. In tough leadership dilemmas I even find myself asking the question: what would Captain Picard do? That is, other than ordering up a tea, Earl Grey, hot. I’m more of a coffee drinker.

The following are 5 tips from the TNG leadership that could improve any CIO or executive management team.

1. Hire a “Chief of Security”, like Worf, and prioritize the security of your network, data, and fixed assets from attack by insiders, competitors, and criminals. In a recent PwC study “The Global State of Information Security Survey 2014” 18% of the companies surveyed felt their greatest obstacle to improving information security was due to a lack of experience and leadership from a CISO / CSO. Take a lesson from Picard and put an experienced security professional in charge of developing and implementing your security strategies. Worf always put security measures ahead of any other goal and you need a dedicated resource to do the same for your firm.

2. He may not be a beloved character, but there is a lesson to be learned from the accelerated promotion of young Ensign Wesley Crusher. There is no place in or outside of the workplace for age, racial, gender, or any other type of discrimination. It is important to invest in all available talent through continuing education, as well as to promote inside staff whenever possible. Furthermore, young energy and fresh perspective can create an exciting and creative approach to problem solving. There are also programs like All Star Code that can help your organization cultivate new technology candidates in communities that are currently underrepresented in the field. Well before attending the Academy, Wesley Crusher proved himself an unrivaled problem solver and a key member of the Enterprise’s success.

3. Follow the “Prime Directive” and do not abuse or overextend the power of your technological advancement. The culture of an information technology department should be one that champions service, availability, security, and innovation with the goal of supporting the key mission of the organization. Technology should provide for and enable users and never be utilized to inappropriately collect information or interfere with the organization’s core operations. The best IT departments will provide service to users with a soft hand and a light presence. A CIO should disseminate a mission statement that matters: give your team a cultural identity and code of operation, and then make sure they live it.

4. During difficult times, make sure that as a leader you take a tour with the “away team”. An effective leader takes the time to report to the trenches in order to obtain a direct understanding of the challenges the team faces. In the most critical situations, Captain Picard or First Officer William Riker would step into action to ensure success. Getting on the front line of issues now and then will command respect from your employees and make sure you are analyzing problems with a real-world perspective.

5. Boldly go where no CIO has gone before. Technology is now the foundation for the success of almost every business or institution. In order for a CIO to be successful, he or she needs to be a master of the mundane (think email and help desk) as well as the intellect behind innovation (think analysis of big data, transition to outsourcing and cloud services, and development of core business processes). More often than ever, CIOs are being considered for CEO positions as organizations look to the CIO to lead the company's overall direction and drive profitability through efficiency and lean processes. In any leadership role it is important to be free to experiment, change course, and head into the unknown.


Topics: IT Asset Disposal, Management Tips, IT Management, Information Security
