Maintaining Rational Policies in the Face of Failure

Posted by Frank Milia

May 29, 2019 2:48:09 PM

When we fail in life, especially at our security, we tend to overreact and make quick and sweeping changes. If you leave your door open and your home is burglarized, moving out of your neighborhood or installing a state-of-the-art security system may be an irrational response compared to locking your doors from now on. When implementing changes, it is important to address the specific cause of the failure and not let fear of recurrence cloud the way you make improvements.

When organizations uncover regulatory data protection non-compliance or suffer the consequences of an outright data breach, they often struggle to implement corrective actions that address the root cause of the issue. Instead they implement new policies that can adversely affect the business while failing to address the deficiency head on. Security, IT, and compliance stakeholders need to stay focused on resolving the cause of an issue and not be distracted by fear or rushed into implementing hastily designed corrective actions.


To illustrate this point I will describe a common scenario I have witnessed at clients to whom I provide data disposition and regulatory compliance consulting as well as IT asset disposition and data destruction services.

Scenario:

A large financial institution has internal policies and procedures for erasing hard drives before lease returns and the disposal of retired assets. The firm is notified that a shipment back to a vendor contained drives that had not been wiped. The drives were encrypted, so at the time of this event no regulation in the USA would have treated it as a breach requiring disclosure. However, the company’s internal policies and procedures were not followed, so internal stakeholders required an investigation and corrective action.

The company concluded that the risk came from allowing erasure and reuse of the hard drives, and implemented a new policy and procedure under which all hard drives must now be physically destroyed before disposal or lease return. Although one could argue that this approach makes sense given the high cost and risk of a data breach, it is actually a flawed response that does not address the root cause of the non-conformity (an employee’s actions failed to adhere to company policy).

When I analyze and investigate events like this, common root causes tend to include:

  1. Technician(s) failed to erase and document erasure as designed and provided in existing management system
  2. Management system failed to assign accountability of such events
  3. Technician(s) not properly trained or no documented training sessions found
  4. Routine audit of applicable work not practiced
  5. Process for erasure and equipment returns failed to have redundancies, spot checks, and/or verification steps to ensure compliance
  6. Inadequate managerial oversight or approval system in place for data destruction and return management
  7. Detailed processes and work flow procedures poorly documented or none in writing found

The client’s response of requiring on-site destruction of all media does not address any of the issues noted above. The firm can change the method, the destruction tool, and the policy, but without addressing the core deficiencies in the management system, procedures, training, and redundancies, the threat of a non-conformity or an event that leads to a data breach remains.
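The verification step that the root-cause list calls for (item 5) can be made concrete. The following is an added example, not code from ITAMG or from the client described above: it reads a drive image sector by sector, confirms that every sector is zero after a zero-fill erase, and emits a record that names both the technician who performed the erase and a second person who verified it, so that accountability is part of the evidence. The image files, serial numbers and user names are constructed for the example.

```python
"""Added example: an erasure spot check that produces an auditable record.

Verifies that a block device image contains only zeros (the expected state
after a zero-fill erase) and records who erased and who verified.
All names, paths and sample images here are constructed for the example.
"""
import json
import os
import random
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

SECTOR_SIZE = 512


@dataclass
class VerificationRecord:
    serial: str
    technician: str        # who performed the erase
    verifier: str          # who checked it; must be a different person
    sectors_total: int
    sectors_checked: int
    sectors_with_data: int
    passed: bool
    checked_at: str

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)


def count_nonzero_sectors(path, sample_count=None, seed=None):
    """Return (total, checked, with_data) for the image at `path`.

    sample_count=None reads every sector. A random sample only estimates the
    state of the drive and can miss residual data in sectors it did not read.
    """
    total = os.path.getsize(path) // SECTOR_SIZE
    if sample_count is None or sample_count >= total:
        indices = range(total)
    else:
        indices = sorted(random.Random(seed).sample(range(total), sample_count))
    with_data = 0
    with open(path, "rb") as fh:
        for idx in indices:
            fh.seek(idx * SECTOR_SIZE)
            if any(fh.read(SECTOR_SIZE)):
                with_data += 1
    return total, len(indices), with_data


def verify_erasure(path, serial, technician, verifier, sample_count=None, seed=None):
    """Two-person check: the verifier signs off on the technician's erase."""
    if technician == verifier:
        raise ValueError("verifier must be a different person from the technician")
    total, checked, with_data = count_nonzero_sectors(path, sample_count, seed)
    # Only a complete read of a clean device counts as a pass; a partial
    # sample can support a spot check but not a certificate.
    passed = with_data == 0 and checked == total
    return VerificationRecord(serial, technician, verifier, total, checked,
                              with_data, passed,
                              datetime.now(timezone.utc).isoformat())


def make_test_image(path, sectors, dirty_sectors=()):
    """Constructed drive image: all zeros, with optional sectors of leftover data."""
    with open(path, "wb") as fh:
        for idx in range(sectors):
            if idx in dirty_sectors:
                fh.write(b"LIVE-DATA".ljust(SECTOR_SIZE, b"\x00"))
            else:
                fh.write(bytes(SECTOR_SIZE))


def demo():
    """Run the check on a clean image and on one with a single unwiped sector."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.img")
        dirty = os.path.join(tmp, "dirty.img")
        make_test_image(clean, 1000)
        make_test_image(dirty, 1000, dirty_sectors={777})
        full_clean = verify_erasure(clean, "SN-EXAMPLE-1", "tech.a", "lead.b")
        full_dirty = verify_erasure(dirty, "SN-EXAMPLE-2", "tech.a", "lead.b")
        # A 10-sector sample may never land on sector 777; it is reported as
        # not passed regardless, because it did not read the whole device.
        sampled = verify_erasure(dirty, "SN-EXAMPLE-2", "tech.a", "lead.b",
                                 sample_count=10, seed=1)
        return full_clean, full_dirty, sampled


if __name__ == "__main__":
    for record in demo():
        print(record.to_json())
```

The point of the sampled run is the caveat: a spot check that reads a handful of sectors is a useful redundancy in the process, but it is not evidence of erasure, and the record should say which of the two it was.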

Not only has the firm made a policy change that will cost millions of dollars in lost revenue from resale and increased lease return fees, but it has also done little to reduce the risk stemming from the lack of accountability and the imperfect system that led to a technician shipping a device with live data still residing on the hard drive. This same flawed system, left unchanged other than the method of destruction, will likely lead to a technician again shipping a device with a hard drive that is neither wiped nor physically shredded.

Security is too often judged as a consensus of feelings. Many times even the most sophisticated organizations and experienced practitioners will make irrational policies based on how a policy makes them feel. In this case, although the financial firm’s policy to destroy the drives does not address the root cause, it does make them feel more secure now that all drives will be destroyed. Organizations incorrectly choose abrupt and elementary policy changes over more complicated procedural updates that require greater oversight and investment but will more effectively address the deficiencies.

As security professionals we need to analyze the logical and empirical security deficiencies, prescribe solutions based on the root causes, assign accountability, and test and evaluate our systems and programs, all the while taking care to prove the value of such investment to the business’s stakeholders. When changing policies in the face of failure, it is important to remove fear from the equation and focus on addressing the problem with a clear mindset.


Topics: education & tips, IT Best Practices, IT Management, Risk Management, Information Security

5 Tips for Computer Disposal and Data Destruction

Posted by Frank Milia

Aug 17, 2015 10:42:00 AM

At ITAMG we have been advising our clients on the big picture best practices for IT asset management, computer recycling, and secure data erasure. The following are five specific tips to help you make the most of your IT asset disposal program.


1) Communicate your needs. We can help with refresh strategy, relocations, and more. As an IT asset management and disposal vendor we bring a unique perspective and skill set to advising on refresh projects, office and data center moves, and general procurement strategies.

Do:

Keep your asset disposal vendor in the loop on any major projects that affect your business operations and IT planning. We are familiar with a wide array of challenges that large organizations face during various projects and are happy to help your firm conquer them all.

Don’t:

Don’t wait until the final hour of a large project to enlist the help of your disposal vendor. The more lead time given to prepare statements of work, an action plan, quoted costs and returns, and logistics, the more likely a project will conclude successfully and within budget.

2) Reset or clear any BIOS and admin passwords from laptops in order to assist with data erasure and re-imaging of machines for refurbishment and sale.

Do:

Create a repository of admin passwords by model or other machine attributes to share with your computer recycling vendor. At minimum, keep a master list of all admin passwords. If your firm can’t share admin passwords, make sure to set a default password before disposing of the machine.

Don’t:

Do not allow IT or other employees to create and use admin passwords that are not standardized or otherwise recorded for future reference. Don’t expect full value for Apple equipment, laptops, or similar devices if admin passwords are not available or cannot be reset prior to disposal.

3) Instruct users to remove returned Apple devices from their iCloud accounts. iCloud is used to track lost or stolen assets, and unless a device is removed from a registered account your company or disposal vendor may not be able to legally reuse valuable and desirable assets.

Do:

Notify users across your organization who are using personal iCloud accounts on company assets to remove their devices from the account when turning the asset back in. Create a repository for tracking iCloud user names and passwords for company-generated iCloud accounts so devices can be removed from users’ profiles and sold or otherwise reused.

Don’t:

Don’t allow users to use personal iCloud accounts on company-owned assets. Put a policy and process in place for users to use company-provided iCloud profiles on company-owned Apple devices. Managing the devices this way will allow your firm to control the devices on the user’s account and ensure the assets are reusable or eligible for liquidation returns at retirement.

4) Manage end-of-life data security appropriately. Lock up unencrypted media that are threats of exposure until data destruction is performed.

Do:

When pulling machines out of the working environment, make sure all data-containing devices are locked in rooms, cages, or containers accessible only to employees with the appropriate security clearance. Label and utilize locked containers to store any loose end-of-life media.

Don’t:

Don’t store assets or media in conference rooms, hallways, or open office spaces where the general public, building employees, or any other employees or visitors may be able to access them. Do not leave loose media or hard drives sitting in data centers, storage closets, or any other office space.

5) Handle equipment with care during physical consolidation and internal relocation. Liquidation returns on equipment are contingent on the working and cosmetic condition of surplus computer equipment.

Do:

Ask us about the safest way to move all different types of equipment. Moving equipment throughout an office using carts or commercial moving bins is probably your best option. Treat the equipment with the same level of care used during implementation when removing it from the environment. We are happy to provide tips on how to pack and move equipment efficiently and safely.

Don’t:

Don’t grab or apply pressure to LCD screens, scratch screens by letting equipment rub together, excessively stack laptops, damage rail kits or face plates on servers, or cut power cords from UPS, power, or any other equipment. Avoid packaging or dismantling equipment without clear direction from an ITAMG professional. Do not allow a commercial moving vendor to abuse retired equipment simply because it is categorized as excess, waste, retired, salvage or other.


Topics: IT Asset Disposal, Computer Liquidation, IT Management, Electronic Waste Management

5 Attributes of a Successful IT Asset Disposition Program

Posted by Frank Milia

Aug 25, 2014 2:29:00 PM


Government agencies, corporations, and various institutions are taking measures to improve IT asset management and disposition practices in order to mitigate risk of a data breach, achieve environmental initiatives, and ensure optimal financial performance. The following are some key pieces to building a secure and efficient IT disposal program.  

1. Implement and utilize an asset management and inventory system

An asset management program’s success will be driven by the inventory tools and processes in place to track assets from cradle to grave, or in other words from the time of an asset’s implementation until the asset is recycled or liquidated. The inventory management system should be utilized to document when an asset is disposed of, its final destination (vendor and asset status), and what administrator or manager signed off on the disposition.

Having robust asset management data that includes model numbers, serial numbers, and other attributes and specifications of equipment also allows an organization to bid out an asset disposal contract more effectively and for more competitive returns.

2. Track and maintain documentation of disposition and data destruction of assets

Asset management disposition data should be reconciled with the data provided by a firm’s disposal vendor. These inventory reports, settlements, and certifications of destruction and proper handling should be maintained in accessible formats.

The most sophisticated asset disposal programs integrate with a disposal vendor’s asset management software in order to confirm and document the disposition of an asset. With a full integration, an asset management team can mark an item as shipped or disposed of and then track the receiving, processing, sale, or recycling of that asset.
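The reconciliation described above (and the "confirmation and reconciliation of the serialized data" that closes a disposition project in the project-management post further down) comes down to matching serial numbers between what you shipped and what the vendor certifies. The following is an added example, not ITAMG's or any vendor's software: it compares a constructed internal manifest with a constructed certificate-of-destruction report and sorts the differences into the findings a practitioner has to chase. The dataclass and field names are this example's own, and the Clear < Purge < Destroy assurance ordering used to judge a vendor's method against policy follows the NIST 800-88 terminology.

```python
"""Added example: reconcile an internal disposition manifest against a vendor's
certificate-of-destruction report, serial by serial. All records below are
constructed; the dataclass names and field names are this example's own."""
from dataclasses import dataclass

# Assurance ordering used to judge whether the vendor's method satisfies policy.
STRENGTH = {"clear": 1, "purge": 2, "destroy": 3}


@dataclass(frozen=True)
class ShippedAsset:
    serial: str
    asset_tag: str
    required_method: str   # what policy requires for this media: clear, purge or destroy


@dataclass(frozen=True)
class VendorLine:
    serial: str
    method: str            # what the vendor certifies was performed
    certificate_id: str


def norm(serial: str) -> str:
    """Vendor reports come back in mixed case and with stray whitespace."""
    return serial.strip().upper()


def reconcile(shipped, vendor):
    manifest = {norm(a.serial): a for a in shipped}
    certified = {}
    duplicates = []
    for line in vendor:
        key = norm(line.serial)
        if key in certified:
            duplicates.append(key)           # same serial certified twice: ask the vendor why
        certified[key] = line

    unreported = sorted(set(manifest) - set(certified))   # shipped but never certified: potential exposure
    unexpected = sorted(set(certified) - set(manifest))   # certified but never on our manifest: custody gap
    mismatch, confirmed = [], []
    for key in sorted(set(manifest) & set(certified)):
        need = manifest[key].required_method.lower()
        done = certified[key].method.lower()
        if need not in STRENGTH:
            raise ValueError(f"unknown required method {need!r} for {key}")
        if STRENGTH.get(done, 0) < STRENGTH[need]:
            mismatch.append((key, need, done))   # vendor did less than policy requires
        else:
            confirmed.append(key)
    return {"unreported": unreported, "unexpected": unexpected,
            "method_mismatch": mismatch, "duplicates": duplicates,
            "confirmed": confirmed}


def demo():
    """Constructed manifest and vendor report exercising every finding type."""
    shipped = [
        ShippedAsset("SN1001", "A-1", "purge"),
        ShippedAsset("SN1002", "A-2", "destroy"),
        ShippedAsset("SN1003", "A-3", "purge"),
        ShippedAsset("sn1004", "A-4", "clear"),
    ]
    vendor = [
        VendorLine("sn1001 ", "Purge", "CERT-EX-1"),
        VendorLine("SN1002", "purge", "CERT-EX-2"),    # weaker than the destroy policy requires
        VendorLine("SN1004", "destroy", "CERT-EX-3"),  # stronger than required: acceptable
        VendorLine("SN9999", "destroy", "CERT-EX-4"),  # not on our manifest
        VendorLine("SN1001", "purge", "CERT-EX-5"),    # duplicate certification
    ]
    return reconcile(shipped, vendor)


if __name__ == "__main__":
    for finding, items in demo().items():
        print(f"{finding}: {items}")
```

The "unreported" bucket is the one that matters most for the scenario in the first post: a serial that left the building and never came back on a certificate is exactly the drive nobody wiped.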

3. Sign a formal agreement with an IT asset disposition vendor or managed service provider

Take the steps to put an agreement in place with an IT asset disposal provider that documents your firm’s due diligence, understanding, and expectations of the vendor and performance milestones of the disposition program.

A standard Master Service Agreement (MSA) should include the following:

  • Data security and privacy policies (including the process for disclosure of potential exposures)
  • Commitment to environmental recycling controls and compliant waste management
  • Insurance coverage
  • Overview of service levels, process, financial obligations, reporting and billing standards

4. Develop a data destruction process driven by NIST 800-88 Guidelines for Media Sanitization

If you’re unfamiliar with NIST 800-88 you can learn more from this introduction blog entry.

Developing a data destruction program to the best practices outlined by NIST 800-88 will ensure end-of-life data security and establish a process for maintaining the audit-ready documents needed to validate a firm’s data privacy compliance.

A program following the NIST 800-88 method will identify risk, categorize media, select effective eradication methods, set quality assurances, record and certify the destruction of assets, and place responsibility for the program’s success on senior managers.

Every organization should be considering the risk of a data breach caused by improper data sanitization and set eradication methods and disposal processes according to data privacy laws and industry specific regulations (e.g. HIPAA for health and human services).
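The "select effective eradication methods" step above turns on three questions: how sensitive the information is, whether the media will be reused, and whether it will leave the organization's control. The following is an added example, not ITAMG's code and not an excerpt from the NIST document: it encodes my reading of the SP 800-88 Rev. 1 disposition decision flow as a function and applies it to a constructed inventory. Treat the branch mapping as an assumption to check against the published flowchart before adopting it, and note that the resulting plan is an input to the validation and documentation steps, not a substitute for them.

```python
"""Added example: the 'select an eradication method' step of an 800-88 style
program, written as a function over the three inputs the decision flow uses.
The branch mapping is my reading of the Rev. 1 decision flow (an assumption
to verify against the published figure); the inventory below is constructed."""
from dataclasses import dataclass

CATEGORIES = ("low", "moderate", "high")   # FIPS 199 style confidentiality impact


def select_method(security_category: str, reuse_media: bool,
                  leaving_org_control: bool) -> str:
    """Return 'Clear', 'Purge' or 'Destroy' for one piece of media."""
    cat = security_category.lower()
    if cat not in CATEGORIES:
        raise ValueError(f"unknown security category: {security_category!r}")
    if not reuse_media:
        # Media that will not be reused is destroyed regardless of category.
        return "Destroy"
    if cat == "high":
        # High-impact data: Purge if it stays in-house, Destroy if it leaves.
        return "Destroy" if leaving_org_control else "Purge"
    # Low and moderate: Clear is enough in-house; Purge before it leaves.
    return "Purge" if leaving_org_control else "Clear"


@dataclass(frozen=True)
class MediaItem:
    serial: str
    media_type: str
    security_category: str
    reuse_media: bool
    leaving_org_control: bool


def plan_sanitization(items):
    """Return {serial: method}. Keeping this plan alongside the inputs that
    produced it is the 'record' part of record-and-certify."""
    return {item.serial: select_method(item.security_category,
                                       item.reuse_media,
                                       item.leaving_org_control)
            for item in items}


def demo():
    """Constructed inventory covering each branch of the decision flow."""
    inventory = [
        MediaItem("EX-HDD-1", "hdd", "moderate", True, True),   # lease return: leaves our control
        MediaItem("EX-SSD-2", "ssd", "high", True, False),      # redeployed internally
        MediaItem("EX-HDD-3", "hdd", "high", True, True),       # resale of high-impact media
        MediaItem("EX-TAPE-4", "tape", "low", False, True),     # will not be reused
        MediaItem("EX-HDD-5", "hdd", "low", True, False),       # reissued to another desk
    ]
    return plan_sanitization(inventory)


if __name__ == "__main__":
    for serial, method in demo().items():
        print(f"{serial}: {method}")
```

In the lease-return scenario from the first post, the drives were moderate-or-higher impact media leaving the organization's control, so the flow lands on Purge (or Destroy for high-impact data); the policy problem was never which branch applied, but that nobody verified the branch had been carried out.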

5. Create an accounting mechanism to keep liquidation returns in the IT budget

IT asset managers and acting directors are tasked to quantify value to executive management and IT operations. Efficient liquidation of assets can yield significant returns, and these financial recoveries should not go unnoticed.

IT asset managers should develop accounting mechanisms to track returns from the disposal program as well as to keep the funds in the IT budget. This can be achieved by using a credit system for future product purchases or services instead of receiving direct payments from a disposal vendor. The disposal provider can provide goods and services directly or partner with an OEM or VAR to do so.  




Topics: IT Asset Disposal, IT Management, data sanitization, NIST 800-88

5 Lessons CIOs Can Learn from Star Trek: The Next Generation

Posted by Frank Milia

May 12, 2014 10:22:00 PM

Avid Star Trek fans and casual viewers alike probably agree that the show’s success is thanks to the moral and philosophical narratives that overshadow the fun science fiction, campy action, and special effects of the series.

[Image: the image above is from NASA.GOV. ITAMG is not affiliated with NASA, and our use of this image does not imply that NASA approves of this content or in any way endorses or utilizes our IT asset disposal services.]

Recently I began to notice that there were many managerial lessons to take away from the crew of the Starship Enterprise. In tough leadership dilemmas I even find myself asking the question: what would Captain Picard do? That is, other than ordering up a tea, Earl Grey, hot. I’m more of a coffee drinker.

The following are five tips from the TNG leadership that could improve any CIO or executive management team.

1. Hire a “Chief of Security”, like Worf, and prioritize the security of your network, data, and fixed assets from attack by insiders, competitors, and criminals. In a recent PwC study “The Global State of Information Security Survey 2014” 18% of the companies surveyed felt their greatest obstacle to improving information security was due to a lack of experience and leadership from a CISO / CSO. Take a lesson from Picard and put an experienced security professional in charge of developing and implementing your security strategies. Worf always put security measures ahead of any other goal and you need a dedicated resource to do the same for your firm.

2. He may not be a beloved character, but there is a lesson to be learned from the accelerated promotion of young Ensign Wesley Crusher. There is no place in or outside of the workplace for age, racial, gender, or any other type of discrimination. It is important to invest in all available talent through continuing education as well as to promote inside staff whenever possible. Furthermore, young energy and a fresh perspective can create an exciting and creative approach to problem solving. There are also programs like All Star Code that can help your organization cultivate new technology candidates in communities that are currently underrepresented in the field. Well before attending the Academy, Wesley Crusher proved himself an unrivaled problem solver and a key member of the Enterprise’s success.

3. Follow the “Prime Directive” and do not abuse or overextend the power of your technological advantage. The culture of an information technology department should be one that champions service, availability, security, and innovation with the goal of supporting the key mission of the organization. Technology should provide for and enable users and never be utilized to inappropriately collect information or interfere with the organization’s core operations. The best IT departments provide service to users with a soft hand and a light presence. A CIO should disseminate a mission statement that matters: give your team a cultural identity and code of operation, and then make sure they live it.

4. During difficult times, make sure that as a leader you take a tour with the “away team”. An effective leader takes the time to report to the trenches in order to obtain a direct understanding of the challenges the team faces. In the most critical situations Captain Picard or First Officer William Riker would step into action to ensure success. Getting on the front line of issues now and then will command respect from your employees and make sure you are analyzing problems with a real-world perspective.

5. Boldly go where no CIO has gone before. Technology is now the foundation for the success of almost every business or institution. In order for a CIO to be successful he or she needs to be a master of the mundane (think email and help desk) as well as the intellect behind innovation (think analysis of big data, transition to outsourcing and cloud services, and development of core business processes). More often than ever, CIOs are being considered for CEO positions as organizations look to the CIO to lead the company’s overall direction and drive profitability through efficiency and lean processes. In any leadership role it is important to be free to experiment, change course, and head into the unknown.

 


Topics: IT Asset Disposal, Management Tips, IT Management, Information Security

Project Management is Key to Safe IT Asset Disposition

Posted by Frank Milia

Nov 12, 2013 2:23:00 PM

Project management is a critical component of any IT project, yet the end-of-life disposal process often lacks the proper amount of attention. Proper IT disposal planning will minimize data security risks and cleanly close out the life cycle of computer equipment with the creation of key asset management records.

Throwing together an IT disposal plan at the last minute or making it the afterthought to a refresh plan will put your firm at a higher risk of a data breach as well as vulnerable to poor evaluations or audits of your general IT practices.

 

According to Project Insight there are 5 Basic Phases of Project Management:

  1. Project conception and initiation
  2. Project definition and planning
  3. Project launch or execution
  4. Project performance and control
  5. Project close

 

Let’s briefly look at using these 5 phases to accomplish the goal of safely and securely completing an IT disposal project.

Planning facility relocations, equipment upgrades, or the regular need for IT disposal will define the project conception and initiation piece. The conception phase is the ideal time to contact an IT asset disposition firm to qualify vendors and define the parameters of future services through a Master Service Agreement. At this stage it is not necessary to select vendors but to instead make sure the services are budgeted for and qualified service providers and tools have been identified and vetted.

It is important to take appropriate efforts to perform due diligence and gain an understanding of a disposal vendor’s insurance, data security policies, and environmental standards. This type of due diligence is difficult to perform at the end of an equipment upgrade where physical space, time, and human resources are limited.  

In the definition and planning stage, thoughtful preparation is required. Typical action items for a disposal project include taking physical inventory, selecting a vendor, backing up critical data, physically relocating and consolidating surplus equipment, and coordinating logistics for the equipment collection.

The project launch and execution involves informing staff of their responsibilities. Included in this are milestones expected, end dates, and any required reporting along the way. Each employee must be clear on tasks, deadlines, and requirements to other departments such as asset reporting to finance, adhering to security requirements set by info security and upper management, or meeting site access restrictions and insurance requirements for facilities.

Closing a disposition project will be defined by physical removal of the equipment from the site followed up with asset reporting, certification, and confirmation and reconciliation of the serialized data.

Project performance and control is all about flexibility. Adherence to schedules is ideal, but not always possible. When necessary adjust schedules and keep staff and vendors informed of any changes.

IT asset disposition is a regular result of various technology implementations and is worthy of serious consideration by project managers. With proper management of surplus computer equipment disposal, a firm will avoid data breaches and environmental liabilities and create a repository of records for managing the organization’s fixed assets.

 


Topics: IT End of Life Strategy, education & tips, Computer Liquidation, IT Management

   
