It seems that you can hardly turn on the news or open an Internet site these days without hearing about another data breach from a well-known company. This is a problem that is here to stay. No matter how secure a company tries to be, there are hackers out there whose sole purpose is to prove they can steal your data and maybe sell it for a profit. And, of course, there are the breaches that happen because employees open phishing e-mails, don’t follow password policies and recommendations, and who lose laptops and USB drives. Regardless of the reason behind a data breach, your company could be looking at monetary losses directly related to the breach, bad press, fines, loss of stock value, and the weakening of customer confidence toward your company.
One area where you can truly minimize the risk of a data breach is asset retirement and end-of-life for any asset that has a hard drive. You should construct a reliable data destruction policy with auditable procedures. Doing so will protect your business and the sensitive data associated with it. For companies that must comply with HIPAA or PCI, end-of-life data destruction procedures will be reviewed as a part of your audits.
Step #1: Identify Scenarios for a Breach
The first thing you need to do is figure out the scenarios where a breach might occur. For example, loss of items containing sensitive data such as phones and laptops is a common source of a data breach. An often overlooked source of a breach is the disposal of retired IT equipment. These assets often get shipped around within the organization and are handled by several different people before actually being turned over to an ITAD vendor for recycling or remarketing. This is why a proper data destruction policy and asset retirement procedure are essential.
Step #2: Choose a Data Destruction Process
When used equipment is to be recycled or resold, the data contained on each unit must be effectively destroyed or made unrecoverable. One option is to physically destroy the drive or other media via crushing or shredding, but this doesn’t allow you to reuse the hard drive, or the equipment itself if it has embedded flash storage. If reuse is your goal, then you must wipe the drives of all data. This is a much more cost-effective choice for assets that have remarketing value, and not cost-effective if the drive or the asset has no potential for reuse. Whichever data destruction process you choose, be sure it meets the NIST SP 800-88 guidelines, which also call for verifying the result and keeping a record of what was sanitized, how, and by whom. If you are doing physical destruction, the NSA also has recommendations and approved equipment lists.
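The two things an auditor will ask about a wiped drive are "how did you verify it?" and "where is the record?". The following script is an added example, not code from the article or from Lifespan: it reads a medium back sector by sector to confirm the wipe left nothing but zeros, and then builds an auditable sanitization record. It assumes the wipe tool overwrote the whole device with 0x00, and the record fields are our own, loosely modelled on the sample certificate of sanitization in NIST SP 800-88 Rev. 1; the asset tag, serial and operator names are constructed sample values.

```python
"""Post-wipe verification and auditable sanitization record (added example).

Assumptions (not stated on the page):
- The wipe overwrote the whole medium with 0x00, so verification means
  every sector read back must be all-zero bytes.
- Record fields are our own, loosely following NIST SP 800-88 Rev. 1's
  sample certificate of sanitization.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

SECTOR = 512  # bytes per sector read during verification


def verify_zeroed(dev, size, sample_every=1):
    """Read `size` bytes from the file-like `dev` in SECTOR-sized chunks.

    sample_every=1 checks every sector (full verification); a larger value
    checks only every Nth sector (representative sampling, which is cheaper
    but can miss residue that sits between sampled sectors).
    Returns (ok, first_bad_offset): (True, None) when every checked sector
    is all-zero, otherwise (False, byte offset of the first non-zero sector).
    """
    zero = b"\x00" * SECTOR
    for offset in range(0, size, SECTOR * sample_every):
        dev.seek(offset)
        chunk = dev.read(min(SECTOR, size - offset))
        if chunk != zero[: len(chunk)]:
            return False, offset
    return True, None


def sanitization_record(asset, method, tool, ok, bad_offset, operator,
                        validator, when=None):
    """Build the audit record for one medium and seal it with a SHA-256.

    `method` is the NIST 800-88 category the process falls under
    (clear / purge / destroy); `tool` is the wipe utility used.
    """
    when = when or datetime.now(timezone.utc)
    rec = {
        "asset_tag": asset["asset_tag"],
        "serial_number": asset["serial"],
        "media_type": asset["media_type"],
        "sanitization_method": method,
        "tool": tool,
        "verification": "full read-back, all sectors zero",
        "result": "PASS" if ok else "FAIL",
        "first_nonzero_offset": bad_offset,
        "performed_by": operator,
        "validated_by": validator,
        "timestamp_utc": when.replace(microsecond=0).isoformat(),
    }
    # Hash of the canonical JSON lets a later reviewer detect edits to the record.
    canonical = json.dumps(rec, sort_keys=True).encode()
    rec["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return rec


# --- constructed in-memory media images standing in for real block devices ---
def make_wiped_image(size):
    """A medium that was fully overwritten with zeros."""
    return io.BytesIO(bytes(size))


def make_residual_image(size, residue_offset):
    """A medium whose wipe missed one region, leaving constructed residue."""
    buf = bytearray(size)
    buf[residue_offset:residue_offset + 16] = b"CUSTOMER-RECORD!"
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    size = 64 * SECTOR
    asset = {"asset_tag": "LT-0042", "serial": "SN-CONSTRUCTED-1", "media_type": "HDD"}
    for name, img in (("wiped", make_wiped_image(size)),
                      ("residual", make_residual_image(size, 10 * SECTOR))):
        ok, bad = verify_zeroed(img, size)
        rec = sanitization_record(asset, "purge", "example-wipe-tool", ok, bad,
                                  "tech.a", "auditor.b")
        print(name, json.dumps(rec, indent=2))
```

On a real Linux host the image would be replaced by `open("/dev/sdX", "rb")` with `size` taken from the device, and the JSON record filed with the asset's chain-of-custody paperwork. The `sample_every` parameter is there to show the trade-off deliberately: a sampled read of the residual image with `sample_every=4` passes because the leftover sector is never read, which is why a full read-back is the safer default for drives leaving your control.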
Step #3: Check for NAID AAA Certification
The National Association for Information Destruction (NAID) provides certification to vendors who have passed a rigorous auditing process. A business receiving AAA certification from NAID has proven that its facilities, employees and data destruction processes meet the highest standards in the industry. By partnering with a vendor that has received this certification, you can be assured that your data destruction process will be thorough, effective, and auditable.
Constructing a reliable end-of-life data destruction policy should be a part of every company’s security strategy. It’s also imperative that the policy is implemented via processes that can be documented and followed by your internal team and your partners. As in all other aspects of security, people are key. This is why your business must provide information, training and tools so that your team can follow the process consistently and avoid “accidental” data breaches.
Lifespan partners with companies to help you develop policies and procedures for end-of-life asset retirement. We help you communicate and execute those procedures. Download Lifespan’s ITAD Self-Assessment Guide & Get a Complimentary GAP Analysis