Why Information Must Be Destroyed, Part Two
Ben Rothke looks at how to destroy digitally stored information. Includes pros and cons of in-house and outsourced data destruction.
By Ben Rothke, CISSP, PCI QSA
May 05, 2009 — CSO —
In the first installment of Why Information Must Be Destroyed I discussed how not discarding worthless hard copy documents, even though they appear to have no value is a security risk. While this is true for physical hard copies, it is even more relevant for digitally stored data.
This installment deals with the process of destroying hard drives and other digital media. This is commonly known as disk sanitization or data purging. Unfortunately, far too few organizations realized the need for the issue, and therefore few have formalized processes around data purging.
What needs to be destroyed?
The Unified Compliance Framework (UCF) media destruction recommendations include handling guidance for the destruction of 48 different media types including compact flash drives, electronically erasable PROM (EEPROM), magnetic tape and more. The UCF also identifies the appropriate data elimination practice for each type of data storage asset including the use of secure erase, chemically clean, ultraviolet erase, and shredding.
Ultimately, any device capable of storing data that has reached the end of its usable life must be addressed by a policy that effectively mandates the elimination of any trace of legacy data. Essentially, any storage medium; including optical media, backup media, cassettes, VHS tapes, floppy disks, X-rays, microfiche, microfilm, intelligent mobile devices (BlackBerry, smartphone, etc.), ID cards, and credit cards; that contains any confidential or personal information should be addressed in policies regarding access, retention, handling and destruction. [See also The Seven Deadly Sins of Record Retention.]
For example, a smartphone, be it a BlackBerry or iPhone, presents a significant risk to data loss protection efforts if adequate disposal procedures are not applied. Smartphones often contain a poorly protected image of the user's complete inbox, contact information and other confidential information present on their workstation. Yet, despite security measures to protect workstations and organizational messaging systems, smartphones often are neglected.
Given the relatively short lifespan of these assets (smartphones are replaced on average of every 18-24 months) and that many organizations do not have the available resources to handle the data elimination process, there is a high probability that your organization is warehousing a significant inventory of used units. The risk of data exposure due to the loss or theft of a just a single device can initiate the need to issue a mandatory disclosure of lost data. Hence, every organization must seriously consider the risks posed by the warehousing data storage devices.
Used Equipment—The Afterlife
Once hardware reaches the end of its operational life to an organization, it is often returned off-lease, donated or resold. Used equipment with hard dives or other media should not be released from the organization's control unless data has been eliminated from the equipment, and data destruction has been verified. A zero tolerance policy against the selling of used media that cannot be effectively sanitized should be established.