With the current trend towards moving data and services into the cloud, what happens to the old infrastructure that once housed this data? Even with your own personal data set-up, how do you minimise or eliminate the risk that once you have disposed of your equipment, its content has already been securely erased, destroyed or made non-recoverable?
Most of us would start off by using encryption as a standard for media where important data is being stored, to prevent possible unauthorised access in the future. But is that the answer? And what about pre-existing assets that may not have already had this applied or to which it cannot be applied?
According to P Roychowdhury et al, “When data is converted to digital format it becomes vulnerable to being accessed by unauthorized persons through different techniques that have been developed over the years to recover deleted data, decrypt encrypted data, and other techniques.”1
Today’s workforces are using more and more personal devices and, along with that, more and more data is being generated and stored in a variety of formats. Computers, phones, all-in-one devices, storage arrays and even DVDs, CDs and back-up tapes (or drives). As a result, we need to start planning and thinking ahead about an IT asset’s lifecycle and its secure disposal.
While data security is one of highest priorities for companies (and really should be for all of us), little thought is often given to technology assets (e-waste) at the end of their life. How can you be sure that potential data theft does not happen once you have disposed of an IT asset?
This question should form part of your overall IT data security policy, with an IT asset disposition (aka ITAD) strategy that is secure… and, also, green. You would want to ensure complete visibility of all assets at all time during their lifecycle and ensure that their disposal is not just secure, but also environmentally friendly, ie, not going directly to landfill or incinerated.
What is important to understand is there is no ‘one size fits all’ when it comes to disposal of IT assets and the level of security provided.
There is a lot to consider. Should you destroy your data onsite? Should you employ the services of an ITAD provider? There are several companies that specialise in secure data destruction, using methods that vary in the level of security. There are single- or multiple-pass wipes that enable drives to be re-used and maybe return a residual; degaussing that renders the drive unusable; and physical shredding, which is the most expensive option but is also the most secure.
Some guidelines are provided by the Office of the Australian Information Commissioner, which, while maybe focused mainly towards personal information storage and destruction, can be applied to a lot of cases where data is classified as highly sensitive or alike:
- Is hardware containing personal information in electronic form properly ‘sanitised’ to completely remove the stored personal information?
- Have steps been taken to verify the irretrievable destruction of personal data stored by a third party on a third party’s hardware, such as cloud storage? Where the third party has been instructed by the organisation to irretrievably destroy the personal information, have steps been taken to verify that this has occurred?
- Are backups of personal information also destroyed? Are backups arranged in such a way that destruction of backups is possible? If not, have steps been taken to rectify this issue in the future, and has the backed-up personal information been put beyond use?
- How is compliance with data destruction procedures monitored and enforced?
So have a look at what your or your organisation currently does for IT asset disposal and what policies and procedures they follow (or don’t). It may be worth having that discussion with your CIO or management about possible breaches of data security when IT assets have reached their end of life, and how to best minimise this risk by implementing some of the aforementioned strategies.
Some further guidance and information on various risk management frameworks and practices can be found in:
- ISO 27005:2018, Information technology – Security techniques – Information security risk management, at https://www.iso.org/standard/75281.html
- International Electrotechnical Commission 31010:2009, Risk management – Risk assessment techniques, at https://www.iso.org/standard/51073.html
- NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, at https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
1. Pg. 862, Roychowdhury P., Alghazo J.M., Debnath B., Chatterjee S., Ouda O.K.M. (2019) Security Threat Analysis and Prevention Techniques in Electronic Waste. In: Ghosh S. (eds) Waste Management and Resource Efficiency. Springer, Singapore