Disposal of Obsolete Data

December 12, 2006

Background

Confidential customer and business data is pervasive throughout your organization. This data often exists in places that are not obvious. If your organization is like many that lack formal IT asset disposal policies, chances are there may be old computer hardware out there with your company's name on it -- as well as its financial reports, customer lists, payroll data and every other secret imaginable. This potential violation of privacy presents a risk to your business when computer equipment is upgraded and disposed of, or when the trash is taken out to the dumpster.

Risk

Confidential data is stored in a number of places within most businesses. These include the obvious computer file server disk drives, but also include individual drives on computer workstations. Copies of files, spreadsheets, and reports are often saved by users to their local “C” drives, or worse yet, to removable media such as diskettes or USB drives.
Often, confidential data is transmitted within an organization as an email attachment. This confidential attachment is now saved on the organization's email server, and most likely saved on the local drive of everyone that received the email.
Data can be stored in places that are not often obvious. These include printers, copiers, and fax machines, including “all-in-one” devices. Many of these peripheral devices contain disk drives, as data buffers, that are used to store information for processing later. That is why you can send a 300 page report to the printer in seconds, but it takes 20 minutes to print. This data is written to the drive and then printed later at the speed that the printer can accommodate.
In addition to electronic copies of confidential data that have proliferated throughout your organization, there is also the issue of handling paper. Printers, copiers and fax machines generate multiple copies of paper data from a single data source. Confidential paper records usually have a defined useful life. Yesterday’s financial report is not of much value next week and is thrown away. Depending upon your archived records retention standards, reports from 7 years ago may be able to be disposed of today. Paper records containing confidential information must be shredded and certified as destroyed. Many organizations use contracted services for this process, as they will certify the destruction and also recycle the paper.
Confidential data in the wrong hands can be used to commit identity theft, fraud, blackmail, and corporate espionage. It can also trigger lawsuits and fines for breaking state and federal laws aimed at protecting consumer and employee data, including the Fair Credit Transaction Act, Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).
It was HIPAA that spurred Kaiser Permanente (KP), an Oakland, California-based health insurance provider, to institute formal procedures for handling the tens of thousands of IT assets that it disposes of each year. KP uses a contract IT disposal and resale vendor to collect and sanitize old equipment. At the end of the process, the vendor gives KP a list of the equipment with serial numbers and proof of data erasure.

Data Destruction

When doing a computer upgrade, some may be tempted to toss old hard drives in the trash, sell them for scrap, or sell them on eBay.
A study conducted by Massachusetts Institute of Technology students on 158 disk drives bought from auction sites, PC retailers, and salvage companies found that 74% contained recoverable data, including company financials, credit card numbers, medical records and sensitive emails.
One problem is that employees are often not properly trained in data destruction techniques. In one example of this, data from a Chicago Bank’s ATM machine made it out into the world. A single reformat of a hard drive is not sufficient to make the data on that drive unrecoverable.
Data must be “wiped” from the drive using a defined process of three to seven rewrites, or the drive itself must be physically destroyed. Degaussing, using a magnetic field, destroys the data but may also fry the electronic components of the drive, and is not suitable if you do plan to resell these drives.
If you use a contract vendor for this process, check who is actually doing the work. There have been some vendors that have partnered with prison systems to dismantle computer systems. This, of course, would allow a convicted felon to have access to your data.

Wiping Data

Performing a wipe is a time-consuming process, made worse by the fact that modern hard drives are slow relative to their capacity. Most wipe tools quickly reach the disk’s physical limits because of limits in the central processing unit, memory, and other computer drive components.
The more re-writes that are performed the more time it takes and the higher the cost. The average cost of wiping the hard drive on a PC is between $17 and $22 per PC.
If you need to guarantee that your data is wiped, then a wipe done to the U.S. Department of Defense’s DoD 5220.22-M (8-306./E) standard will overwrite all addressable hard drive locations with a character, its complement and a random character, followed by verification. This process is completed three times and prevents data from being recovered by any commercially available processes. The military standard uses the same procedure but implements seven cycles of this process.
In 2004 the U.S. National Security Agency (NSA Advisory LAA-006-2004) found that a single overwrite using the DoD 5220.22-M compliant software is sufficient to render electronic files unrecoverable for routine business purposes.
Software disk-wiping cannot sanitize any drive that is physically disconnected from a computer, or any hard drive that has physically failed. You should consider destroying these drives by degaussing, melting, incineration, crushing, or shredding.
This should be a common business practice anytime that you dispose of equipment with a hard drive that may contain data.
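
The character, complement and random overwrite with verification described above, as an added Python sketch that is not part of the original newsletter and is not a certified wiping tool. It runs against a constructed disk-image file standing in for a drive; the 0x55 fill character, the SHA-256 read-back check and the function names are assumptions made for illustration.

```python
import hashlib
import os

CHUNK = 1 << 20  # write and read back in 1 MiB pieces


def _pass(f, size, make_chunk):
    """Write one full pass over the target, then read it back and compare."""
    written, read_back = hashlib.sha256(), hashlib.sha256()
    f.seek(0)
    for off in range(0, size, CHUNK):
        block = make_chunk(min(CHUNK, size - off))
        f.write(block)
        written.update(block)
    f.flush()
    os.fsync(f.fileno())  # push the pass out of Python and OS write buffers
    # Caveat: this read can be served from the OS page cache; a production
    # tool re-reads from the medium itself (direct I/O) before trusting it.
    f.seek(0)
    for off in range(0, size, CHUNK):
        read_back.update(f.read(min(CHUNK, size - off)))
    return written.digest() == read_back.digest()


def wipe(path, cycles=3, char=0x55):
    """Overwrite every byte of `path`; return the number of verified passes."""
    patterns = (
        lambda n: bytes([char]) * n,         # a character (0x55 is assumed)
        lambda n: bytes([char ^ 0xFF]) * n,  # its complement
        os.urandom,                          # random data for the third pass
    )
    done = 0
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # also works where getsize() reports 0
        for _ in range(cycles):
            for make_chunk in patterns:
                if not _pass(f, size, make_chunk):
                    raise OSError(f"verification failed on pass {done + 1}")
                done += 1
    return done


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a 3 MiB "disk image" holding one fake record.
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"payroll: J. Doe 000-00-0000".ljust(3 * CHUNK, b"\0"))
    print(wipe(img.name), "passes verified")
    os.remove(img.name)
```

Passing `cycles=7` gives the seven-cycle variant mentioned above. Overwriting a single file inside a mounted filesystem does not reach other copies of the data elsewhere on the drive, which is why wiping addresses every location on the whole drive.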

How Assurity River Group Can Help

Assurity River Group can work with you to develop policies, standards and procedures to protect your confidential data.
Assurity River Group can perform a comprehensive organizational Information Security Risk Assessment.
Policy creation.  Assurity River Group helps organizations draft effective information security policies and standards to ensure ongoing security with all electronic communication, for both HIPAA and GLBA compliance.
Solutions.  Assurity River Group can provide and implement:

  1. Information Security Policies specific to your organization
  2. Internet Banking policy and standards
  3. Secure Remote access and Telecommuting standards and solutions.
  4. We have experience in implementing systems to enable employees to securely transmit encrypted documents.
  5. Assurity River Group can also provide a number of remotely managed services to protect your computer systems from pervasive threats on the Internet.

Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.