
Data destruction made simple and cheap


Joel Dubin, CISSP, Contributor
11.08.2007

Just because you've tossed your old laptops into the dumpster doesn't mean the data they contain is necessarily headed for the landfill, too.

Any computer device with fixed storage, such as a hard drive, may include sensitive corporate information. Data on equipment scheduled for disposal should be either destroyed or made unreadable. Otherwise, anyone who handles that equipment -- whether it's a desktop, laptop, or personal digital assistant (PDA) -- could open an unwanted back door into your business via its data and secrets.

A data breach can be nasty to your business. Lost customer data, for instance, could lead to bad PR and numerous lawsuits. As with larger companies, data destruction is required for compliance with government regulations such as the Sarbanes-Oxley and Health Insurance Portability and Accountability acts. Incomplete data destruction can come back to haunt small and medium-sized businesses (SMBs) later, when auditors and regulators come a-knocking.

For large companies that can afford military-grade data-wiping equipment, data destruction isn't an issue. For SMBs with thin resources and tight budgets, data destruction isn't quite so easy.

Setting procedures for data destruction

There are different ways SMBs can destroy data at reasonable cost and with existing IT staff. Data destruction for SMBs boils down to two steps:

  1. Create procedures for identifying and separating assets for disposal.
  2. Employ tools or services for actually destroying the data.

The first step is creating a disposal procedure. Make sure your IT staff keeps a complete inventory of all IT assets and equipment at your SMB. This list should include not only desktops and workstations, but all mobile equipment as well, such as laptops and PDAs.

This may sound like a tall order for an SMB. But even in a small company, the purchasing, distribution, maintenance and disposal of all IT equipment should go through a single point of contact or group, such as the IT department.

When equipment is ready to be decommissioned, it should be returned to the IT contact or department that issued it. It should then be tagged for disposal and locked in a separate location until it's actually ready to be physically thrown out.

Ideally, all equipment should be wiped of data prior to disposal and then catalogued in an inventory as clean and safe for removal from the premises. But that's not always possible, particularly if the data is destroyed offsite by the disposal company that also hauls away the equipment.

Carrying out data destruction procedures

After equipment is tagged for disposal, the next step is to use tools or a service to actually destroy the data stored within it, such as on hard drives. Since data destruction tools can be expensive for an SMB, the best alternative is to outsource data destruction. That usually means contracting with a vendor that can handle the physical disposal of the device as well. Make sure the vendor is certified by the National Association for Information Destruction Inc., an industry watchdog group.

Next, make sure the vendor allows audits to ensure that data has been properly destroyed. A vendor should be able to track pieces of equipment or media and provide a certificate identifying everything that has been destroyed.

Audits should also include periodic site visits to check on the vendor's physical security. And you should get answers to the following questions:

  • Is the area where equipment is stored prior to media destruction locked and secure?
  • What procedures are used to destroy the data?
  • Can the procedures be verified?
  • Does the vendor inventory and track what it picks up, or what it was sent, to identify what was destroyed?

Data destruction vendors for SMBs

Data destruction vendors geared toward SMBs include Recycle Your Media, Computer Recycling USA, Asset Disposition Group Inc. and DMD Systems Recovery Inc. These companies all either dispose of or recycle electronic equipment and provide data destruction. They all pick up equipment or media at your location and, for magnetic media, offer degaussing, which demagnetizes the media and returns it to its original unrecorded state.

DMD's destruction methods, in fact, meet Department of Defense 5220.22-M specifications for military-grade destruction of sensitive data. This standard is part of the Department of Defense's National Industrial Security Program Operating Manual (NISPOM) and is considered the strongest standard for wiping hard drives and devices.

For small-scale data destruction on individual devices, including PDAs and BlackBerrys, there are a number of tools that also meet the NISPOM standard. Active@ KillDisk from LSoft Technologies Inc. and NecroFile from The Nth System are just two options.

Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.

