By: Clive Longbottom, Head of Research, Quocirca
Published: 16th September 2013
Copyright Quocirca © 2013
Long gone are the days where an old piece of IT equipment could just be put in the skip round the back of the building and left to the bin men to pick up. Now, should any personal identifiable data (PID) be found on such a device, your company could be facing significant fines, considerable brand damage and your directors could be on their way to jail.
Nearly any piece of IT equipment will have some data stored on it—even network switches could have a username/password stored in flash memory, and if your sysadmins use the same pair across different equipment, a clever blackhat could use this to gain access to your main systems.
There are many companies, large and small, which will offer to dispose of old equipment for you, often touting that they operate against the waste electrical and electronic equipment (WEEE) rules. However, data security is far more important than WEEE—and needs far more to be done than most people think about. Let’s just focus on data held on devices that contain a disk drive of some sort.
An organisation must have a good understanding of how it wants its data dealing with—this requires the business to create an easily understood data classification. Low level stuff may be capable of being overwritten or otherwise erased (for example, via degaussing the drive or overwriting it to the British HMG Infosec Enhanced Standard 5). Although this will generally make any data irretrievable to those without very deep pockets, no-one should assume that an intact drive is not capable of having previous data recovered from it. Where any doubts remain as to the value of the data, full disk destruction may be required. For larger amounts of equipment, the data security company may be able to provide a mobile disk destroyer, so that the customer can see each drive being destroyed. However, in many cases, the equipment will need to be sent to the data security company’s facilities to be dealt with—which introduces new problems.
The first thing to look at is how will a third party transport your equipment to its premises? If it just turns up in a standard van and takes the stuff, how do you know what really happens from there on? No—you need to make sure that the company is coming to pick up an agreed set of items. When they turn up, there must be a full handover including signatures and time stamps as to what both parties agree was picked up. The equipment should be placed in a secure environment within the vehicle that the driver has no access to—and should be strong enough to withstand most crashes or other problems that could occur on the way.
The vehicle should be fitted with GPS transmitters, and the company should be able to track exactly where the driver has been, any stops made along the way and any variations against agreed path.
Once the van gets to the facility, the customer should be able to be present (if they so choose) when the equipment is taken from the van. The equipment must be compared against the agreed inventory, and should also be under video surveillance from the point of unloading onwards.
If the equipment cannot be dealt with straight away, it will need to be stored securely in the interim. The building that it is stored and dealt with should be secure in itself, through perimeter security using good locks and security monitoring via CCTV and guards, as well as anti-ram raid techniques such as bollards around the outside of the building (or large planted troughs to look nicer) as well as internal monitoring of all activity.
Those working on the equipment in any capacity should be CRB checked—but should still not be trusted. Everything that is done should be covered via constant CCTV, so that a full audit trail of where your equipment was and what actions were carried out on it by who can be shown to you at any time.
Where any disk drive (or other component) is removed from the main equipment, this should be shown via provable records by filming serial numbers or other identifiable asset tags so that everything can be matched up along the whole trail.
The actions being taken against the hard drives—whether these are secure reformatting or disk destruction—must again be provable. The serial numbers or asset tags should be filmed before each action and time stamped.
Once the actions are completed, the end result needs to be logged against the original inventory so that you, the customer, has full proof of what has been carried out.
There are not many companies in the UK that are capable of doing all this—yet there will be many who will come to you promising that they are fully secure in the way they deal with the disposal of data-rich items. Just look at the press and see the number of disk drives turning up on eBay, physical auctions and at car boot sales and ask yourself if you can really trust the person you are talking to. Turn up unannounced at their facility and see for yourself what they do. Check their credentials—ISO 27001, ISO 14001 and ISO 9001 should be baselines. WEEE storage and processing licences must be available showing the facility to be an Authorised Treatment Facility (ATF). CCSG and CCTM accreditation is useful where the degree of data erasure needs to be guaranteed. Other standards and accreditations may be useful depending on your needs.
A couple of companies that Quocirca is aware of in the UK that can manage hardware disposal in this way are Bell Microsystems and Ecosystems. Both companies offer additional services over and beyond data security—but for organisations looking to make sure they dispose of hardware in-line with current regulation such services should not be overlooked.
Posted: 16th September 2013 | By Malcolm Charnock :
Nice to see such a detailed and planned IT asset deposition process. I would suggest requesting your preferred ITAD holds the DIPCOG recognised ADISA (www.adisa.org.uk) accreditation. There are two extremely good reasons for this. One is to ensure the ITAD has a secure and robust business model, too many ITADs in the UK offer free recycling and as the ICO recently stated while handing out a Â£200k monetary penalty, "we should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free".
The second reason for mentioning ADISA is that every accredited ITAD is subject to spot audits as well as annual audits. The spot audit ensures that best and secure practises are in place every day and not just when auditors are expected. In the present economic climate we know of many companies who cut costs by using free erasing software and other means to keep their head above water.
The messages above were all contributed by IT-Director.com readers. Whilst we take care to remove any posts deemed inappropriate, we can take no responsibility for these comments. If you would like a comment removed please contact our editorial team.
We automatically stop accepting comments 180 days after a post is published. If you would like to know more about this subject, please contact us and we'll try to help.
Published by: electronicdawn Ltd.