by Chris Rodinis
December 1st, 2012
blog.ewastewiz.com
www.powersourceonline.com
www.c-i-a.com
The more money you have the more responsibility you have. The more property you have the more responsibility you have. The more computers that there are the more need for data security. Acording to the Computer Industry Almanac www.c-i-a.com , the U.S has 311 million computers in use. ID Theft Center (dot) org reports, well, brace yourself:
2012 Total Breaches Identified by the ITRC as of 5/1/2012 is 153. Total number of records exposed is 5,931,947. If this is not a serious problem then nothing is. The need to protect and defend and destroy data has never been greater.
An oft cited Gartner report showed that managing data security when disposing of hardware remains a top concern of IT managers. Interestingly enough a full 33% have zero procedures for the security of end of life computers.
Having no plan for secure data disposal and retiring old equipment is a plan to fail. So where does one start with a plan?
- Define the scope, the objectives, and the risks of retiring your hardware
- Understand the choices in balancing risk versus security
- Develop criteria and standards for your decision making process
Remember that the main concern is keeping secure confidential data out of the criminal hands. Along with that is the legal responsibilities of securing data, which if ignored, may have extremely bad monetary consequences or even jail time. Here are the main regulations covering data security. Fines can reach $250k and more not to mention up to five years in prison.
Rules of the Destruction Road
HIPAA – Health Insurance Portability and Accountability
This legislation is in place for protecting the privacy of personal medical records by guarding the confidentiality of personal medical information and by making sure this personal data remains safe.
GLBA – Gramm-Leach-Bliley Act
This legislation regulates the methods financial companies use in caring for their customers personal and sensitive information.
SOX – The Sarbanes-Oxley Act
This legislation regulates the way companies process their investors finance records.
FACTA – Fair and Accurate Credit Transactions Act
This legislation is for protecting individual consumers from fraud and theft of identity.
CERCLA – Comprehensive Environmental Response, Compensation, and Liability Act
This federal legislation is for the proper governance of clean up and processing sites containing hazardous waste
RCRA – Resource Conservation and Recovery Act
This legislation is for the protection human and environmental health from hazardous and toxic waste. Furthermore it is a proponent for the conservation of energy and natural resources. In general, it focuses on reduction of waste going into landfills. Its main focus is best practices management for the environment.
Securities and Exchange Commission – SEC Rule 17a
These are SEC commission requirements for the business world of securities, stocks and bonds. These regulations concern the data security related to financial documents, customer records, associated personnel records, and certain other matter.
California Senate Bill 50 (highlights)
A person who exports covered electronic waste, or a covered electronic device
intended for recycling or disposal, to a foreign country, or to another state for ultimate
export to a foreign country, shall do all of the following at least 60 days prior to export:
(a) Notify the department of the destination, disposition, contents, and volume.
(b) Demonstrate that the waste or device is being exported for the purposes of
recycling or disposal.
(c) Demonstrate that the importation of the waste or device is not prohibited by
(d) Demonstrate that the exportation of the waste or device is conducted in
accordance with applicable United States or applicable international law.
(e) (1) Demonstrate that the waste or device will be managed within the country
NORPDA, (Notification of Risk to Personal Data Act), mandates
businesses and government to inform customers of security breaches that could cause confidential data to be compromised
Data Destruction Details
Surely destroying data should be easy. Well, it is if all you want or need to do is shred a hard drive into little bits and pieces. However, often times, the goal is to destroy the data but not the drive itself. Computers get replaced on average every three to five years. After this amount of time the newer generation will have more processing speed and greater storage capacity.
However, older computers still have value even though they are not the latest generation. Frequently, schools and institutions can reuse old computers. The subject of reuse will be discussed in a future article.
The goal is to strike a balance between data destruction and maximizing the value of the hard drive. Just as clients are different, computers can be categorized into three categories:
home system, business system, and mission critical system. Each category has different needs and is a different balancing act.
Data disposal uses primarily four different techniques: deletion, user disk wipe, three pass pro wipe, 7 or more pass wipe.
Deletion only removes markers that enable overwriting. Without markers present one cannot overwrite the drive, however the data is still present on the drive. By implementing a basic utility, one can recover deleted files. Deletion has its purpose but data destruction is not one of them.
User Disk Wipe: Could be for an individual at home as long as the software is compatible. If parts of the drive are unwritable then those parts can not be wiped clean. Depending on the individual skills and the ability to verify complete data removal, this method may not be appropriate.
Three Pass Disk Wipe: This solution is specified in DoD 5220.22M conformance requirements. What happens first is 0’s are overwritten, then 1’s, then 1’s and 0’s. This is the dominant practice for professional data destruction companies because this method matches the needs of most clients.
7 or more passes: This one is similar to the three pass and is usually specified by governments, finance companies and medical facilities.
Manual verification: This happens frequently with the three pass. Various methods are used to double check and ensure all data is completely gone. The visual inspection is most important in verifying complete erasure.
Degaussing: A giant magnet inside a box. Do not use at home unless you want to disable all your electronics permanently! The degaussing absolutely removes all data, however the hard drive is rendered completely useless.
Shredding: A giant metal blender that chops the drive to little tiny pieces. Usually the drive is overwritten first.
Depending on the risk associated with the data and opportunity to maximize value is how one decides which method to use. For example, low risk data can use a less intense data removal method. Data at high risk, then use the strongest method possible for obvious reasons.
21 Do’s and Don’ts
- Deletion and formatting only hides data; it is still there.
- The proper utility per system is an important necessity.
- Watch out for bad sectors because the data is stuck there and might be missed by even the best wiping tools.
- The pro’s verify everything and document it for audit reasons.
- You are responsible for the data until a professional takes possession. So if you do it yourself you may continue to be at risk. With a professional you are indemnified.
- Avoid doing it yourself because no off the shelf product for data erasure is perfect.
- To the boot campers; never assume! Especially when it comes to data erasure, use an experienced professional to truly know the data is permanently destroyed and not hidden.
- Rather you removing data and donating, let a professional company do it so you know that it is done right.
- OEM trade in programs are very helpful and they will handle everything by book with best practices and ISO or R2 standards.
- Serialized reports are critical for audits
- Make sure there is adequate physical security around stored or transported equipment
- Make sure there is chain of custody accountability that is verifiable.
- Make sure you are using a company that has all tools available
- The DoD standard should always be used and perhaps exceeded.
- There must be manual or inspection and verification
- Certificates of destruction are a part of indemnification.
- Shredding and degaussing should be available whenever necessary.
- Your destruction company should be flexible and be able to handle all technologies such as disk tapes, optical drives, SCSI, and handhelds
- Look for an ISO 9000 company
- Look for a company that provides necessary details
- Make sure you are indemnified with documentation.
For secure data destruction you are welcome to contcact:
www.EwasteWiz.com