Data Erasure Management – Reasons Why IT Asset Managers Should Care

By Brandon Traffanstedt

Today’s IT asset managers have the superhuman ability to govern all of a firm’s technology, addressing the diverse functions in the software and hardware lifecycles. In addition to a keen sense of detail and analytic skills, Data Erasure Management (DEM) is part of the tool belt that modern IT asset managers use to avoid data breaches, stay compliant with industry regulations and be in control of the data erasure process.

Data erasure has become an increasingly critical function in the day-to-day business operations of the organization. The massive growth of data, changes in technology, data fragmentation, increasing regulatory oversight and data breaches are among the factors forcing the change. Traditionally, data erasure has been associated with end-of-life IT assets only. However, data reaches its own end point when it becomes redundant or obsolete, and it then needs to be erased even if the device is not retired. In other cases, the data is simply too sensitive to exist on the device and requires a strict data retention policy. In these cases and similar ones, meaningful processes are needed to effectively manage and eradicate data throughout its lifecycle.

The best-of-breed DEM includes a policy and practice for all devices and platforms. It uses advanced data erasure technologies that enable complete or selective data erasure and can be executed locally or remotely. A top-tier Data Erasure Management strategy will require that each erasure be measured and audited for compliance. Finally, a proper DEM secures sensitive data in the unfortunate event that something goes wrong.

Covering All Your IT Assets

The first step is to map where data exists and design a data erasure policy that covers all IT assets in your organization. Often, the assets include a combination of PCs, laptops, notebooks, servers and storage environments, LUNs, virtual drives, virtual machines, smartphones, tablets and flash media devices. Tracking these assets is as important for good ITAM practices as knowing where your keys are in cryptography. Only through tracking can you define the how, when, where, by whom and what about the data that needs to be erased. Many times, the low monetary value of some of these devices (like USB flash drives) can deter firms from enacting an appropriate security policy. Data retains value, no matter the medium.

Good Housekeeping Practices

End-of-life data erasure should take place as soon as data is no longer needed, and always before the device where the data is stored is reassigned, recycled or decommissioned. Data erasure can be executed regardless of the location or person doing the erasure – either in-house by staff or at an off-site location by a trusted ITAD partner. The important features of the process are that it ensures 100% security and automatically generates tamper-proof reports that can be saved in a centralized management database for a complete audit trail. After deciding that you desire a secure process, you must then consider who will own the process. Can your ITAD partner or service provider handle all your IT assets? Do they use certified data erasure tools for a wide range of devices, from PCs and office servers to mobile phones and tablets, or are they limited in scope? These considerations, plus concerns about shipping devices with sensitive data, are causing an increasing number of organizations to implement a double layer of security: data is erased first in-house before the assets are released, and a second time by the ITAD partner who collects the devices.

Remote and Selective Data Erasure

IT asset managers should also consider having a method to erase devices at remote offices. One cost-effective way to do this is to execute over-the-network erasure – either as a “pull” or “push” method. Briefly, the “pull” method requires assistance from someone at the remote location, while the “push” method can be executed over the network by the administrator to the target device(s). Organizations can accrue significant savings from avoiding travel and operating costs by leveraging existing personnel instead of using a service provider. In addition, the over-the-network approach to remote erasure keeps ownership of the erasure process in-house. Over-the-network methods can be applied to both end-of-life devices (where total data erasure is preferred) and selective data erasure. For example, file and folder level data erasure can be implemented and automated for regular data housekeeping if the devices are still being used by the same user. Erasure reports can be set to be automatically sent to the central asset management suite.

Measure and Audit Compliance

The best erasure is the one you can prove. Growing legislative requirements drive the need for unified data erasure management. National and international standards and regulations like ISO 27001, ISO 15408, HIPAA, FACTA, SOX, GLB, NERC-CIP, IRS Pub-1075, PCI-DSS, and many others require secure data removal. It is no longer acceptable to use primitive tools or methods for data eradication that cannot be uniformly measured and verified. Certified data erasure software that automatically generates detailed, digitally-signed reports for each erasure will provide you with the necessary proof of erasure. Using a data erasure vendor that can address erasure technologies for all your devices simplifies the process and will save you time and money.

Organizations are also increasingly looking for sustainable and environmentally friendly ways to use and dispose of electronic waste. For example, physical destruction of devices is unnecessary in many cases and it can be hazardous to the environment or human health. Certified, secure data erasure is often a better option, increasing the longevity of the device and without the risk of exposing employees to dangerous or harmful disposal practices.

Take Control of Your Data Erasure Process

A poll by Compliance Standards found that lost or stolen devices affected nearly 58 percent of U.S. enterprises with 10,000 or more employees. One example is the infamous case of an Atlanta-based soft drink manufacturer that lost sensitive data of 74,000 employees this year due to theft at the IT decommissioning phase. Since you must deal with the physical assets, why not close the loop between them and data management?

Keeping track of your IT assets from the day they arrive at your facility to end-of-life is crucial. Lost or stolen assets are incredibly obvious business security risks, but as we’ve seen in recent days, they also have the potential to cause exponential degradation of your organization’s brand, as well as your own personal credibility. This degradation can lead to declining business opportunities, losing your job, or even worse, getting fined or jailed.

Now that you’ve been persuaded into championing DEM and establishing a clear policy that includes a tracking method for the IT assets, you also need to have a policy that covers the lifecycle of data, from the first time data is acquired to the point where it becomes obsolete and needs to be erased. Effective DEM can do just this for you.

How does one find the correct tools to assist in the implementation and ownership of proper DEM? Here are a few questions to ask:

  1. Can the vendor address all of your data erasure needs? You want to get a provider that can address all your existing and possible future IT asset erasure needs. Even if you’re not currently overseeing all of the IT devices in your organization, your colleagues – and your organization – will benefit from having just one, centrally managed solution. Dealing with several vendors and different tools that don’t integrate with your existing systems or with each other will be at best a continuous, time-consuming agility task and, at worst, an asset manager’s nightmare manifesting itself in the form of a data breach or the lack of a uniform audit trail.
  2. Can you verify erasure? Automatically generated, detailed and tamper-proof erasure reports are your best evidence to prove data erasure. They are an essential part of compliance, regulatory and legal auditing requirements.
  3. Is there a centralized storage of erasure reports for audit trail? Does the tool seamlessly integrate with your existing asset management and enterprise resource planning systems? Having a centralized management console that can be used for erasure license management and for storing erasure reports is not only critical for a complete view of your organization’s IT asset / data decommissioning processes, but also for easy access to the erasure reports that allow you to create that detailed audit trail. You want to make sure that this tool seamlessly integrates with your existing asset management and enterprise resource planning systems for an improved process and enhanced reporting capabilities.
  4. Are the erasure products certified and verified by third parties? Recognized certifications and third-party approvals and endorsements give credibility to the vendor and its products. Putting products through rigorous testing not only verifies the products’ capabilities, but also implies the vendor’s commitment and responsibility to its end users.
  5. Does the vendor provide technical support and product updates? Timely access to technical support can save precious resources for your organization. IT asset managers don’t have the time or interest to chase down a vendor to try and get answers to their compelling issues. You want to look for a comprehensive, technical FAQ on the vendor’s website and ask if they have a local support organization that can help you when needed. Regular product updates should be provided simply because of the speed at which new technology is appearing in the market, as well as for an enhanced user experience and customer care.
  6. Does the vendor invest in research and development? Investing in R&D is a good indicator of a company’s future plans, bringing a level of commitment to the end user. Evolving technologies and growing regulatory requirements mean constant adjustments to your data security policies. You want to ensure that all of your devices are covered and that your vendor can provide you with the latest data erasure technologies that are tested and verified not only by the vendor, but also by relevant third parties.
  7. Is the vendor’s financial status stable? When working with any vendor, you try and assess the company’s financial health. Is the company strong enough and likely to still be in business in the coming months and years? This assessment can be a differentiator for the enterprise.

Implementing Data Erasure Management (DEM) policy and practices can save you a lot of time and money especially when you don’t have to chase down the proper way to deal with the problem at the end of IT asset lifecycle. With a little planning, the right tools, and a short implementation cycle, a quality DEM plan can create the added security that will ensure that your organization (and your likeness) doesn’t end up on the Prime Time news ticker for the wrong reasons.

About the Author

Brandon Traffanstedt is the National Product Manager for Blancco Technology Group.