According to the Department of Justice, the term “breach” as it relates to data “is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to information, whether physical or electronic.” While the Justice Department outlines very specific conditions they consider to be a breach of data, anyone who is responsible for asset management should take special note of one particular condition: “loss of control.”
The Business Dictionary defines “loss control” as the “multidisciplinary approach in which human, engineering, and risk management practices are employed to reduce the frequency or severity of losses.” In respect, this definition also defines a key responsibility for asset management and information security: to “reduce the frequency or severity of losses.”
An effective IT asset management system can help reduce the frequency of loss by tracking assets from the moment of procurement through deployment and utilization to decommissioning and/or disposal. While an effective system is important for a company to understand the state an asset is in, the protection of the physical asset itself remains the responsibility of the employee to whom the asset is assigned, especially as it relates to mobile devices such as smartphones, laptops and tablets. Since 2005, the Privacy Rights Clearinghouse has reported there have been 1,318 known data breaches affecting over 184 million records attributed to lost or stolen IT assets. Mobile devices, essential for organizations to make sure that their employees have access to information on the go, are the primary reason for the recent increase in data breaches attributed to lost or stolen assets. When a data-bearing asset is lost or stolen, the immediate impact on a company includes:
- The cost of replacing the lost or stolen asset
- The potential unauthorized access to the information stored within the asset resulting in a data breach
- Depending on a company’s data backup practices or lack thereof, the potential for permanent loss of data stored within the asset
Reporting an actual or potential data breach could result in significant financial and reputational impact to a company.
As the use of mobile devices increases, companies must respond with proactive measures to help reduce the frequency of loss. Measures should include:
- Establishing consistent policies and procedures
- Educating users about managing and protecting their assets
- Maintaining accurate tracking of the asset by user and position responsibilities
- Protecting the data, including performing online backup and recovery, encryption, and a remote destruction and/or wiping of data capability
- Reducing the amount of information stored by implementing a strict need-to-know policy
Unless a company maintains a strict need-to-know policy, understanding the severity of a lost or stolen asset can be difficult to determine. Need-to-know is one of the most fundamental security principles that limit employee access to information to only what is necessary for them to complete their jobs. This principle also applies to information stored on an employee’s assigned IT assets. A company must first determine if data residing on each IT asset is necessary for the employee to complete their job. If not, the data should be removed. Need-to-know principles limit the amount of information stored on assets, which reduces the impact of a data breach as the result of a lost or stolen asset. Also, stored data that is limited to only what is necessary for employees to complete their work provides a better understanding of the data that may be compromised if an asset is lost or stolen, thus allowing the implementation of more specific damage control measures to address the potential data breach.
The Disposal Process Hole
While IT asset management programs place much emphasis on managing IT assets during the procurement, deployment and utilization phases of asset management, the process associated with the decommissioning and/or disposal of end-of-life assets has long been overlooked. A 2013 Osterman study revealed 16% of the companies surveyed suffered a data breach due to improper disposal.
With the increasing data security and environmental regulations, many companies choose to work with established information technology asset disposition (ITAD) providers to handle the process from end to end. Failure to meet regulatory requirements can result in costly fines and risks to the company’s reputation. For this very reason, ITAD service providers have become an important link in the overall lifecycle management of IT assets. A reputable and ethical ITAD provider will extend your IT asset management program by ensuring a secure and documented chain of custody for decommissioned assets through final disposition.
A secure and documented chain of custody is an absolute necessity to eliminate “loss of control” of assets in transit and throughout the disposition process. When your ITAD provider takes receipt of your assets, it is imperative that a verification of receipt of each asset at the customer site is confirmed. This confirmation transfers the custody of the assets from the owner to the ITAD service provider. Secure transportation to the ITAD processing facility includes the proper preparation of assets for safe transport and locked and sealed vehicles tracked by a global positioning system (GPS).
Once the assets arrive at the ITAD processing facility, an additional verification must take place to ensure the seal on the vehicle is intact and that there is no evidence of tampering having taken place during transit. The assets are then off-loaded into a secure, access-controlled warehouse with robust security systems to deter, detect and delay an intruder’s attempt to gain access. To ensure that the assets shipped correlate with what is received, they are reconciled and individually entered into an ITAD asset management system and tracked through the decommissioning process, including data sanitization.
Reducing the frequency and severity of losses can be accomplished through the implementation of a strict need-to-know policy and an asset management program that addresses and tracks individual corporate assets throughout the lifecycle, including decommissioning and disposition.