Most of the serious and well-known data breaches that have been in the news are the result of various forms of hacking. As a result, most of us are familiar with terms such as Phishing, Malware, Man-in-the-Middle, Bait & Switch and the rest.
The other form of data breach is the result of the physical theft of devices that contain data, or of devices that provide data access via networks or cloud-based applications.
A large part of the physical control of various data bearing assets (which include any device that can store and retrieve information) can be examined by answering two questions – “Where are my data bearing assets?” and “What is happening to them at each stage of their movement?” This is especially important as these devices leave your direct control as they are refurbished or recycled.
The secondary questions that spin out from the first two can form the basis of a new data security plan or a thorough examination of an existing plan. To identify possible points of vulnerability in a data security plan, examine how data bearing assets are used and how they move. First, how they move in normal use, e.g. through employee travel, movement among facilities, use by telecommuters, access to public wi-fi networks, etc. Second, how these devices move through their own lifecycle, from implementation through hardware/software updates, repair, replacement, refurbishing and finally end-of-life disposal/recycling.
Once you understand where materials are and have an idea as to where they are going, you can then address the next set of issues that relate to their status and processing. Such topics include:
- Condition assessment
- Deciding to reuse or recycle
- Disassembly of whole devices
- Data sanitization/destruction
- Testing/verification of sanitized devices
- Secure shipping/receiving
- Quality control
- Regulatory compliance
Let’s briefly consider each topic…
A robust data security program will have a method for tracking whole devices as well as the data bearing devices (such as hard drives or solid state drives) that they contain. Remember that, once removed, a hard drive is a stand-alone asset that needs to be tracked. This tracking should continue through end of life, including any downstream processing/refurbishing/recycling.
It is important to continually assess the condition of data bearing assets throughout your enterprise. The most common criteria for this assessment are age, physical condition and storage capacity. The results of these assessments will determine whether a data bearing device can be refurbished and redeployed. If not, the device should be sent for end of life processing, which should include some form of data sanitization or physical destruction.
Depending on the size of your operation and the age of your IT assets, you might be deciding whether to keep certain devices and reuse them within your company or dispose of some or all of them through ITAD (IT asset disposition) channels. An example might be an employee with a company-owned laptop and cell phone who leaves after only a few months. Should these devices be data sanitized and reset for a new employee? If so, should this operation be performed internally or outsourced? The answers depend on the skills of your internal IT staff and your reliable, vetted connections to outsourced providers of refurbishing services.
As whole devices are disassembled, either by your internal staff or an outsourced provider, it’s important to know the location of all data bearing devices as subcomponents of printers, cell phones, fax machines, laptops, etc. If the disassembly is to be performed internally, be sure to track not only the data bearing components, but also other subcomponents such as batteries that could pose an environmental or health risk. If this function is outsourced, work with a certified recycler to ensure safe and secure handling of your devices.
Data sanitization/destruction is the process of removing information from data bearing assets in varying degrees, from clearing memory using menu commands through the complete physical destruction of a device so that no information can be retrieved, even using state of the art laboratory methods. NIST SP 800-88 Revision 1, Guidelines for Media Sanitization, is a good resource for detailed information.
Once data bearing assets have been refurbished or recycled, it’s important to validate that the process was effective. The NIST 800-88 Guidelines suggest a 20% sampling of devices that have been processed. If using an outsourced vendor, an audit of their verification process is highly recommended. Those audits should focus on the testing/verification equipment used, the competencies of personnel, and access to all testing logs and other documentation.
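As an added illustration (not from the original article) of the two points above, tracking a removed drive as a stand-alone asset tied back to the device it came from, and drawing a 20% verification sample from the sanitized population, this Python sketch uses a constructed in-memory ledger, hypothetical asset ids and a deliberately simplified set of lifecycle states:

```python
import math
import random
from dataclasses import dataclass, field
from typing import Optional

# Sanitization categories named in NIST SP 800-88 Rev. 1.
NIST_METHODS = ("clear", "purge", "destroy")
# Simplified lifecycle (an assumption for this example); any other move
# is rejected so a skipped stage shows up as a process error, not a gap.
TRANSITIONS = {
    "in_service": {"assessed"},
    "assessed": {"redeploy", "disassembly"},
    "removed": {"sanitized"},
    "sanitized": {"verified", "shipped"},
    "verified": {"shipped"},
    "shipped": {"received"},
}

@dataclass
class Asset:
    asset_id: str
    kind: str                          # "laptop", "hdd", "ssd", ...
    parent_id: Optional[str] = None    # whole device a drive was pulled from
    state: str = "in_service"
    log: list = field(default_factory=list)  # chain of custody: (from, to, actor, note)

    def move(self, new_state, actor, note=""):
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"{self.asset_id}: {self.state} -> {new_state} not allowed")
        self.log.append((self.state, new_state, actor, note))
        self.state = new_state

def remove_drive(ledger, device_id, drive_id, kind, actor):
    """Pull a drive out of a device in disassembly; it becomes its own tracked asset."""
    device = ledger[device_id]
    if device.state != "disassembly":
        raise ValueError(f"{device_id} is not in disassembly")
    drive = Asset(drive_id, kind, parent_id=device_id, state="removed")
    drive.log.append(("in_device", "removed", actor, f"from {device_id}"))
    ledger[drive_id] = drive
    return drive

def sanitize(ledger, asset_id, method, actor):
    """Record sanitization; the method must be one of the NIST 800-88 categories."""
    if method not in NIST_METHODS:
        raise ValueError(f"unknown sanitization method {method!r}")
    ledger[asset_id].move("sanitized", actor, note=method)

def verification_sample(ledger, rate=0.20, seed=0):
    """Select ceil(rate * N) sanitized assets for independent verification testing."""
    pool = sorted(a.asset_id for a in ledger.values() if a.state == "sanitized")
    return random.Random(seed).sample(pool, math.ceil(rate * len(pool)))
```

The rejected transition and the unknown method both raise, which is the behaviour you want from a ledger: a drive that reaches shipping without a sanitization entry is visible as an error, not silently absent.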
Secure shipping/receiving is an easy-to-overlook point of vulnerability in a data security program. Closed, locked containers and signed shipping documentation are the absolute minimum for secure transport. Depending on the level of sensitivity of the data being transported, consider the use of container seals, electronic trackers or locked containers with limited access to keys or lock combinations.
As a continual check on your data security process, consider a quality-control-based examination of all subprocesses and outsourced services. Ideally, this check should be performed by an external resource familiar with your internal material flow as well as current data security standards such as ISO 27000, R2:2013 or R2v3, or NAID.
There are established regulations for data security issues, including FERPA, HIPAA, FISMA, GDPR and many others. Depending on your field and the operational or geographic areas of your customers, one or more of these sets of regulations might apply. Fortunately, a lot of general background information on compliance is available on the introductory pages of consulting and governmental web sites, and is a simple Google search away.
There are many approaches to the creation and evaluation of a data security plan. Tracking the physical flow of data bearing assets while simultaneously tracking their lifecycle stages can expose security vulnerabilities and suggest solutions to address those conditions. As is the case with any risk analysis, the greater the number of situations and contingencies you consider, the fewer the unforeseen situations in the future. After examination of your resources and needs, you might consider becoming certified to one of the standards in the ISO 27000 family for an internal Information Security Management System (ISMS). For end-of-life data sanitization or data destruction, use of a recycler certified to the R2 or NAID standard is highly recommended.