Whether you are relocating, refreshing your IT estate or heading to the cloud – you will undoubtedly generate redundant IT hardware and as a result will need to ensure any residing data on that equipment is adequately erased.
When choosing to trust a new partner to manage your IT assets and confidential data, you can often face a dilemma. How do you know you’re making the right choice? What criteria, industry guidance or performance measures do you work from, to ensure your decision is solid?
Disposing of devices properly
You should ensure when choosing an ITAD (IT Asset Disposal) partner that they provide you with comprehensive audit trails, to ensure you know where your hardware is at all times and its final destination, i.e., whether equipment is resold, reused or recycled. Regardless of the route your hardware takes, you must consider your options for ensuring that data stored on the hardware has been securely erased.
There are four methods that can be considered and in some cases, a combination of these methods may be necessary to achieve the result you require. This is dependent on your own internal policies as well as the type of media you have to dispose of.
Options for secure data removal include:
Data wiping/overwriting – This is the most popular method of data erasure, as it allows for the resale/reuse of devices whilst ensuring the data has been safely removed. There are many software data erasure solutions on the market that allow for complete data removal and a report to prove that it has been erased properly. You should look to ensure that any process for wiping or overwriting data is completed in line with NCSC (previously CESG) standards. You should also ensure you ask your provider what will happen to any drives that cannot be wiped using software – will these be physically destroyed? What about solid state or hybrid drives – how does your chosen provider handle these technologies?
Degaussing – using a device that produces a strong electromagnetic field to destroy all magnetically recorded data, leaving the magnetic domains on hard drives and floppy discs in random patterns with no preferred orientation, thereby rendering the previous data unrecoverable. When choosing a degausser you should also ensure that it has been approved by NCSC, as this ensures it has been independently tested and verified.
Shredding – The mechanical process of crushing, chopping and shredding devices into smaller pieces is a standard process. The size of the shredded material is usually 25mm down to 6mm. This fragmented material is then sent on to refining partners who continue the refining process. What record of items shredded will you receive? What destruction certificates are included for your own internal auditing records?
Granulation – This is the action of extracting and destroying data from an information system in the form of drives and other such media by cutting (or shredding) it down to granules 6mm or smaller.
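The "report to prove that it has been erased properly" mentioned under data wiping rests on a read-back verification pass: after the overwrite, every sector is read again and compared against the pattern that was written. The following is an added example written for this edited version of the article, not code from EOL IT Services, Kroll Ontrack or any NCSC-approved erasure product. It uses an ordinary file as a stand-in for a block device, a single-pass zero pattern and a report layout of its own; all three are assumptions made for the demonstration. It also shows the limit of the technique that motivates the article's questions about drives that cannot be wiped in software: a plain overwrite only reaches the logical sectors the operating system can address, so reallocated sectors on a failing disk and the over-provisioned area of a solid state drive are not covered, which is why such media go to physical destruction instead.

```python
"""Overwrite-and-verify demo on a disk image (stand-in for a block device).

Added example, not a product or an NCSC-approved tool. The file-backed image,
the single-pass zero pattern and the report format are assumptions for the
demonstration. A real erasure of a physical drive also has to account for
reallocated sectors, host-protected areas and SSD over-provisioning, none of
which a plain overwrite of the addressable sectors can reach.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512          # assumed logical sector size
PATTERN = b"\x00"     # assumed single-pass overwrite pattern


def _pattern_block(pattern: bytes, sector: int) -> bytes:
    """Expand the repeating pattern to exactly one sector."""
    return (pattern * (sector // len(pattern) + 1))[:sector]


def overwrite_media(path: str, pattern: bytes = PATTERN, sector: int = SECTOR) -> int:
    """Overwrite every byte of the image at `path` with `pattern`, one sector
    at a time, and force it to storage with fsync so nothing stays only in the
    page cache. Returns the number of sectors written."""
    size = os.path.getsize(path)
    block = _pattern_block(pattern, sector)
    written = 0
    with open(path, "r+b") as fh:
        for offset in range(0, size, sector):
            fh.seek(offset)
            fh.write(block[: min(sector, size - offset)])  # last sector may be short
            written += 1
        fh.flush()
        os.fsync(fh.fileno())
    return written


def verify_media(path: str, pattern: bytes = PATTERN, sector: int = SECTOR) -> dict:
    """Read back every sector and confirm it holds only `pattern`.
    Returns a report a verifier can attach to the asset's audit record:
    which sectors failed, an overall pass/fail and a hash of the media
    as read back, so the record can be re-checked later."""
    size = os.path.getsize(path)
    block = _pattern_block(pattern, sector)
    failed = []
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for offset in range(0, size, sector):
            data = fh.read(sector)
            digest.update(data)
            if data != block[: len(data)]:
                failed.append(offset // sector)
    return {
        "media": os.path.basename(path),
        "bytes": size,
        "sectors_checked": (size + sector - 1) // sector,
        "sectors_failed": failed,
        "verified": not failed,
        "sha256_after_wipe": digest.hexdigest(),
        "checked_at": datetime.now(timezone.utc).isoformat(),
    }


def wipe_and_verify(path: str) -> dict:
    """The two-step erasure record: overwrite, then independently read back."""
    overwrite_media(path)
    return verify_media(path)


def make_sample_image(size_bytes: int = 8 * SECTOR) -> str:
    """Constructed sample: a small image filled with fake 'customer data'.
    Returns the path of a temporary file the caller should delete."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write((b"CUSTOMER RECORD 0042 ACME LTD " * 400)[:size_bytes])
    return path


if __name__ == "__main__":
    img = make_sample_image()
    before = verify_media(img)      # data still present: expect verified == False
    report = wipe_and_verify(img)   # after overwrite: expect verified == True
    print("before:", before["verified"], "failed sectors:", before["sectors_failed"])
    print("after: ", report["verified"], "sectors checked:", report["sectors_checked"])
    os.unlink(img)
```

The verification pass deliberately re-reads the media rather than trusting the write loop's own return value; the proof in an erasure certificate is the independent read-back, not the fact that a write was issued. Failed sector numbers are listed rather than just counted so that a drive with unwritable sectors can be routed to degaussing or shredding with the evidence attached.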
Other considerations will focus on whether you require your data to be disposed of on premise or off site at your provider’s facility. What capabilities does your ITAD provider have to offer?
Implications of improper sanitisation
The business implications of a data breach are very significant. Not only would it damage your company’s reputation if customer information is released via a breach, but if your company’s Intellectual Property is accessed, stolen or shared with the public, your company may lose its competitive edge.
From a legal perspective, if data-bearing media containing confidential customer or employee information is accessed, the company could also breach the Data Protection Act (DPA), leading to a substantial fine from the ICO – currently up to £500,000. Looking ahead, when the EU’s new General Data Protection Regulation (GDPR) comes into force next year, companies must inform affected parties and the ICO within 72 hours of a breach and will face fines of up to €20 million or 4% of global revenue.
The value of data is making every business, and individual, a potential target of cyber crime. Organisations therefore need to take every possible step to minimise their risk of compromise and understand the legislative requirements. For example, an organisation that handles personal information about individuals has obligations to protect that information under the DPA and public authorities have a legal obligation to make official information available under the Freedom of Information Act. Under the forthcoming GDPR legislation, organisations must also seek permission from individuals to collect information, inform them how that information will be used and ensure it is erased securely after a set timeframe.
Matthew Prince, a data erasure specialist at Kroll Ontrack advises:
“Organisations should take the same level of care with disposing of data and devices as they do protecting it in an active IT environment. It is imperative to understand the entire lifecycle of your data and IT assets, ensuring that any gaps in the process are addressed. With the impending GDPR legislation, organisations should revisit their data transfer, retention and erasure methods ensuring that they have an accurate file catalogue. Organisations should also ensure that third party providers confirm that they remain compliant.”
Audit trails and accreditations
When you look to secure a provider to deal with data you should ensure they can provide you with a full audit trail so you can be assured you know where your equipment (and data) is at all times. What proof of data erasure or destruction will they provide? It’s worth finding out if they utilise NCSC approved software for data erasure and if you have requested physical destruction via shredding, will they issue you with certificates of destruction?
Ensuring your provider has a proven track record within the industry is also vital. Find out what accreditations they hold and which standards and regulations they adhere to. As a general rule, any ITAD partner you choose should be compliant with the EU Regulation on Waste for Electrical and Electronic Equipment (WEEE) and should hold a waste carriers licence. They may also be an Approved Authorised Treatment Facility (AATF).
Key questions surrounding their environmental policy and downstream processes should be considered. For example, do they adhere to any environmental standards – i.e., ISO 14001? What percentage of equipment they collect is re-used, re-sold or refined and what is their landfill policy?
Another ISO standard that serves as a solid indicator of a reputable provider is ISO 27001, which demonstrates, amongst other areas, that they have systems in place for the secure disposal of redundant IT equipment and secure destruction of all confidential data.
Adhering to specific industry standards such as being a member of ADISA is also important. ADISA (The Asset Disposal and Information Security Alliance) is an organisation that recommends standards for safely disposing of IT equipment, while minimising the risk of exposure and misuse of any sensitive data stored on that equipment. The ADISA audit process is multi-layered and includes full audits, unannounced operational audits and forensic audits. This ensures that ADISA certified companies are constantly checked against this industry specific standard.
Know where your data is, and who has it
What guarantees does your chosen provider give when equipment containing data is in transit? If they utilise any third party suppliers in their supply chain, what assurances do you have regarding a solid chain of custody route for your equipment? For example, you should ensure that any vehicle used in the process has GPS tracking enabled.
You should also be asking questions about their staff, particularly if they utilise any third party or temporary staff members. Find out if their employees have been vetted with the relevant background and security checks, taking note of how recently these checks were completed.
By asking these questions, you should be best placed to choose an ITAD that can provide the highest level of security and compliance. If your data ends up in the wrong hands it could spell disaster for your organisation, therefore make sure any provider you choose has been thoroughly assessed beforehand.
This was a guest article by Laura Cooper at EOL IT Services.
How do you dispose of your IT assets? How do you guarantee that your data is completely destroyed? Let us know by tweeting @KrollOntrackUK