Tuesday, May 12, 2009

Re-evaluating Data-Destruction Policies

The recent events surrounding the exposure of sensitive missile information on a used hard drive suggest a review of corporate and organizational data-destruction policies. Lockheed Martin, with a policy of on-site data destruction, found itself in the unenviable position of exposing sensitive information regarding the U.S. Terminal High Altitude Area Defense into the public domain. This missile defense information was discovered on hard drives purchased through eBay. (http://www.upi.com/Top_News/2009/05/08/Used-hard-drives-contain-sensitive-data/UPI-22481241759678/)

This type of on-site policy, which is ubiquitous as a best practice, is failing organizations and is the reason why a review of data-destruction policies is needed now. How can exposure to both sensitive information and liability be prevented in the future, if companies already have a policy of on-site destruction? Let’s look at a typical policy.

Typical wording in a data-destruction policy:
(Taken from Stanford University web site)
http://www.stanford.edu/group/security/securecomputing/data_destruction_guidelines.html

Policies
The following three cases are intended to cover all possible circumstances during which data sanitization is required. In all cases, the device is assumed to contain prohibited or restricted data and is transferred within one of these three scenarios:
Transferred within an Organization
In this case, a computer or PDA is transferred from one person to another who works in the same organization and has the same level of access to prohibited or restricted data information. If the device is transferred to a staff member who has no permission to this prohibited or restricted data, the policy defaults to "Transferred to a Different Organization". As long as the original system owner and the new owner have the same rights to view the prohibited or restricted data stored on the device, there is no need for data sanitization. The system may be transferred without removing any confidential data. However if the recipient has no business need to access the stored prohibited or restricted data, the files containing this data should be sanitized according to the directions in the Sanitization Guidelines section.

Transferred to a Different Organization
When a computer is transferred from one person to another in a different organizational unit, all prohibited or restricted data on the system should be sanitized, unless management representatives from both sides agree the recipient has rights to this prohibited or restricted data. Either the confidential data files or the entire disk should be erased according to directions in the Sanitization Guidelines section.

Device Disposal or Transferred Off Campus
When a computer is to be disposed of or transferred to someone not working for the university, all disks should be sanitized, whether or not they are known to contain any confidential data. No computer system should leave Stanford’s control without all disks being either sanitized or removed. No disks, including flash memory devices, should be disposed of without being sanitized. PDAs (e.g., Palm Pilots, Pocket PC devices) and Smart Phones should have all data removed prior to being transferred to another person or being turned in for recycling.

Problem
The problem with current on-site, data-destruction policies, such as the one outlined above, is that they require data erasure prior to being transferred, either inside or outside of an organization. While this policy sounds logical, it can result in systemic data loss into the public domain. Several of the most often cited causes of data loss during data retirement include:
1. Cannibalization
2. No communication of data destruction policy
3. No adherence to policy
4. No enforcement of policy
5. Negligence on the part of internal or outsourced resources
6. Heavy reliance on non-technical staff

Organizational dynamics contribute to sensitive data loss during IT retirement, especially among large enterprises. Many organizations have decentralized policies and put the responsibility for data destruction at the department level. Other organizations have a centralized method, aggregating systems to an IT department for data destruction. Problems occur when systems get lost in transit, when non-technical personnel are relied on, and when technical staff cannibalize quarantined systems. Organizations lose track of data once systems are removed from an electronic tracking mechanism such as a network.

Solution
What is the solution? Networked devices account for the vast majority of systems with hard drives. These systems can be processed on-site and on-network, prior to de-installation. Moving the data-destruction policy upstream and enabling network administrators to erase data prior to network de-installation can eliminate the need for non-technical staff to perform erasure. It can eliminate data loss from cannibalization, lack of policy communication, lack of policy enforcement and general negligence from either internal or outsourced resources. Furthermore, any risk of loss during transportation can be eliminated, with the result being a centralized process with centralized authentication while chain of custody is kept within an organization.

What about encryption? Encryption is a secure and useful method when sending systems to a third party for data destruction; however, the risk of negligence on the part of the provider still remains. On-site and on-network data destruction continue to be a safer method and process.

What about shredding hard drives? Current overwrite technology delivers the same level of data destruction as shredding a hard drive does, but without destroying a reusable system. Keeping systems out of the waste stream and containing costs are important corporate responsibilities. Shredding a hard drive destines all, or at least part, of the system to the waste stream. Even if recycled, not all of the materials are reused; some must be discarded. If sold without hard drives, systems are typically not re-used in whole. Utilizing overwrite technology, making systems useful to the next person and keeping them out of the waste stream, is an optimal solution.

Wednesday, April 29, 2009

How to Avoid a Data Breach…when retiring IT systems.

Much attention and budgeting is dedicated to Data-in-Motion and Data-at-Rest. Often neglected is a focus on Data-in-Retirement (DIR). For this reason many organizations run a high risk of data loss during the data destruction or IT asset retirement process.

A recent data breach example occurred at the accounting firm of Grant Thornton. Grant Thornton administrators admitted machines containing confidential data were sold to a computer wholesaler without masses of personal data being erased.
(Source: TheInquirer.net)

After 20+ years in the IT asset retirement industry, I can offer five (5) suggestions for avoiding a data breach during the DIR process:

  • Avoid removing systems from their network before destroying data. Knowing the status of your asset and what data resides on it is critical. Removing systems from a network means a loss of tracking ability and increases the risk of data loss.
  • Avoid cannibalization. Cannibalization typically occurs after systems are removed from their network. Next to sanitizing systems on-network, the next best solution is to quarantine systems in a physically secure area.
  • Avoid human error and manual sanitization processes. Utilize software tools to automate the Data-in-Retirement process before systems are removed from their network.
  • Avoid breakdowns in data destruction policies and processes. Policy and process breakdowns can occur when managing distributed environments, when relying on non-technical staff, and when policies are infrequently communicated. On-network software tools may significantly reduce breakdowns and reduce risk.
  • Avoid relinquishing Chain of Custody. Transferring IT assets to a third party can increase the risk of data loss at several points: a.) during transport, b.) during transfer of assets, c.) when relying on third-party performance.
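The on-network retirement process argued for above (and in the "Solution" section of the May 12 post) can be enforced rather than merely documented. The following is an added example, not code from this blog or from Venderis Software; the state names, the zero-fill overwrite assumption and the sample sector data are all constructed for illustration. An asset cannot be de-installed or released until an erasure has been performed and verified while the asset is still tracked, and every attempt to skip a step is written to the chain-of-custody log for review.

```python
from dataclasses import dataclass, field

# Hypothetical retirement states and the only transitions the policy permits.
# Erasure and verification happen while the asset is still on the network;
# nothing may be de-installed or released before verification succeeds.
PERMITTED = {
    "in_service": {"retire_requested"},
    "retire_requested": {"erased"},
    "erased": {"erase_verified"},
    "erase_verified": {"de_installed"},
    "de_installed": {"released"},
}

def wipe_verified(sample: bytes) -> bool:
    """Read-back check after a zero-fill overwrite (an assumption here):
    a sampled region must contain no non-zero byte and must not be empty."""
    return len(sample) > 0 and not any(sample)

@dataclass
class Asset:
    asset_id: str
    state: str = "in_service"
    custody: list = field(default_factory=list)  # (from, to, actor, allowed)

    def move(self, new_state: str, actor: str) -> bool:
        """Attempt a transition. Allowed and denied attempts are both logged,
        so the custody record shows who tried to bypass the process."""
        ok = new_state in PERMITTED.get(self.state, set())
        self.custody.append((self.state, new_state, actor, ok))
        if ok:
            self.state = new_state
        return ok

    def verify(self, sample: bytes, actor: str) -> bool:
        """Mark erasure as verified only if the read-back sample is clean."""
        if self.state != "erased" or not wipe_verified(sample):
            self.custody.append((self.state, "erase_verified", actor, False))
            return False
        return self.move("erase_verified", actor)

def denied_attempts(asset: Asset) -> list:
    """Policy-bypass attempts worth reviewing, e.g. de-install before verify."""
    return [entry for entry in asset.custody if not entry[3]]
```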

Robert Davie

Sunday, October 5, 2008

PC Retirement: How to Safeguard Your Investment

With 20 years experience in the used computer industry, the founder of Venderis Software explains how to minimize financial loss as well as potential data loss when retiring PC systems from service.

Just as today’s volatile financial markets raise concerns over retirement plans and asset value, so too do complex and often costly hardware retirements or refreshes raise concerns over their root causes and risks. Core areas of concern include:

1. Risk of data loss
2. HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley compliance
3. Environmentally sound disposal
4. Resale value
5. Retirement costs

Gartner Inc. estimates that the average cost of retiring a PC asset is approximately $130 (source: IT Compliance Institute – IT Recycling: The Next Frontier). Whether handled internally or externally, retirement costs can eat up part or all of a system’s resale value. Easily calculated, external costs can be broken down into the following areas:

1. Erasure: $10
2. Audit, tracking, admin: $20
3. Transportation: $10 to $50 or more (If dedicated trucks are used to carry systems directly to a third-party location for processing, transport costs increase dramatically.)
4. Onsite services: $125 to $200/hour
5. Consignment: 15% to 35%

When these costs are totaled, rarely do any proceeds from the sale or donation make it back to the seller. Overlooking ways to reduce these expenses, organizations typically use the proceeds to offset retirement costs. However critical the data erasure and environmental concerns may be, risks and costs can be eliminated, and three areas should be examined.

First, end-of-life processes can be automated, eliminating an inherently manual method for hardware retirement. Performing simultaneous erasure, audit, diagnostics and tracking processes while IT assets are still attached to their network eliminates manual methodologies. On-network data erasure can not only reduce costs but reduce risk of data loss as well. A recent study by the Ponemon Institute suggests that as much as 70% of data loss comes from off-network devices due to:

1. Cannibalization
2. Theft
3. Negligence
4. No formal retirement policy
5. No enforced or communicated retirement policy

A second solution reducing costs and risks is centralized chain of custody and tracking. A high tendency for employees to cannibalize systems in storage indicates how important it is to develop a hardware retirement policy that ensures chain of custody for each asset from the moment it is removed from service until the moment it is eventually resold or recycled.

Thirdly and most often overlooked is the ability to restore valid operating systems to erased hard drives. A quick search on eBay indicates that restoring the operating system can increase the resale value of an average laptop or desktop by $80.

While Microsoft recently introduced the Microsoft Authorized Refurbisher (MAR) program whereby refurbishers can load a new operating system onto a wiped system, the re-licensing is available only to a limited number of large refurbishers and at an additional cost.

The Microsoft End User License Agreement does permit PC operating systems to be restored to wiped drives and transferred to another user. Many large organizations take advantage of Enterprise License Agreements, and these agreements often allow for the transfer of the operating system as well. For example, in the case of higher-ed institutions, graduating students may take their PCs and operating system licenses with them while the institution retains the same number of Enterprise Licenses. In other instances, organizations under Enterprise Licensing are allowed to resell PCs with the operating system in the fifth year of their operation.

By restoring the operating system the environmental sustainability is increased as the likelihood of reuse increases and systems are kept out of the waste stream for a longer period of time.

On-network data erasure, diagnostics, audit and OS restoration means that hundreds of systems can be processed in a scheduled and controlled manner, reducing retirement costs and increasing resale value while at the same time maintaining chain of custody over sensitive information. Solutions currently exist that can automate one or more or even all of these end-of-life processes.

Robert Davie, founder of Venderis Software and keynote speaker at IAITAM, is an adviser to Fortune 50 companies, universities, resellers and recyclers on end-of-life and retirement solutions.