How to Avoid a Data Breach…when retiring IT systems.

Much attention and budgeting is dedicated to Data-in-Motion and Data-at-Rest. Often neglected is a focus on Data-in-Retirement (DIR). For this reason many organizations run a high risk of data loss during the data destruction or IT asset retirement process.

A recent data breach example occurred at the accounting firm of Grant Thornton. Grant Thornton administrators admitted machines containing confidential data were sold to a computer wholesaler without masses of personal data being erased.
(Source: TheInquirer.net)

After 20+ years in the IT asset retirement industry, I can offer five (5) suggestions for avoiding a data breach during the DIR process:

• Avoid removing systems from their network before destroying data. Knowing the status of your asset and what data resides on it is critical. Removing systems from a network means a loss of tracking ability and increases the risk of data loss.
• Avoid cannibalization. Cannibalization typically occurs after systems are removed from their network. Next to sanitizing systems on-network, the next best solution is to quarantine systems in a physically secure area.
• Avoid human error and manual sanitization processes. Utilize software tools to automate the Data-in-Retirement process before systems are removed from their network.
• Avoid breakdowns in data destruction policies and processes. Policy and process breakdowns can occur when managing distributed environments, when relying on non-technical staff, when policies are infrequently communicated. On-network software tools may significantly reduce breakdowns and reduce risk.
• Avoid relinquishing Chain of Custody. Transferring IT assets to a third party can increase the risk of data loss at several points: a.) during transport, b.) during transfer of assets c.) when relying on third party performance.
  

Robert Davie