However, companies are often in such a rush to expand that they don’t put sufficient thought into their policies for managing the risks associated with decommissioning such devices.
This creates a problem with data leakage. The uncontrolled transfer of a firm’s data to unauthorized individuals presents a major enterprise security hole. Notebooks and PCs have data. USB drives have data. Even cell phones have contact lists, with newer phones storing text messages, emails, and proprietary files.
Groups need to investigate how to securely remove data from these systems before these units move beyond their control. As Oliver North found out in the Iran-Contra affair years ago, using an operating system’s delete command to remove files typically doesn’t destroy all the data. In some cases, the file is flagged for deletion yet remains in either a waste bin or system folder. The data can remain until the formerly allocated space is re-used.
The Ghost in the Machine
While we fret over external leakage, even the uncontrolled movement of data within a firm can be detrimental. Imagine a person getting access to sensitive data because they receive a thumb drive that used to belong to a VP, or salary data from a PC that HR used to use. Many groups recognize this and re-image drives, or do a secure wipe before re-using equipment.
Often, it’s the devices that are going to be thrown out, sold, or donated that don’t have effective controls – especially the mobile devices, such as PDAs and cell phones. Organizations should review risks and determine what policies and procedures they need to safeguard company information.
Part of this must include deciding what is “good enough.” In other words, management teams need to identify reasonable controls that reduce the risks to an acceptable level, as the risks are virtually impossible to totally eliminate.
For devices in the data center, companies can readily develop and enforce policies for securely wiping drives, non-volatile RAM, backup media, and other units. In cases where a device has failed and the data isn’t accessible to wipe, the storage unit should be physically destroyed so that the data is unrecoverable should the unit be removed and placed in an operative device. This includes methods such as shredding, puncturing, melting, degaussing and so on.
For mobile devices where the risks merit higher security levels, users need to return the units to a depot, centralized or decentralized, which is tasked with properly decommissioning the device. This serves two purposes: accounting for devices and taking reasonable safeguards to prevent the loss of data.
Should This Data be Traveling?
Also important is the need for policies governing the use of non-company storage devices and systems. For every control you put in place there will be weaknesses – “what if they use their own USB drive?” The idea is to put controls in place that are commensurate with the risks. Hypothetically, if an organization is worried about portable devices and external storage, then one must wonder whether the data should even be allowed outside of controlled facilities.
Units slated for donation or resale need to be taken into consideration as well. For these devices, not only must their data be removed, but the software licensing must also be taken into account. With MS Windows, most PCs have their certificate of authenticity (COA) displayed on the unit so it typically transfers with the PC. However, productivity packages such as Office do not automatically change hands.
On a related note, an increasing number of municipalities have put laws in place regarding the disposal of computer systems due to the huge volume of computer-related equipment going into dumps, known as “e-waste.” Some of these components are fairly toxic.
There is a growing business segment of vendors that specialize in picking up e-waste and ensuring that it’s securely disposed of. As with any vendor, their controls should be verified prior to contracting with them and routinely audited to verify their compliance with stated policies and procedures.
The time and effort that companies spend reviewing their policies for decommissioning devices to be donated, sold or discarded is time well spent. It is far better to prevent incidents than to be forced into a frenzied scramble to recover afterwards.