February 2013

Data Security

Data Security: From Beginning to End

By: Nick Bagnell, Dynamic Recycling

We have all read about the recent data breaches caused by something as simple as a person breaking into a car and stealing a data-sensitive device. Who would have thought that thousands of people’s identities could be at risk from one laptop being stolen from a locked car? You’re probably thinking, “Why would a corporation allow an employee to take that much secure data off site?” Are corporations doing their due diligence to ensure privacy for their employees and customers? What guidelines should be implemented to ensure a corporation’s data is secure within the office, out of the office, and after the corporation’s electronic devices are retired?

There are a number of ways that an organization can ensure full data security during the life cycle of a computer.

In the office:

  • Contract with a trusted vendor who provides compliant data security solutions.
  • Ensure all employees of the organization are trustworthy (background checks, employment verification, system permissions).
  • Put a monitoring system in place to supervise employee activity.
  • Make sure your facility is fully secure, through implementation of such things as keycard entry to data-sensitive areas, surveillance cameras, and visitor logs.

Out of the office:

  • Do not let employees leave the facility with computers that hold secure data – Inevitable
  • Any company network that is accessible from offsite should be protected (VPN)
  • Secure data should only be allowed to be accessed on-site.

After the computer is retired:

  • Contract with a trusted vendor who provides services for proper data destruction.
    • Verify that they maintain appropriate certifications
  • Verify their facility security and employee background check policies.
  • Verify their transportation process (3rd Party, Contracted, Self-Maintained)
  • Most importantly, verify their standards and processes for data destruction, and their options for physical destruction or sanitization of data-sensitive devices.

In today’s world you would think that most organizations would have the above processes in place. The fact is that many maintain standards which satisfy one or two of these areas, but when their units are ready to be recycled or retired, they have them processed without doing much research on the vendor’s processes, standards, facility, and certifications. What happens to all of the secure data remaining on these devices when they are sent to a vendor for further disposal? There are plenty of recyclers that possess proper procedures to ensure total data destruction, but there are also an equal number who do not. Given this percentage, I would do the appropriate research and auditing to avoid the risk of a data breach.

At this point you are probably wondering how to qualify a trusted electronic recycling vendor. How can your organization be sure it is working with an ethical recycler that truly cares about your data security and has implemented the appropriate processes to assure you that all of your data is destroyed? A few things to verify with your vendor prior to utilizing their services:

  • NAID Certification: NAID® (National Association for Information Destruction) is the international trade association for companies providing information destruction services. Hundreds of state and federal government agencies recognize it, including a growing number outside the U.S., and tens of thousands of private organizations now require it of their service providers.
  • R2 Certification: The R2 Standard sets forth requirements relating to environmental, health, safety, and security aspects of electronics recycling. According to a recent survey conducted by Converge, IT managers at mid- to large-size companies cite data breach from discarded computers as the number one concern when disposing of IT equipment. The R2 Standard addresses all of these areas of concern, so you can be sure that your IT equipment is managed according to the highest industry standards while meeting your organizational goals and needs. Every certified R2 recycler has been rigorously audited by an independent third-party auditor that evaluates each recycler in more than 50 areas of operational and environmental performance.
  • ISO Certifications: ISO International Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors and increasing productivity. ISO standards are developed by the people who need them, through a consensus process. Experts from all over the world develop the standards that are required by their sector. This means they reflect a wealth of international experience and knowledge.

These certifications allow you to rest assured that your data is being processed and destroyed properly and with the highest degree of ethical standards. If your data is considered so highly confidential that it is not permitted to leave your facilities, then you may want to ask your recycler if they perform on-site data shredding. This operation will shred your hard drives and any other data-sensitive devices into millimeter-size pieces. At that point it would be absolutely impossible for any data to be compromised. The only downside to that operation is that your computer will not have as much value if it were to qualify for further reuse through IT Asset Management. If your organization’s data can leave the premises via a trusted recycler, they can then perform data wiping that will ensure proper destruction of data at their facility.

IT asset management (ITAM) is the set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. Assets include all elements of software and hardware that are found in the business environment. This allows an organization to maximize the revenue potential of outdated working computers, giving corporations a return on their IT investments.

In conclusion, choosing a trusted recycler can be critical to your data security. There are many recyclers that will tell you they are ethical and that you can trust your data with them, but what are they doing to prove they can be trusted? Furthermore, have you done your due diligence in auditing your vendors to ensure you can trust them?