The things to consider
Whether you are relocating, refreshing your IT estate or heading to the cloud, you will inevitably generate redundant IT hardware and will need to ensure that any data residing on that equipment is adequately erased.
When choosing to trust a new partner to manage your IT Assets and Confidential Data, you face a dilemma. How do you know you’re making the right decision? What criteria, industry guidance or performance measures do you work from, to ensure your decision is solid?
When you refresh hardware you should know how to dispose of all devices properly
When choosing an ITAD (IT Asset Disposal) partner, you should ensure they provide comprehensive audit trails so that you know where your hardware is at all times and its final destination, i.e. whether equipment is resold, re-used or recycled. Regardless of the route your hardware takes, you must consider your options for ensuring secure data eradication.
There are four methods to consider, and in some cases a combination of them may be necessary to achieve the result you require. Which you choose depends on your own internal policy as well as the type of media you have to dispose of.
Options for data eradication include:
Data Wiping/Overwriting – the most popular choice for erasing or wiping data from any data-bearing asset, including mobile phones, is Blancco. Blancco erasure solutions are the most respected and widely used product worldwide, but there are other software erasure solutions on the market. You should ensure that any process for wiping or overwriting data is completed in line with NCSC (previously CESG) standards. Ask your provider what will happen to any drives that fail to wipe: will these be physically destroyed? What about solid state or hybrid drives: will these take a different route?
Data Degaussing – using a machine that produces a strong electromagnetic field to destroy all magnetically recorded data, leaving the domains on hard drives and floppy discs in random patterns with no preference to orientation, thereby rendering previous data unrecoverable.
Data Shredding – the standard mechanical process is to crush, chop and then shred the media into smaller pieces, usually between 25mm and 6mm in size. This fragmented material is then sent on to refining partners who continue the refining process. What record of items shredded will you receive? What destruction certificates are included for your own internal auditing records?
Data Granulation – the action of extracting and destroying data-bearing media such as drives from an information system by cutting (or shredding) it down to granules of 6mm or smaller.
Other considerations include whether you require your data to be disposed of on-premise or off-site at your provider's facility. What capabilities does your ITAD provider have to offer?
What are the implications of improper sanitisation?
The business implications of a data breach are very significant. Not only would it damage your company's reputation if customer information were released via a breach, but if your company's intellectual property is accessed, stolen or shared with the public, your company may lose its competitive edge.
From a legal perspective, if data bearing media containing confidential customer or employee information is accessed, the company could also breach the Data Protection Act (DPA), leading to a substantial fine from the ICO – up to £500,000. Looking ahead, when the EU’s new General Data Protection Regulation (GDPR) comes into force next year, companies must inform affected parties and the ICO within 72 hours of a breach and will face fines of up to €20 million or 4% of global revenue.
The value of data is making every business, and individual, a potential target of cyber crime – and organisations need to take every possible step to minimise their risk of compromise. Clearly it is essential to understand the legislative requirements. For example, an organisation that handles personal information about individuals has obligations to protect that information under the DPA and public authorities have a legal obligation to make official information available under the Freedom of Information Act. Under the forthcoming GDPR, organisations must also seek permission from individuals to collect information, inform them how that information will be used and ensure it is erased securely after a set timeframe.
Make sure that you have a provider in place who can provide you with certificates of erasure and recycle devices securely
When you look to secure a provider to deal with data you should ensure they can provide you with a full audit trail so you can be assured you know where your equipment (and data) is at all times. What proof of data erasure/destruction will they provide? Will they ensure they utilise NCSC (previously CESG) approved software for data erasure for example and if you have requested physical destruction via shredding, will they issue you with certificates of destruction?
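The two checks raised above, what happens to drives that fail to wipe and what proof of erasure you receive, can be made concrete. The following Python script is an added example, not code from this article or from Blancco or any other erasure product: it overwrites a small constructed drive image, reads every block back to find any that still hold data other than the wipe pattern, shows how block sampling can miss such residue, and emits a certificate-of-erasure record that ties the result to a digest of what was actually verified. The block size, asset identifier, record fields and the "reallocated sector" simulation are all assumptions, and it works on an ordinary file rather than a physical device.

```python
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # assumed block size for the constructed image


def overwrite_image(path, pattern=b"\x00"):
    """Single-pass overwrite with a fixed byte pattern (illustrative only;
    a certified tool follows its standard's pass sequence and also handles
    areas a plain file write cannot reach)."""
    size = os.path.getsize(path)
    block = pattern * BLOCK
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.seek(off)
            f.write(block[: min(BLOCK, size - off)])
        f.flush()
        os.fsync(f.fileno())


def verify_wipe(path, pattern=b"\x00", sample_every=1):
    """Read the image back and return the offsets of blocks that still hold
    anything other than the pattern. sample_every=1 is a full read; larger
    values check only every Nth block, which is faster but can miss residue."""
    size = os.path.getsize(path)
    expected = pattern * BLOCK
    residual = []
    with open(path, "rb") as f:
        for idx, off in enumerate(range(0, size, BLOCK)):
            if idx % sample_every:
                continue
            f.seek(off)
            chunk = f.read(BLOCK)
            if chunk != expected[: len(chunk)]:
                residual.append(off)
    return residual


def erasure_record(asset_id, path, residual, method="single-pass overwrite 0x00"):
    """Certificate-of-erasure entry (assumed field names) with a SHA-256 of the
    post-wipe image so the record is tied to the exact content verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return {
        "asset_id": asset_id,
        "method": method,
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(path),
        "post_wipe_sha256": h.hexdigest(),
        "residual_block_offsets": residual,
        "result": "PASS" if not residual else "FAIL - route to physical destruction",
    }


def demo(workdir=None):
    """Run the flow on a constructed 256 KiB image and return the results."""
    workdir = workdir or tempfile.mkdtemp()
    img = os.path.join(workdir, "drive.img")
    with open(img, "wb") as f:
        f.write(secrets.token_bytes(BLOCK * 64))  # constructed stand-in for user data
    overwrite_image(img)
    clean = verify_wipe(img)  # full read after a good wipe: no residue
    # Simulate a block the overwrite could not reach (e.g. a reallocated
    # sector) by putting random data back into block 17.
    with open(img, "r+b") as f:
        f.seek(BLOCK * 17)
        f.write(secrets.token_bytes(BLOCK))
    dirty = verify_wipe(img)  # full read: reports block 17
    sampled = verify_wipe(img, sample_every=2)  # every 2nd block: misses it
    return {
        "clean": clean,
        "dirty": dirty,
        "sampled": sampled,
        "record": erasure_record("ASSET-0001", img, dirty),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The sampled read returning nothing while the full read finds the residual block is the point to take to your provider: ask whether their verification reads every addressable block, and note that on solid state and hybrid drives wear-levelling and over-provisioned areas are not reachable by host writes at all, which is why the article asks whether those drives take a different route.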
Make sure your chosen provider has a track record in data security/has the necessary accreditations
Ensuring your provider has a proven track record within the industry is key. What accreditations do they hold and what standards and regulation do they adhere to?
Any ITAD partner you choose should be compliant with the EU Regulation on Waste for Electrical and Electronic Equipment (WEEE) and should hold a waste carriers licence. They may also be an Approved Authorised Treatment Facility (AATF).
Key questions surrounding their environmental policy and downstream processes should be considered. For example, what is their environmental policy? Do they adhere to any environmental standards, i.e. ISO 14001? What percentage of the equipment they collect is re-used, re-sold or refined? What is their landfill policy?
There is more to ask
Another ISO standard to consider as a key indicator of a solid choice of provider is ISO 27001, which demonstrates that they have systems in place for the secure disposal of redundant IT equipment and the secure destruction of all confidential data.
What guarantees do they provide when equipment containing data is in transit? Does your provider utilise any third party suppliers, for example, for their logistics – if so, what assurances do you have regarding a solid chain of custody route for your equipment? Are their vehicles GPS tracked for example?
What about their staff? Do they utilise any third party or temporary staff members? Are their staff vetted with the relevant background and security checks? Are their staff security cleared?
Specific industry standards such as being a member of ADISA are also vital. ADISA (The Asset Disposal and Information Security Alliance) is an organization that recommends standards for safely disposing of information technology (IT) equipment while minimizing the risk of exposure and misuse of any sensitive data stored on that equipment. The ADISA audit process is multi-layered including full audits, unannounced operational audits and forensic audits and ensures that ADISA certified companies are constantly checked against this industry specific standard.
Contact us TODAY on 0845 600 4696.