What’s the fuss about?

LinkedIn, ‘Facebook for business people’, changed their terms of use to allow them to use your photo and name in third-party advertising.

It’s easy to see why LinkedIn would want to do this, as it appears as if you are endorsing the advert. However, therein lies the problem, as it could appear that you are endorsing the product.

LinkedIn have introduced this feature with the ability for you to switch it off – and that’s what has caused the furore, because the default is for you to be opted-in. There is even a view that LinkedIn may have broken Dutch privacy law and European Data Protection laws by changing these privacy settings.

How do I opt out of this ‘feature’?

1. In your web browser, go to https://www.linkedin.com
2. Log-in using your e-mail address and password.
3. In the top right-hand corner of the screen, move your mouse over your name and ‘Settings’ will appear. Click on ‘Settings’.
4. On the ‘Settings’ page, click on the ‘Account’ tab (near the button left-hand side of the screen).
5. Under the ‘Privacy controls’ heading, click on ‘Manage social advertising”.
6. Un-tick the check-box that says ‘LinkedIn may use my name, photo in social advertising’.

That’s it !

Also read this ….

LinkedIn’s Privacy Slip-up Draws Legal Scrutiny [PCWorld]

Like it or not, FATCA is coming on January 1st 2013. Don’t take the attitude that it’s a long way off – there is potentially a lot of work for some firms to do, so make sure you are prepared and ready.

In case you are wondering what FATCA is, it’s the USA IRS Foreign Account Tax Compliance Act.  If you are a financial services firm and have any dealings with the USA or if you are a US multinational corporation, you need to determine whether you need to become FATCA compliant.

This flowchart should help determine your obligations under FATCA. Click the image to view or download the full size diagram (it is a large file).

Click here also, for useful links regarding FATCA.

As always, this is to the best of my knowledge, so always take professional advice.  Constructive feedback welcome.

It’s a a common occurrence – a server is needed very quickly and a virtualized environment allows for the fast deployment.  In fact, some organisations are decentralising the deployment and management of virtual servers out of the IT function and in some cases to ‘super users’.

Beware – although this may speed-up the deployment of a platform, it will come back and bite you if you don’t manage it effectively.

A virtualized server may not need its own racked hardware, power and cooling, but it needs all the other maintenance, management and TLC that physical servers need.

Deployment

Virtualized servers are much quicker to deploy that a physical, but make sure you have a process that is followed by everyone that is able to do it.  This will ensure standards are kept to such as naming, licensing, anti-virus software and updating of the inventory.

Management and control

Aside from the physical aspects, a virtual server needs just as much management as a physical server. Make sure you maintain an inventory of all virtual servers as you would with all physicals. Perform a regular reconciliation between the inventory and the actual VMs that exist.

Do not allow yourself to get into VM-sprawl, otherwise you will have a headache in trying to get on top of the situation.

Backup

It’s all too easy to roll-out a new VM and forget about backing it up. You may have a replicated SAN for your storage – but replication isn’t a backup. Make sure that arranging backups is part of the deployment process.

Patching, Anti-virus and Protection

Here’s another reason why you need to manage your virtual servers. Don’t create a VM and handover management and control to someone who won’t keep it up to date with software updates (WSUS if Microsoft), anti-virus, application software patches etc.

If you don’t ensure VMs are patched, they will rapidly become a significant gap in your infrastructure security and protection.

Licensing

Don’t get caught out by software licensing. If you are only running open source software you may be covered, but you will find that other licensable product licence terms sometimes don’t fit well with a virtualized world.

Microsoft’s Data Centre licence, although expensive, is a method of ‘buying your way out of a problem’, as it allows you to run multiple instances of their Server operating systems on a virtualized server.  Take specialist licensing advice to ensure you understand how you need to be licence with regard to the number of processors and multiple physical VM hosts.

Don’t forget other software that is installed on the server. Even though a non-IT member may have installed it, you may be responsible for licensing in your firm.

Also, make sure you understand the licensing implications of software on a VM that is copied ‘for testing’ or for ‘safe keeping’. Different software vendors have very different views and many software contracts were written before the days of VMs.

And finally ….

Don’t get me wrong – I am fully supportive of virtualized environments. The message here is to manage them as thoroughly as if they were physicals. A virtual server that isn’t managed properly could become a chink in your security armour or a legal liability if not licensed.

Manage those VMs !

Application-as-a-service (AaaS)

This is typically a specific and often specialised business system that is delivered over the Internet to a user, typically accessing the application through a browser. While many people associate Application-as-a-service with ‘vertical’ enterprise applications such as Salesforce, office automation applications are also Applications-as-a-service, such as Google Docs, Gmail, Google Calendar and Microsoft’s Cloud-based Office365 or Dynamics CRM.

Also read this article.

Data as a service

It could be argued that this service has been with us for some time now – for example Interactive Data’s pricing services.  Data/Information-as-a-service provides data on-demand using well defined interfaces such as an API.

Data-as-a-service is typically provided to a company by an external service provider. However, large corporations can benefit from scales of economy by aggregating data and disseminating it within it’s ‘child’ companies.

There are two types of Data-as-a-Service; private data and public data.

• Private data is typically paid-for access to valuable data that isn’t readily available in the public domain. Examples include live stock price information, address and post code/zip code validation, and credit reporting. This type of service is not new and has been provided for years by companies such as Interactive Data.
• Public data is a newer service and is typically formatted data in the public domain. For example, the Google Public Data Explorer allows you to incorporate demographic data with your company’s sales figures to perform powerful statistical analysis.

Data Centre-as-a-service

Refer to Infrastructure-as-a-service.

Database-as-a-service

This provides the ability to use the services of a remotely hosted database, sharing it with other users, and having it logically function as if the database were local. Different providers have different models, but the advantage of this service is to be able to use database technology that would typically be a significant cost in hardware and software licenses if hosted in-house.

Desktop-as-a-service (DaaS)

Also referred to as ‘virtualized desktops’. A large cost for firms is the purchase, deployment and subsequent management of desktop PC devices – especially in remote offices. Desktop-as-a-service can help alleviate these costs and headaches, by offering a virtualized desktop that runs ‘in the Cloud’.

There are operational considerations, such as the fact that the users need physical devices to access the Cloud-delivered desktop. However, these can be low-cost, low-maintenance locked-down thin clients.

Also read this article.

Governance-as-a-service

Refer to Management-as-a-service.

Hardware-as-a-Service

This term seems to have faded out of use now. It referred to the ability for companies to avoid purchasing hardware when they could ‘rent’ services from cloud platforms such as Amazon’s EC2.

Identity-Management-as-a-service (IMaaS)

This is an area that has the potential to grow significantly. It covers the identification of users and ensuring they receive only the access levels that they should have. That sounds easy, but how do you know that a remote user is really who they say they are?

This service  provides access control and audit capability for multiple SaaS, Public Clouds and Private Clouds, whilst at the same time giving users the benefit of single-sign-on (SSO).

An example of a service in this area is Symplified.

Information-as-a-service

Refer to Data-as-a-service.

Infrastructure-as-a-service (IaaS)

This is also referred to as Data Centre-as-a-service, this is the ability to remotely access computing resources. In essence, you lease a physical server that’s yours to do with as you will, and for all practical purposes it is your data centre, or at least part of a data centre. The difference with this approach versus more mainstream cloud computing is that instead of using an interface and a metered service, you’re getting access to the entire machine and the software on that machine.

In short, it’s less a packaged solution and more akin to ‘traditional’  hosting.

Also read this article.

Management-as-a-service and Governance-as-a-service

This is an on-demand service from a Cloud service provider that allows the management of one or more Cloud services.  Typically, these are simple things such as systems topology, resource utilisation, virtualization management and up-time management.

management/governance systems are now becoming available, such as the ability to enforce defined policies on data and services and report on SLA and service metric compliance.

Platform-as-a-service (PaaS)

This is a complete platform that is delivered through a remotely hosted (Cloud) platform to subscribers. It can include application development, interface development, database development, storage and testing.  It is based on the traditional timesharing model and modern Cloud Platform-as-service providers provide the ability to create enterprise-class applications for use locally or on-demand for a subscription price or free that is typically less than hosting it in-house yourself. An example of this is Microsoft’s Azure platform.

Also read this article.

Process-as-a-service

This refers to a remote resource that can aggregate many resources together, such as services and data, whether hosted within the same cloud computing resource or from separate providers, to create business processes.

You can think of a business process as a Meta application that spans different systems, leveraging key services and information that are combined into the correct business sequence to form a process. These processes are usually easier to change than applications, and thus provide agility to those who use these process engines that are delivered on-demand.

Security-as-a-service

As the incidence of viruses, malware, attacks and email phishing increases day-by-day, the job for the IT team to protect a firm gets more and more complex. Security-as-a-service is starting to become an attractive proposition, as it’s a method of outsourcing a headache for management by experts.

For this to work, all Internet connectivity for the firm needs to be routed through the service provider. Failure to do this could result in an unmanaged ‘unlocked back door’ into your firm.

Examples of Security-as-a-Service providers are McAfee, Zscaler and Symantec’s MessageLabs who have been providing this service for some years.  Click here for a high-level review of service offerings.

Software-as-a-service (SaaS)

Refer to Application-as-a-service.

Also read this article.

Storage-as-a-service

Also known as ‘storage on demand’ or ‘disk space on demand’.

This is the ability to use storage that physically exists at the remote Cloud service provider but logically appears as local storage resource to any application that requires storage. Apple’s MobileMe iDisk service is an example of Storage-as-a-service..

Testing-as-a-service

This is a service that allows the testing of local or Cloud-delivered systems using testing software and services that are remotely hosted by the Cloud services provider. Note that while a Cloud service requires testing itself, Testing-as-a-service services can test other Cloud applications, Web sites and even internal enterprise systems.  They do not require a capital investment  in hardware or software within the enterprise, for something that may only be used for a limited period of time.

What I like about the Kindle

• At 241 grams, the Kindle is lighter than most paperback books. This is really important when travelling with airline weight allowances. Amazon claim that it will store upto 3500 books.
• I get a lot of PDF documents at work – technical datasheets, overviews etc. I can send them to my @free.kindle.com address and then read them on the Kindle. This saves having to print them out to read them later.

Make sure you use the @free.kindle address and not the @kindle one – otherwise you get charged a 3G usage fee. You can always transfer documents direct via USB but they won’t be converted to the Kindle format.

• The built in dictionary is great. Position the cursor at the start of the word and the dictionary tells you the definition of the word. At the touch of a key a more detailed explanation is available.
• If the dictionary isn’t enough information for you, you can search Wikipedia. This is really helpful for research but remember you need an Internet connection for this.
• It has a basic web browser – but you may be charged for 3G traffic. It is slow and clunky but does the job.
• You can have an American female or male voice read text to you. It’s a bit robotic but quite listenable.
• At a cost you can subscribe to newspapers, magazines and blogs. You can read this BLOG on the Kindle – click here !
• You can download free ‘classic’ books from Amazon and other places – and some very low cost ones.
• You can download free sample chapters from Kindle books – some of these have had the info I needed in which saved me buying the book !
• Battery life is very good – Amazon claim a one month battery life if you turn off wireless. I am getting less than a week with wireless switched on.
• The E-Ink screen is very readable. It isn’t backlit, but then neither is a paper book. You will get used to the screen being ‘always on’ – even in screen saver mode. The E-Ink technology only uses power to change the screen image, not to keep it displayed.
• You can annotate books and documents and share the annotations with others.
• The PC/MAC/iPhone/Android versions all synchronise with you Kindle account, meaning you can read your Kindle books on other devices. I can’t read my newspaper subscription on the PC version – only on the Kindle itself.
• It looks smart !

What you need to know

There aren’t any show-stoppers for me. However ….

• The PDF and MS Word to Kindle conversion is a bit iffy – but good enough to read.
• You can download MP3s to it and play them as background music. However, the quality isn’t awesome and you can’t change the tone so it won’t replace an iPod type device.
• You can’t upgrade the memory so more music means less books.
• It doesn’t come with a case. To protect it, I got the Amazon black leather one (without a light). It looks great – and so it should at the cost. The case folds back for one hand holding.
• There’s a slight pause and flicker when turning pages. It doesn’t bother me but other people have moaned about it.
• You can create folders to file your books in, but you can’t have sub-folders. Sounds daft but when you get a lot of books and documents on it and want to create more 9 folders, you can’t see new additions and updates without going to the second page.
• Amazon have released a larger version (9.7″ instead of the 6″) in the USA – have a look at Amazon.com

Summary

If you want a colour device to browse the web, but a tablet device. If you want a small and very portable device to read books and documents then the Kindle is better.

I think the test is if I lost it, would I replace it? The answer is a definite yes!

With the adoption of cloud-based hosting services, it is all-too easy to assume that your service provider is backing-up your systems.     

.     

Surely my Cloud service provider backs-up my data?

Most Cloud service providers backup their systems and your data. However, there are some providers who don’t perform any backups or test their integrity – thankfully these are in the minority now. Even if a Cloud service provider performs backups, they may not be available for you to access.     

As an extreme example, suppose that Microsoft’s Hotmail service suffered a huge failure. You would expect Microsoft to recover it back to a specific point in time. However, suppose that you accidentally deleted all of your inbox – could you call Microsoft and ask them to restore it for you?     

The purpose of this illustration is to show that although providers perform backups, it is likely to be for their own use. If you need to access a backup of your data, you need to separately provision for it.     

Different types of Cloud service providers have different approaches to backups:

.     

Why might you need to access a backup of your system?

Here are some example scenarios:     

• You make a change to your system that causes an issue and you need to roll-back the change.
• A System Administrator accidentally deletes a program or data.
• Malicious code such as a virus of a Trojan infects your system and causes damage.
• A legal or regulatory investigation requires you to recover deleted data or recover your data to a historical position in time.

Some hosting providers will try and tell you that you don’t need backups because your data is replicated to another site. This isn’t a backup! It will provide continuity if the live site fails, but if you accidentally delete data, the ‘accident’ will be replicated to the other site before you can catch it.     

 .     

What options do you have?

Perform backups yourself

Backup your own Cloud data

If the Cloud service is a utility ‘clickwrap’ service which is low cost of even free, you will have little flexibility with backup options. The provider will perform backups for their own use, but you are unlikely to be able to access these.     

The easiest way is to perform regular backups yourself. Using something as basic as a secure FTP tool, will allow you to take copies from the provider to your own local storage.     

• For : For a low cost or free Cloud service, the quickest and easiest method of backing-up your data.
• For : You get peace of mind in having your data on your hardware.
• Against : Data volumes may prohibit this option for corporate use.
• Against : You need infrastructure on your site to securely store the data.
• Against : Depending on your data volumes, this option may require a large amount of Internet bandwidth.
• Against : Having chosen to host your data in a Cloud, it could be seen as an unusual step to backup your data on your own infrastructure.

.     

Backup provided by your Cloud service provider

Backup provided by your Cloud service provider

As Cloud services mature, they are starting to offer backups as part of the service. It is worthwhile looking at this option as it may offer the least hassle.     

Be careful to ensure that the service provider doesn’t host your Cloud service and backups on the same infrastructure, otherwise a fault with it could result in no service and no backup. See this article for suggested due-diligence questions.     

• For : This may be the easiest option, as all the services are from on supplier.
• Against : If the supplier charges by storage capacity, the data volumes and your chosen backup retention could make this an expensive option.
• Against : All your data is held with one provider. There is a potential risk of your provider having a problem, going out of business or deciding they don’t want to host you anymore (yes, this does happen).

.     

Backup provided by another Cloud service provider

Backup provided by another Cloud service provider

This option is well worth considering. You have probably chosen your primary Cloud service provider for their hosting capabilities. If their backup solution doesn’t match your requirements, use a Cloud services provider who specialises in backup services.     

Read this article for more information about Cloud backup services.     

• For : Your data is stored with an alternative provider. This mitigates against the risk of your primary Cloud services provider having a problem, going out of business or deciding they don’t want to host you anymore.
• Against : If the supplier charges by storage capacity, the data volumes and your chosen backup retention could make this an expensive option.

.     

What next?

It’s your data and only you and your organisation know how important your data is and the level of backup required. It’s a question of assessing the risk and putting in place suitable preventative measures.   

It is all too easy to forget about securing your data when it is hosted elsewhere. Unless backups are tested, you will never know if they are working until you urgently need to use them after an incident.   

Backups are a very important insurance – make sure you are properly covered!   

.   

Also read ….

• Cloud services and data jurisdiction
• Cloud backup services
• Cloud backup service provider due-diligence

In 2008, Sharp Copiers commissioned a security survey. They found that 60% of the respondents were unaware that copiers stored electronic images of the copied documents. People were also  not aware of, or not willing to pay for security packages offered by the major copier manufacturers. These encrypt or erase an image from the hard drive.

A recent news story is a scary reminder, after client data was found on a company’s used photocopier in a warehouse of second-hand equipment, when it was returned at the end of its lease.

Remember the saying “one man’s trash is another man’s gold” – just because you can’t access data on a faulty piece of media doesn’t mean someone else can’t.

How do you make sure that your equipment doesn’t contain any valuable company data when it leaves your premises ? Read on ….

Should I worry about this ?

In my view, the answer is “Yes!” (you probably guessed that, given I went to the trouble of writing this). If you think I am paranoid, read this news story from April 2010 …. 

A USA New York based organisation, Affinity Health Plan, had to notify 409,000 employees, providers, members and applicants that their personal information may have been breached. This was after CBS news reported that it had found a used photocopier machine in a warehouse that contained Social Security numbers, birth dates and medical info from Affinity Health Plan.  

Affinity Health Plan said that the potential breach was caused by a simple lack of knowledge about the way photocopiers store data. “Like many organizations across the country, we were not aware copy machines contained hard drives that need to be wiped” said Affinity’s senior vice president of Customer & Community Connections, Abbe Abboa-Offei. Their press release can be read here.  

Leaked or stolen data is not only bad for the individuals whose personal information has leaked, it can be expensive for your company in terms of legal fees, claims, settlements etc. Also, it doesn’t help your company to have a story published that suggests you don’t take care of an individual’s personal information.

If you aren’t convinced yet, remember that there are strict industry standards and government regulations in place that force organisations to mitigate aagainst the risk of unauthorised exposure of confidential data, such as Sarbanes-Oxley Act (SOx) and the Payment Card Industry Data Security Standards (PCI DSS). Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.

What should I do to protect my company ?

You need to take a number of steps ….

• Firstly, you need a policy covering this subject. Don’t bury it in another policy – this is important and warrants its own document. A policy is not just words in a document, it sets the company standards and allows enforcement of them.
• Secondly, you need procedures that detail how different types of equipment are made safe when being disposed of.
• Thirdly, you need to ensure that sub-contractors and suppliers are contractually bound to follow your policies and procedures.
• Lastly, you need to communicate it. This doesn’t just mean e-mailing a document or posting it onto your Intranet. You must educate your employees, sub-contractors and suppliers about why this is so important.

You need to include any equipment that either contains data or has contained data in the past. This could include the following:

• Backup tapes, floppy disks (yes, they are still used in some places)
• DVDs, CDs, BluRay discs
• USB flash memory keys
• Any other removable memory, such as flash memory from a PDA, IPod or camera
• Equipment that contains data or configuration data in its internal memory, such as network equipment.
• Mobile phones, Blackberry devices, PDAs, IPods and similar devices.
• Internal hard drives from any device including PCs, servers, printers, photocopiers, fax machines. multi-function devices (MFDs) and network equipment.
• External hard drives

Remember that if you can’t access the data on a faulty piece of media, someone else may be able to using forensic methods. Therefore, the same rules should apply to media that you deem faulty.

Also, remember not to let a supplier take a disk offsite. For example, if your leased MFD fails, don’t let the engineer take the disk from your site. Don’t let them convince you that their contract gives you protection of the data on the disk. It is your data, not theirs. Any data leakage will be linked by the media to yourself, not a subcontractor.

Oh no, not another policy

Make sure your company has a policy for the secure moving of equipment outside of your company. The policy should cover the following:

• All equipment that has the ability to store data, such as PCs, servers, printers, photocopiers, fax machines, network equipment, mobile phones and PDAs/Blackberrys.
• Secure disposal of equipment that is end-of-life and will be scrapped or recycled.
• Safely allowing equipment to be sold or given to staff, charities, schools or other organisations.
• Removal/exchange of equipment or parts of equipment for servicing – for example the hard disk in a photocopier.
• Removal/exchange of equipment when at the end of its lease - for example a MFD.
• The policy should not just cover equipment managed by the IT team, but any other relevant equipment managed by another team in the company or outsourced to a third party.

Process needed

Hard disks

• This includes all hard drives that have been used by your business – whether internal to a PC or server, externally attached or used in a printer, photocopier, fax machine or elsewhere.
• If the hard disk isn’t too old to be unusable, it is possible to use specialised software to completely remove any data from it. Be carefull, as many products claim to do this but aren’t comprehensive – it will look as if it has worked, but you won’t really know ! Have a look here for details of data erasure standards.
• Many hard disks that you need to dispose of will be faulty or just too old to be of use. In this case, they should be destroyed even though it may make reuse of the PC uneconomic – i.e., the need to purchase a replacement disk.
• To destroy a hard disk, it should formatted and then physically destroyed – normally by guillotining it into pieces. Remember that hard drives are almost 100% recycleable.
• If you outsource the disk destruction, it should be degaussed onsite before transportation. See the section later in this document about degaussing.
• Keep a log detailing the following:
  • hard disk manufacturer
  • disk capacity
  • serial number (if it has one)
  • business system name it came out of
  • details of the data it contained (for example, ‘file server RAID disk’)
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

Backup media

• This includes media such as backup tapes, data cartridges, tapes used for voice recordings and even the old-school dictation machine tapes.
• To destroy this type of media, it should formatted and then physically destroyed – normally by guillotining it into pieces.
• If you outsource the destruction, it should be degaussed onsite before transportation. See the section later in this document about degaussing.
• Make sure you remove any identifier that could link it your company, such as labels.
• Keep a log detailing the following:
  • any reference number previously assigned, such as backup tape number
  • media manufacturer
  • media capacity
  • business system it was used for
  • details of the data it contained (for example, ‘file server month-end backup June 2009′).
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

Removable disks

• This includes diskettes, DVDs, CDs and BluRay discs.
• To destroy this type of media, it should be shredded (many office shredders can now cope with disks).
• Diskettes will need breaking open to take the disk out of the casing before shredding or cutting-up.
• Keep a log detailing the following:
  • any reference number previously assigned, such as backup tape number
  • media manufacturer
  • media capacity
  • business system it was used for
  • details of the data it contained (for example, ‘client presentation’).
  • date formatted ready for destruction and by whom
  • date degaussed ready for destruction and by whom
  • date destroyed and by whom

• Blackberrys – make sure they are initialised using the Blackberry function. If the Blackberry is lost, remember that this can be performed remotely.
• Mobile phones - make sure they are initialised, either using their reset function or some can be initialised remotely – such as Windows Mobile.
• Make sure they haven’t got a memory card inside that contains data.
• Make sure you remove any identifier that could link it your company, such as an asset tag.

Memory resident data in equipment

• Use the supplier provided reset and initialise functions. For example, make sure you always initialise your network equipment before disposing or selling it. You don’t want the inner secrets of your network topology in the wrong hands.

Disposing of equipment

• Before you actually dispose of equipment (and that includes sending it back to the leasing company, selling it second-hand or giving it to staff or charity), remove all identifiers that would link it back to your company. This includes branded stickers, asset tags, device name/address and even passwords !
• Remember that if an opportunist thief sees a number of second-hand devices, he will go for the one that he recognises as having come from a company – don’t let it be yours.

Information : What is ‘degaussing’?

Data is stored in media by making very small areas (called magnetic domains) change their magnetic alignment to be in the direction of an applied magnetic field. This phenomenon occurs in the same way as a compass needle points in the direction of the Earth’s magnetic field. Degaussing leaves the domains in random patterns with no preference to orientation, which means that any previous data is destroyed and unrecoverable. There are some domains whose magnetic alignment is not randomized after degaussing – this is called magnetic remanence because it is due to remanent magnetization. Comprehensive degaussing will ensure there is insufficient magnetic remanence to recover and reconstruct the data.

Data can be deleted on magnetic media in one of two ways:

• AC erasure in which the media is degaussed by applying an alternating field (from AC power) that is reduced from an initial high value.
• DC erasure in which the media is saturated by applying a unidirectional field (such as DC powered or a permanent magnet).

A degausser is a device that can generate a magnetic field for degaussing magnetic media. The magnetic field is very strong, so be sure you do not have your watch, mobile phone, credit cards and so-on near it.

And finally ….

If you have read this far, I hope you are convinced you need to securely destroy unwanted equipment that can contain your data. It may seem a lot of work, but most of the effort is getting the policy and processes in place. When that is done, the operational part of this will slip into your business-as-usual function.

Remember ….

• Just deleting the files on a disk isn’t enough, because only the index to the files is deleted, not the actual data. It is similar to tearing the contents page from a book – the detailed pages are still there, you just need to look harder.
• Data on a hard drive can still be retrieved even after several reformats by using forensic methods. Just formatting it or reinstalling an operating system isn’t enough – the previous data can still be accessed if the perpetrator is determined.
• Store all media securely until it is destroyed. It may look like old junk, but it can have valuable information on it.

Please take this subject seriously. It is much easier and less costly to put these steps in place, than to face the repercussions if your data is discovered outside your company.