In 2008, Sharp Copiers commissioned a security survey. They found that 60% of the respondents were unaware that copiers stored electronic images of the copied documents. People were also not aware of, or not willing to pay for, security packages offered by the major copier manufacturers. These encrypt or erase an image from the hard drive.
A recent news story is a scary reminder: client data was found on a company’s used photocopier in a warehouse of second-hand equipment, after it was returned at the end of its lease.
Remember the saying “one man’s trash is another man’s gold” – just because you can’t access data on a faulty piece of media doesn’t mean someone else can’t.
How do you make sure that your equipment doesn’t contain any valuable company data when it leaves your premises? Read on…
Should I worry about this?
In my view, the answer is “Yes!” (you probably guessed that, given I went to the trouble of writing this). If you think I am paranoid, read this news story from April 2010…
A New York-based organisation in the USA, Affinity Health Plan, had to notify 409,000 employees, providers, members and applicants that their personal information may have been breached. This was after CBS News reported that it had found a used photocopier in a warehouse that contained Social Security numbers, birth dates and medical info from Affinity Health Plan.
Affinity Health Plan said that the potential breach was caused by a simple lack of knowledge about the way photocopiers store data. “Like many organizations across the country, we were not aware copy machines contained hard drives that need to be wiped” said Affinity’s senior vice president of Customer & Community Connections, Abbe Abboa-Offei. Their press release can be read here.
Leaked or stolen data is not only bad for the individuals whose personal information has leaked, it can be expensive for your company in terms of legal fees, claims, settlements etc. Also, it doesn’t help your company to have a story published that suggests you don’t take care of an individual’s personal information.
If you aren’t convinced yet, remember that there are strict industry standards and government regulations in place that force organisations to mitigate against the risk of unauthorised exposure of confidential data, such as the Sarbanes-Oxley Act (SOx) and the Payment Card Industry Data Security Standards (PCI DSS). Failure to comply can result in fines and damage to company reputation, as well as civil and criminal liability.
What should I do to protect my company?
You need to take a number of steps:
- Firstly, you need a policy covering this subject. Don’t bury it in another policy – this is important and warrants its own document. A policy is not just words in a document, it sets the company standards and allows enforcement of them.
- Secondly, you need procedures that detail how different types of equipment are made safe when being disposed of.
- Thirdly, you need to ensure that sub-contractors and suppliers are contractually bound to follow your policies and procedures.
- Lastly, you need to communicate it. This doesn’t just mean e-mailing a document or posting it onto your Intranet. You must educate your employees, sub-contractors and suppliers about why this is so important.
You need to include any equipment that either contains data or has contained data in the past. This could include the following:
- Backup tapes, floppy disks (yes, they are still used in some places)
- DVDs, CDs, BluRay discs
- USB flash memory keys
- Any other removable memory, such as flash memory from a PDA, iPod or camera
- Equipment that contains data or configuration data in its internal memory, such as network equipment
- Mobile phones, Blackberry devices, PDAs, iPods and similar devices
- Internal hard drives from any device including PCs, servers, printers, photocopiers, fax machines, multi-function devices (MFDs) and network equipment
- External hard drives
Remember that if you can’t access the data on a faulty piece of media, someone else may be able to, using forensic methods. Therefore, the same rules should apply to media that you deem faulty.
Also, remember not to let a supplier take a disk offsite. For example, if your leased MFD fails, don’t let the engineer take the disk from your site. Don’t let them convince you that their contract gives you protection of the data on the disk. It is your data, not theirs. Any data leakage will be linked by the media to you, not to a subcontractor.
Oh no, not another policy
Make sure your company has a policy for the secure moving of equipment outside of your company. The policy should cover the following:
- All equipment that has the ability to store data, such as PCs, servers, printers, photocopiers, fax machines, network equipment, mobile phones and PDAs/Blackberrys.
- Secure disposal of equipment that is end-of-life and will be scrapped or recycled.
- Safely allowing equipment to be sold or given to staff, charities, schools or other organisations.
- Removal/exchange of equipment or parts of equipment for servicing – for example the hard disk in a photocopier.
- Removal/exchange of equipment when at the end of its lease – for example an MFD.
- The policy should not just cover equipment managed by the IT team, but any other relevant equipment managed by another team in the company or outsourced to a third party.
Process needed
Hard disks
- This includes all hard drives that have been used by your business – whether internal to a PC or server, externally attached or used in a printer, photocopier, fax machine or elsewhere.
- If the hard disk is not too old to be usable, it is possible to use specialised software to completely remove any data from it. Be careful, as many products claim to do this but aren’t comprehensive – it will look as if it has worked, but you won’t really know! Have a look here for details of data erasure standards.
- Many hard disks that you need to dispose of will be faulty or just too old to be of use. In this case, they should be destroyed even though it may make reuse of the PC uneconomic – i.e., the need to purchase a replacement disk.
- To destroy a hard disk, it should be formatted and then physically destroyed – normally by guillotining it into pieces. Remember that hard drives are almost 100% recyclable.
- If you outsource the disk destruction, it should be degaussed onsite before transportation. See the section later in this document about degaussing.
- Keep a log detailing the following:
  - hard disk manufacturer
  - disk capacity
  - serial number (if it has one)
  - business system name it came out of
  - details of the data it contained (for example, ‘file server RAID disk’)
  - date formatted ready for destruction and by whom
  - date degaussed ready for destruction and by whom
  - date destroyed and by whom
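One way to audit the hard disk log described above, as an added example that is not part of the original article: this Python script checks that every completed step names who did it, that the step dates are in order, and that disks sent out for destruction were degaussed onsite first. The CSV column names, the `outsourced` flag and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample log; the column names are assumptions based on the fields listed above.
SAMPLE_LOG = """serial,manufacturer,capacity_gb,system,data,formatted,formatted_by,degaussed,degaussed_by,destroyed,destroyed_by,outsourced
S1,ExampleCo,500,FS01,file server RAID disk,2010-05-01,alice,2010-05-02,bob,2010-05-03,vendor,yes
S2,ExampleCo,250,PC17,user desktop,2010-05-01,alice,,,2010-05-04,vendor,yes
S3,ExampleCo,80,MFD02,copier image store,2010-05-06,alice,,,2010-05-05,carol,no
S4,ExampleCo,160,PC22,user desktop,2010-05-07,,,,,,no
"""

STEPS = ("formatted", "degaussed", "destroyed")  # expected order of the dated steps

def audit_row(row):
    """Return a list of findings for one disk record (empty list means clean)."""
    findings = []
    dates = {}
    for step in STEPS:
        raw = row[step].strip()
        if raw:
            dates[step] = date.fromisoformat(raw)
            if not row[step + "_by"].strip():
                findings.append(f"{step}: no operator recorded")
    if "formatted" not in dates:
        findings.append("not formatted")
    if "destroyed" not in dates:
        findings.append("not yet destroyed: keep in secure storage")
    # Outsourced destruction requires an onsite degauss before transport.
    if row["outsourced"].strip().lower() == "yes" and "degaussed" not in dates:
        findings.append("outsourced destruction without onsite degauss")
    done = [dates[s] for s in STEPS if s in dates]
    if done != sorted(done):
        findings.append("step dates out of order")
    return findings

def audit_log(text):
    """Map serial number -> findings for every record that has at least one."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_row(row)
        if findings:
            report[row["serial"]] = findings
    return report

if __name__ == "__main__":
    for serial, findings in audit_log(SAMPLE_LOG).items():
        print(serial, "->", "; ".join(findings))
```
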
Backup media
- This includes media such as backup tapes, data cartridges, tapes used for voice recordings and even the old-school dictation machine tapes.
- To destroy this type of media, it should be formatted and then physically destroyed – normally by guillotining it into pieces.
- If you outsource the destruction, it should be degaussed onsite before transportation. See the section later in this document about degaussing.
- Make sure you remove any identifier that could link it to your company, such as labels.
- Keep a log detailing the following:
  - any reference number previously assigned, such as backup tape number
  - media manufacturer
  - media capacity
  - business system it was used for
  - details of the data it contained (for example, ‘file server month-end backup June 2009’)
  - date formatted ready for destruction and by whom
  - date degaussed ready for destruction and by whom
  - date destroyed and by whom
Removable disks
- This includes diskettes, DVDs, CDs and BluRay discs.
- To destroy this type of media, it should be shredded (many office shredders can now cope with disks).
- Diskettes will need breaking open to take the disk out of the casing before shredding or cutting-up.
- Keep a log detailing the following:
  - any reference number previously assigned, such as backup tape number
  - media manufacturer
  - media capacity
  - business system it was used for
  - details of the data it contained (for example, ‘client presentation’)
  - date formatted ready for destruction and by whom
  - date degaussed ready for destruction and by whom
  - date destroyed and by whom
Mobile phones, Blackberrys and PDAs
- Blackberrys – make sure they are initialised using the Blackberry function. If the Blackberry is lost, remember that this can be performed remotely.
- Mobile phones – make sure they are initialised, either using their reset function or remotely where the platform supports it, such as Windows Mobile.
- Make sure they haven’t got a memory card inside that contains data.
- Make sure you remove any identifier that could link it to your company, such as an asset tag.
Memory resident data in equipment
- Use the supplier-provided reset and initialise functions. For example, make sure you always initialise your network equipment before disposing of or selling it. You don’t want the inner secrets of your network topology in the wrong hands.
Disposing of equipment
- Before you actually dispose of equipment (and that includes sending it back to the leasing company, selling it second-hand or giving it to staff or charity), remove all identifiers that would link it back to your company. This includes branded stickers, asset tags, device name/address and even passwords!
- Remember that if an opportunist thief sees a number of second-hand devices, he will go for the one that he recognises as having come from a company – don’t let it be yours.
Information: What is ‘degaussing’?
Data is stored in media by making very small areas (called magnetic domains) change their magnetic alignment to be in the direction of an applied magnetic field. This phenomenon occurs in the same way as a compass needle points in the direction of the Earth’s magnetic field. Degaussing leaves the domains in random patterns with no preference to orientation, which means that any previous data is destroyed and unrecoverable. There are some domains whose magnetic alignment is not randomized after degaussing – this is called magnetic remanence because it is due to remanent magnetization. Comprehensive degaussing will ensure there is insufficient magnetic remanence to recover and reconstruct the data.
Data can be deleted on magnetic media in one of two ways:
- AC erasure in which the media is degaussed by applying an alternating field (from AC power) that is reduced from an initial high value.
- DC erasure in which the media is saturated by applying a unidirectional field (such as DC powered or a permanent magnet).
A degausser is a device that can generate a magnetic field for degaussing magnetic media. The magnetic field is very strong, so be sure you do not have your watch, mobile phone, credit cards and so on near it.
And finally ….
If you have read this far, I hope you are convinced you need to securely destroy unwanted equipment that can contain your data. It may seem a lot of work, but most of the effort is getting the policy and processes in place. When that is done, the operational part of this will slip into your business-as-usual function.
Remember ….
- Just deleting the files on a disk isn’t enough, because only the index to the files is deleted, not the actual data. It is similar to tearing the contents page from a book – the detailed pages are still there, you just need to look harder.
- Data on a hard drive can still be retrieved even after several reformats by using forensic methods. Just formatting it or reinstalling an operating system isn’t enough – the previous data can still be accessed if the perpetrator is determined.
- Store all media securely until it is destroyed. It may look like old junk, but it can have valuable information on it.
Please take this subject seriously. It is much easier and less costly to put these steps in place than to face the repercussions if your data is discovered outside your company.
© Copyright Tim Bullock 2010




