Before you can figure out how to handle your data, you must determine which devices and assets within your company contain sensitive data. Broadly, this should include any device with storage media. Consider desktop computers, laptop computers, servers, external hard drives, cell phones, tablets, USB flash drives, and memory cards, CDs, DVDs, Tapes, Disks, etc. Even some networking equipment, copiers, and printers can store information about your company.
Make certain that when a user is switching out and upgrading devices, the old and decommissioned devices are turned over and tracked for data destruction. This is a vital step so any slipped devices don’t make you vulnerable to the violation of security compliance and data breaches.
The sensitivity of the data stored on your devices will determine how they are disposed of. In order to maximize the return on investment, most companies want to reuse or resell their decommissioned devices. This requires that hard drives are sanitized. However, if your information is so sensitive that it must never be leaked or accessed by any person ever again, the devices may need to be physically destroyed. By determining the sensitivity of your data, you can move along with creating a secure in-house procedure.
It is important to keep records of all the devices in service. Unique identifiers should be applied to each device so you can track the assets during their life and decommissioning process. Small devices can easily be misplaced or removed. This process helps ensure that none of them are overlooked. This organization is beneficial when determining which upgrades are needed and what kind of return might be possible from decommissioned items.
The number of people who touch a device throughout its lifecycle drastically impacts the risk of loss, theft, and data leaks. Consider if your employees have been screened. Consider who has access to highly sensitive data and devices. Try at all costs to limit access whenever practical. Store your devices in secure areas that are lockable and are actively monitored. Design check-in and check-out procedures to track device movement. Once an asset is removed from service what happens to it? Sticking it in the hall closet may not be the best policy – especially with sensitive data still on it. Establishing a secure chain of custody of your assets is the most important in-house step to take.
Most companies are not equipped to effectively handle the wiping and destruction of sensitive data. Therefore, you may need to find a service provider to do this for you. Make sure you spend time vetting them. You want to find a company that can provide assurance through documentation of their destruction process. Companies that partner with NAID, follow NIST guidelines and Validate results can offer extra peace of mind.
Create a detailed record of the data destruction process and validated the success of the wipe on your devices. It is important to have this documented trial in order to demonstrate compliance with regulations like HIPPA and PCI should you ever be audited. This systematic and documented approach also helps you to verify that all your assets have made it through the data destruction process. If you hire a company to provide your data destruction services, they should be able to provide you with documentation.
It was a success; the process helped you create secure in-house processes for data destruction. Now, what do you do with sanitized devices if you did have to physically destroy them? Most assets still have use and recoverable value. Contact e360 Technologies, a Clarabyte partner, to help you resell your devices for maximum value.