
Where And How Do You Dispose Of Your Computers, CDs, USB Drives, Etc.?

In the past few years I've performed over 100 information security and privacy program reviews for the vendors and business partners of my clients, and I have often found these contracted organizations have lax to non-existent to outrageously irresponsible computer and electronic storage device disposal practices. One of the "information security" policies for one of the vendors actually directed their personnel to try to sell their old computers and storage devices on eBay or other online sites in order to recoup some of the costs...this was in their "Information Disposal Security Policy"! It had absolutely no mention of removing the data before trying to sell the devices; the main intent was to recoup as much of the investment as possible.

With this in mind, here's another section from the third article in my June issue of "IT Compliance in Realtime"...

-----------------------------------------

Disposal of Electronic Storage Devices

Many organizations still do not have any procedures in place to dispose of electronic storage devices. During a recent informal survey, I found this to be especially true with small and medium-sized businesses. Considering this, it is no surprise that privacy breaches resulting from information found on the wide range of storage devices, such as USB thumb drives, DVDs, CDs, tapes, and so on, continue to be commonly reported.

In 2006, it was widely reported that Simson Garfinkel, a postdoctoral fellow at Harvard University's Center for Research on Computation and Society, bought more than 1000 hard drives on eBay, looked at the data on them, and found a large amount of PII and sensitive information, such as data from an automated teller machine (ATM), 31,000 credit card numbers from a medical center, a supermarket credit card processor, travel plans, credit card numbers and ticket numbers from a travel agency, consumer credit applications, work histories, and Social Security numbers, just to name a few.

Electronic information can be destroyed in many ways, some more reliable than others. Some of these destruction methods include:

  • Overwriting (also known as wiping)
  • Low-level formatting
  • Physical destruction
  • Degaussing

Sometimes physical destruction of small storage devices is the most efficient, effective, and inexpensive way to irreversibly remove data. However, if you do not want to get out the sledgehammer, want to ensure the data on the storage media is irreversibly removed, and do not plan to re-use the storage media, then degaussing is often considered the best option, provided it is possible for the storage media you use.
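The first method in the list above, overwriting, is only as good as the verification that follows it: the Garfinkel finding was of drives whose previous owners believed the data was gone. The script below is an added example (not from the article or from Realtime Publishers) showing both halves of that process in Python: an in-place multi-pass overwrite of a file-backed "image", and a verification scan that reads the medium back chunk by chunk and counts residual card-like (Luhn-checked) and SSN-like patterns plus any non-zero bytes. The image, the record it contains and the card/SSN values are all constructed test data. The overwrite reaches the logical blocks of a file only; on flash media with wear-levelling, or on a drive with remapped sectors, an in-place overwrite does not reliably reach every physical cell, which is exactly why the article steers non-reusable media toward degaussing or physical destruction.

```python
import os
import re
import tempfile

# Constructed sample record: the card number is the standard Luhn-valid
# test value and the SSN is a placeholder; neither belongs to anyone.
SAMPLE_RECORD = b"customer=J. Doe card=4111111111111111 ssn=123-45-6789\n"

CARD_RE = re.compile(rb"\b\d{13,16}\b")
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
OVERLAP = 32  # bytes of the previous chunk kept so patterns straddling a chunk edge are seen


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over an ASCII digit string (bytes iterate as ints)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_residual_pii(path: str, chunk_size: int = 1 << 16) -> dict:
    """Read an image or device path back and count what a buyer on eBay could still find."""
    hits = {"cards": 0, "ssns": 0, "nonzero_bytes": 0}
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            hits["nonzero_bytes"] += len(chunk) - chunk.count(0)
            buf = tail + chunk
            # Only count matches that extend past the carried-over tail, so a
            # match already counted in the previous chunk is not counted twice.
            for m in CARD_RE.finditer(buf):
                if m.end() > len(tail) and luhn_ok(m.group()):
                    hits["cards"] += 1
            for m in SSN_RE.finditer(buf):
                if m.end() > len(tail):
                    hits["ssns"] += 1
            tail = buf[-OVERLAP:]
    return hits


def overwrite_file(path: str, passes=(None, b"\xff", b"\x00")) -> None:
    """Overwrite every logical byte of the file once per pass; None means a random pass.

    The final pass is zeros so that a verification scan can simply demand no
    non-zero bytes. Each pass is flushed and fsync'd before the next begins.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, 1 << 16)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def demo() -> tuple:
    """Build a constructed image, scan it, wipe it, scan again; return (before, after)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_RECORD * 200)
        path = tmp.name
    try:
        before = find_residual_pii(path)
        overwrite_file(path)
        after = find_residual_pii(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before wipe:", before)
    print("after wipe: ", after)
```

Run against a real disposal candidate, the verification half would be pointed at the block device or a forensic image of it rather than a temp file, and a non-zero result means the media goes back for another pass or to the degausser. The pattern scan is deliberately noisy (any Luhn-valid 13 to 16 digit run counts); for a disposal check, a false positive costs a re-wipe, while a false negative costs a breach.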

I recently created a degaussing FAQ; see it at http://www.privacyguidance.com/files/informationdisposaldegausserFAQ.pdf.

Effectively and creatively communicate, on an ongoing basis, what the disposal policies, procedures, and corporate-approved tools are for the disposal of electronic storage devices.


-----------------------------------------


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.