There was a time when equipment disposition was easy. One would procure bids; the buyers would write a check and the old gear would disappear. Then we were bombarded with everything from environmental issues, which eliminated the “landfill” solution, to federal privacy regulations that made a data breach worth millions in fines and remediation costs. With a now-heightened awareness of all those compliance issues, well-defined electronic media destruction practices have become an important, if not strategic, part of managing one’s infrastructure.
Certifiably destroying all data on servers and storage devices is a difficult and failure-prone process, and data centers sometimes rely on procedures that simply do not work. Formatting drives destroys the file system but leaves data easily recoverable. Degaussing with a magnetic field often fails to completely destroy data. And physical destruction by hammering, drilling or other violent behavior may disable the drive mechanism but does little to actually destroy the data residing on hard drive platters.
What does work if the hard drive is fully functional?
1) Overwriting every sector of the drive with a pattern of obliterating data. The current DOD standard is a 3-pass wipe. However, forensic experts now claim that it takes a minimum of 7 passes to effectively obliterate the data. This takes a good deal of time and power.
2) Verifying the success of that process, then
3) Producing an audit trail that proves the successful sanitization of each hard drive by serial number. A limited number of “data scrubbing” utilities exist that are compatible with all the common drive types in a typical data center environment.
When it is determined that a drive has too many bad sectors or is inoperative (not spinning), that drive must be physically destroyed, and the best method for accomplishing that is shredding.
What a proper shredding process includes:
1) Bar code scanning serial numbers on all media to be destroyed.
2) Shredding the drives with an IP camera situated above the shredding machine to keep a visual record of the customer’s project.
3) Producing a Certificate of Destruction accompanied by a detailed list of all drives destroyed by serial number.
4) Utilizing a downstream partner who is an EPA-sanctioned and state-licensed recycler who will shepherd the resulting “pulp” through the material recovery process and certify that all material has been handled in a “green” manner. Electronic scrap is regulated in most developed countries as hazardous waste, and it must be responsibly managed.
The final step is to archive the verification and audit data; in the event of a suspected breach, the real value of a good process is its ability to prove the outcome of that process when it matters. In the shredding process, it is advisable to request a visual/video copy of the destruction process to accompany the paper trail created with the Certificate of Destruction. For companies that lease their equipment: the lessor is responsible for proper disposal under environmental regulations, but the lessee remains responsible under privacy laws for data destruction.
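The audit trail described above is only useful if it can be reconciled against the asset inventory. The following Python example is added here as an illustration and is not from the original article: it matches an inventory against wipe-verification records and the serial list from a Certificate of Destruction, so every drive ends with either proof or an open exception. The record fields, status names, sample serials and the configurable 3-pass threshold are assumptions.

```python
from collections import namedtuple

# Constructed sample data; field names and status labels are assumptions.
Wipe = namedtuple("Wipe", "serial passes verified")
MIN_PASSES = 3  # assumption: set to whatever pass count your policy requires

INVENTORY = ["WD-1001", "WD-1002", "ST-2001", "ST-2002", "HG-3001"]
WIPE_LOG = [
    Wipe("WD-1001", 3, True),
    Wipe("wd-1002 ", 3, False),  # verification failed on first attempt
    Wipe("WD-1002", 3, True),    # same drive re-wiped and verified later
    Wipe("ST-2001", 1, True),    # too few passes for policy
    Wipe("ZZ-9999", 3, True),    # serial not in the asset inventory
]
SHRED_CERT = ["ST-2002"]         # serials listed on the Certificate of Destruction

def norm(serial):
    """Normalize scanner/typing differences so serials compare reliably."""
    return serial.strip().upper()

def reconcile(inventory, wipe_log, shred_cert, min_passes=MIN_PASSES):
    """Map every serial seen anywhere to exactly one disposition status."""
    shredded = {norm(s) for s in shred_cert}
    attempted, passed = set(), set()
    for rec in wipe_log:
        s = norm(rec.serial)
        attempted.add(s)
        if rec.verified and rec.passes >= min_passes:
            passed.add(s)
    known = {norm(s) for s in inventory}
    report = {}
    for s in known:
        if s in shredded:
            report[s] = "DESTROYED"
        elif s in passed:
            report[s] = "SANITIZED"
        elif s in attempted:
            report[s] = "WIPE_FAILED"    # re-wipe or route to shredding
        else:
            report[s] = "NO_EVIDENCE"    # nothing proves this drive was handled
    for s in (attempted | shredded) - known:
        report[s] = "UNKNOWN_ASSET"      # processed but never inventoried
    return report

def open_items(report):
    """Serials that still lack proof of sanitization or destruction."""
    done = ("DESTROYED", "SANITIZED")
    return sorted(s for s, status in report.items() if status not in done)
```

Calling `open_items(reconcile(INVENTORY, WIPE_LOG, SHRED_CERT))` lists the drives that cannot yet be archived as closed.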
The data generated by a good media destruction practice, properly used, is at least half the value of the program. The detailed reporting from the media destruction as well as the recycling process is absolutely essential in addressing the compliance risk. Corporate finance must update fixed asset records to comply with Sarbanes-Oxley and to ensure that property tax assessments are ended, as well as to address Gramm-Leach and HIPAA issues.
If there is an opportunity to remarket any of the retired equipment, it should be considered at the end of the process and should not be the primary focus. In most cases, the value of the information on that equipment far exceeds the residual value of the gear itself.
In summary, the management of a data and storage media destruction process can be challenging and is always expensive. Outsourcing the entire retirement process to a specialist service provider can significantly reduce both costs and risks, and it provides companies a means of transferring some of the associated liabilities to the vendor. When selecting an outsource vendor, companies should evaluate the service provider’s financial strength and insurance coverage, years of operation, technical capabilities, security measures and asset tracking. Because failure of critical procedures such as data destruction can be catastrophically expensive, reviewing the vendor’s operational procedures in detail and evaluating their quality controls is essential.