Whether you are relocating, refreshing your IT estate or heading to the cloud – you will undoubtedly generate redundant IT hardware and as a result will need to ensure that you erase any residing data on that equipment. When choosing to trust a new partner to manage your IT asset disposal and confidential data, you can often face a dilemma. How do you know you’re making the right choice? What criteria, industry guidance or performance measures do you work from, to ensure your decision is solid?
Disposing of devices properly
You should ensure when choosing an ITAD (IT Asset Disposal) partner that they provide you with comprehensive audit trails, to ensure you know where your hardware is at all times and its final destination, i.e., whether equipment is resold, reused or recycled. Regardless of the route your hardware takes, you must consider your options for ensuring that you securely erase any data you store on hardware.
There are three main methods that you can consider and in some cases, a combination of these methods may be necessary to achieve the result you require. This is dependent on your own internal policies as well as the type of media you have to dispose of.
Options for secure data removal include:
Data wiping/overwriting – This is the most popular method of data erasure, as it allows for the resale/reuse of devices whilst ensuring the safe removal of all data. There are many software data erasure solutions on the market that allow for complete data removal and a report to prove that it has been erased properly. You should look to ensure that any process for wiping or overwriting data complies with NCSC (previously CESG) standards. You should also ensure you ask your provider what will happen to any drives that cannot be wiped using software – will these be physically destroyed? What about solid state or hybrid drives – how does your chosen provider handle these technologies?
Degaussing – using a device that produces a strong electromagnetic field to destroy all magnetically recorded data, leaving the domains on hard drives in random patterns with no preference to orientation, thereby rendering previous data unrecoverable. When choosing a Degausser you should also ensure that it has been approved by NCSC, as this ensures it is has been independently tested and verified.
Shredding – Unlike the demagnetisation of magnetic devices, shredders for hard drives, SSDs, mini-tablets, and mobile devices guarantee the physical destruction of the devices. There is a range of shredders available dependent on your organisation’s need; each offers the secure protection of your business’s critical information.
Implications of improper sanitisation
The business implications of a data breach are very significant. Not only would it damage your company’s reputation if customer information is released via a breach, but if your company’s Intellectual Property is accessed, stolen or shared with the public, your company may lose its competitive edge.
From a legal perspective, if media containing confidential customer or employee information is accessed, the company could also breach General Data Protection Regulation (GDPR), leading to a substantial fine from the ICO – up to €20 million or 4% of global revenue.
The value of data is making every business, and individual, a potential target of cybercrime. Organisations therefore need to take every possible step to minimise their risk of compromise and understand the legislative requirements. For example, an organisation that handles personal information about individuals has obligations to protect that information under the GDPR and public authorities have a legal obligation to make official information available under the Freedom of Information Act. Under the GDPR legislation, organisations must also seek permission from individuals to collect information, inform them how that information will be used and ensure it is erased securely after a set timeframe.
A data erasure specialist at Ontrack advises:
“Organisations should take the same level of care with disposing of data and devices as they do an active IT environment. It is imperative to understand the entire lifecycle of your data and IT assets, ensuring that any gaps in the process are addressed. Organisations should regularly revisit their data transfer, retention and erasure methods ensuring that they have an accurate file catalogue. Organisations should also ensure that third party providers confirm that they remain compliant.”
Audit trails and accreditations
When you look to secure a provider to deal with data you should ensure they can provide you with a full audit trail so you can be assured you know where your equipment (and data) is at all times. What proof of data erasure or destruction will they provide? It’s worth finding out if they utilise NCSC approved software for data erasure and if you have requested physical destruction via shredding, will they issue you with certificates of destruction?
Ensuring your provider has a proven track record within the industry is also vital. Find out what accreditations they hold and what standards and regulation do they adhere to. As a rule, any ITAD partner you choose should be compliant with the EU Regulation on Waste for Electrical and Electronic Equipment (WEEE) and should hold a waste carriers licence. They may also be an Approved Authorised Treatment Facility (AATF).
Key questions surrounding their environmental policy and downstream processes should be considered. For example, do they adhere to any environmental standards – i.e., ISO 14001? What percentage of equipment they collect is re-used, re-sold or refined and what is their landfill policy?
Another ISO standard that serves as a solid indicator of a reputable provider is ISO 27001, which demonstrates, amongst other areas, that they have systems in place for the secure disposal of redundant IT equipment and secure destruction of all confidential data.
Adhering to specific industry standards such as being a member of ADISA is also important. ADISA (The Asset Disposal and Information Security Alliance) is an organisation that recommends standards for safely disposing of IT equipment, while minimising the risk of exposure and misuse of any sensitive data stored on that equipment. The ADISA audit process is multi-layered and includes full audits, unannounced operational audits and forensic audits. This ensures that ADISA certified companies are constantly checked against this industry specific standard.
Know where your data is, and who has it
What guarantees does your chosen provider give when equipment containing data is in transit? If they utilise any third party suppliers in their supply chain, what assurances do you have regarding a solid chain of custody route for your equipment? For example, you should ensure that any vehicle used in the process has GPS tracking enabled.
You should also be asking questions about their staff, particularly if they utilise any third party or temporary staff members. Find out if their employees have been vetted with the relevant background and security checks, taking note of how recently these checks were completed.
By asking these questions, you should be best placed to choose an ITAD that can provide the highest level of security and compliance. If your data ends up in the wrong hands it could spell disaster for your organisation, therefore make sure any provider you choose has been thoroughly assessed beforehand.
This was a guest article by Laura Cooper at EOL IT Services.
How do you dispose of your IT assets? How do you guarantee that your data is completely destroyed? Let us know by tweeting @OntrackUKIE