Data destruction: proper disposal and privacy protection
For organizations with aging or redundant IT equipment - like governments - the risk of a security breach is never higher than during disposal. One 60-gigabyte hard drive is equivalent to approximately 17 million pages of written information, easily searchable by a criminal mining for specific data.
With significant amounts of that data containing privacy-related information, the risks are extremely real.
Data storage devices such as computer hard drives, memory sticks, PDAs and BlackBerrys at their end-of-life-cycle should be handled very differently from CPUs, monitors, keyboards and desks - their security requirements are far greater. This may appear self-evident, but in practice it is difficult to find a government request-for-tender that segregates the special handling requirements of such devices.
The RCMP warned all federal departments in October 2007 that standard disk-erasing software (DSX) previously sanctioned by the Force was no longer reliable and should be used "at your own risk" as it could eventually fail to function properly on newer, larger drives. The RCMP's technical security branch found that DSX left traces of sensitive data, a sticky problem known as "data remanence."
If you consider the risks incurred by a data breach and the relatively low replacement cost of these devices, it is hard not to conclude that their segregation and total destruction by shredding or other means is the only viable option.
As managers contemplate the selection of commercial destruction services, they would be wise to consider the following minimum criteria:
- the security level certification of the facility and its personnel;
- certification in the National Association for Information Destruction;
- controlled goods certification for the handling of controlled items (if applicable);
- environmental protection procedures in the disposal of e-waste;
- company adherence to the Security Evaluation Guidelines in their destruction process;
- security during transport to the destruction facility;
- chain of custody documentation;
- insurance coverage (if the unthinkable happens); and
- certificate of destruction issued complete with serial numbers of the units destroyed.
Changing landscape
There can be no mistaking the backdrop for this issue - privacy. It's a delicate and essential element of Canadian life, and it needs to be protected. Recent technological advancements are making the application of our privacy laws more difficult, increasing the risk of data security breaches and identity theft.