Angie Singer Keating, CISA, CISM, CIPP, CRISC
For years, some people have had the notion that destruction service providers are little more than glorified trash collectors. I find this notion incredibly insulting, not to mention dangerous. A NAID AAA Certified service provider, be it in paper or digital destruction, provides a client peace of mind that people, processes, and technology are implemented in such a way as to virtually eliminate all human error by the destruction service provider. Organizations believing that their internal processes for destruction of data are superior to outsourcing would do well to study the certification and audit criteria for NAID AAA certification. I put forth the arguable opinion that most would fall woefully short in comparison.
Unfortunately, my work with IT professionals at the highest level tells me that this area is still not getting the executive oversight that it requires. And unfortunately, the secure destruction industry has attracted some unsavory characters eager to make a quick buck. This combination means that many organizations are far more exposed than they realize. While many of us are now aware of the serious problem of discarded electronics being dumped in developing countries, few are aware that this material still has huge demand and is easily sold to domestic brokers who then sell the material to others who dump the material. Your computer recycler may tell you that they only sell or dispose of equipment domestically, but if they can’t prove it with total downstream transparency of every transfer of custody, a ticking time bomb of bad PR might be exploding in the near future when your company’s material turns up in ocean containers bound for China with your company’s asset tags prominently displayed. Any service provider reluctant to give you the name and contact information of their downstream processors should immediately generate a red flag.
Speaking of chain of custody; think your computer recycler has a huge national footprint from which to service your account? You might want to think again. A little Googling of all those facilities would lead you right to the fact that many of the locations are actually subcontracted warehouses. In these warehouses, your material is consolidated and subsequently transported via various trucks to the final destination point hundreds, if not thousands, of miles away. Demand a site visit to the exact location where your material will be first transported from your dock. If it’s not a full-service secure destruction facility, find another service provider. Despite extensive security on the transportation of new electronics, they are the second most stolen freight in the transportation and logistics industries. Is it really reasonable then to expect that every laptop or Smartphone shipped for destruction makes it to the final destination if there is not one single, unbroken chain of custody? While there are very secure logistics methods available, I have found few organizations willing to pay the freight for that type of service on old equipment. And if your service provider uses subcontracted warehouses or transportation companies, that’s fine as long as you are aware, have given consent, and understand that all liability for loss in transit rests solely on you as the shipper of the material.
Finally, review the quality control processes of your secure destruction services vendor. It’s obvious to tell when paper or hard drives are destroyed. How does your service provider perform quality control for sanitized drives or degaussed drives? Degaussing is the application of extremely high magnetic fields to hard drives to render them unrecoverable and physically destroyed. Degaussing should only be done by NSA-approved degaussers, specifically approved for hard drives. Sanitization should include, at a minimum, a 10% sampling of all sanitized drives by a software tool different from the sanitization tool.
These are just 3 areas of high risk in the IT asset management lifecycle. If you are interested in a vendor-neutral checklist of all things to look at when considering a vendor, contact me and I’ll be happy to send one to you. It’s also a great tool to assess any in-house programs you may have in place or are considering. Read Dr. Garfinkel’s work and you will find that sanitization is a highly effective method of destruction. When performed properly, sanitization eliminates the possibility of recovery of meaningful data by any commercially available method. Please spare me any commentary about the effectiveness of sanitization as a tool for effective destruction of data. That verdict was rendered in the last decade and there is no point debating it again. Yes, solid state drives are a game changer, but that’s for a whole other blog post!
It’s certainly true that secure destruction is not rocket science. But one thing it requires is respect. That which we don’t respect is bound to be neglected. Does your organization respect the secure destruction process? Do you have a secure destruction vendor, which is NAID AAA certified and worthy of your respect? If nothing else, the recent mistakes in New Jersey are a wakeup call that it’s time to revisit the simple, yet highly important process in our information security program.
To learn more about data security and vendor due diligence, visit the Data Security Experts at www.reclamere.com.