By: George Spafford
August 31, 2006
We put a great deal of effort into buying new devices for users, upgrading their systems, making them mobile, etc. The future of organizations lies in our ability to increase productivity, innovation, agility and so on. As a result, we buy laptops, ultraportables, PDAs, cell phones that offer a wide array of functionality, personal storage devices and so on. We are in such a rush to expand that many groups have not put sufficient thought into their policies for managing the risks associated with decommissioning devices.
Essentially, what we are worried about is data leakage. In other words, the concern is over the uncontrolled transfer of a firm’s data to unauthorized individuals. Notebooks and PCs have data. USB drives have data. Even cell phones have contact lists, and newer phones hold far more than that, including text messages, emails, and files.
Groups need to investigate how to securely remove data from these systems before they move beyond their control. As Oliver North found out in the Iran-Contra affair years ago, using an operating system’s delete command to remove files typically doesn’t destroy the data. In some cases, the file is flagged for deletion yet remains in a waste bin or system folder, or at least the data remains until the formerly allocated space is re-used.
While we fret over external leakage, even the uncontrolled movement of data within a firm can be detrimental. Imagine a person getting access to sensitive data because they received a thumb drive that used to belong to a VP, or wage data from a PC that HR used to use. Many groups recognize this and re-image drives or do a secure wipe before re-using equipment.
With that said, it’s the devices that are going to be thrown out, sold, or donated that often don’t have effective controls – especially over the mobile devices, such as PDAs and cell phones. Organizations need to review their risks and determine what policies and procedures are needed to safeguard company information. Part of this must include deciding what is “good enough”. In other words, management teams need to identify reasonable controls that reduce the risks to an acceptable level as the risks are virtually impossible to totally eliminate.
For devices in the data center, policies of securely wiping drives, non-volatile RAM, backup media and so on can be readily developed and enforced. In cases where a device has failed and the data isn’t accessible to wipe, the storage unit should be physically destroyed in such a way that the data is unrecoverable should it be removed and placed in an operative device. This includes methods such as shredding, puncturing, melting, degaussing and so on.
For mobile devices where the risks merit higher security levels, users need to return the units to a depot, centralized or decentralized, which is tasked with properly decommissioning the device. This serves two purposes – to account for devices as well as to take reasonable safeguards to prevent the loss of data.
One challenge is that there also need to be policies about the use of non-company storage devices and systems. For every control you put in place there will be weaknesses – “what if they use their own USB drive?” The idea is to put controls in place that are commensurate with the risks. Speaking hypothetically, if an organization is worried about portable devices and external storage then one must wonder if the data should even be allowed outside of controlled facilities.
Systems for donation or resale need to be taken into consideration as well. These devices, whatever they may be, need to have their data removed and be presented to the recipient in such a way that not only is the data gone but software licensing is also taken into account. With MS Windows, most PCs have their certificate of authenticity (COA) adhered to the unit so it typically transfers with the PC. However, productivity packages such as Office do not automatically change hands. Thus, corporate IT groups need to consider not just the safeguarding of data on systems that they donate; they must also ensure that software licensing for the operating systems and applications is properly handled.
On a related note, an increasing number of municipalities have put laws in place regarding the disposal of computer systems, both because of the huge volume of computer-related equipment going into dumps, known as “e-waste”, and because some of the components are fairly toxic. There is a growing business segment of vendors that specialize in picking up e-waste and ensuring it is securely disposed of. As with any vendor, their controls should be verified prior to contracting with them and routinely audited to verify their compliance with stated policies and procedures.
In closing, organizations need to review their policies and procedures for decommissioning devices that will be donated, sold or discarded. Based on the sensitivity of the data and associated risks, groups should implement controls to safeguard data and, where appropriate, software licensing. Today, it is far better to prevent incidents than to have the damaged reputation and frenzied scramble to recover afterwards.