[BreachExchange] IAITAM: What Most Companies Consider "Good" Data Wiping Still Leaves Data Breaches A Real Danger

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 30 13:37:41 EDT 2016


http://www.prnewswire.com/news-releases/iaitam--what-most-companies-consider-good-data-wiping-still-leaves-data-breaches-a-real-danger-300336569.html

Even though there are sound and affordable data security practices for
retiring hard drives containing sensitive information, the "data wiping"
practices of many companies and government agencies are either sloppy or
completely nonexistent, according to the International Association of
Information Technology Asset Managers, Inc. (IAITAM).

IAITAM highlighted three recent cases where the fumbling of hard-drive
retirement created major threats:

The U.S. Dept. of Health and Human Services (HHS) reached a 2013 settlement
with Affinity Health Plan, Inc. in the amount of $1.2 million for federal
health privacy violations after the company returned photocopiers to their
leasing agent before the hard drives were erased.  This oversight caused
the personal health records of 344,579 individuals to be compromised.

Earlier this year, Oklahoma-based Crest Foods had a data breach where
computerized records containing sensitive information about employees
(including Social Security numbers and bank routing information) were found
in a dumpster outside the recycling facility they used as a disposal vendor.

Three years ago, a major New York City bank found that its IT director
diverted used company computers with hard drives intact to her child's
school, rather than going through the required outside data wiping process.

As these examples indicate, it does not take a disgruntled employee or
outright sabotage for deficient data-wiping procedures to cause a real or
potential problem.

IAITAM CEO Dr. Barbara Rembiesa said: "The golden rule when it comes to
data security when retiring hard drives is 'remove the data, remove the
risk.'  Another more useful way to look at this is that the sooner the data
is removed in the process, the lower your risk.  Retired drives containing
data are an invitation for both intentional and unintentional misuse.  This
problem is magnified if drives are stored in an unsecure location where
large numbers of employees have access.  Even sloppy handling of hard
drives with outside disposal firms can create problems if managed
incorrectly."

What's the best way to proceed?

As IAITAM notes, many companies still perceive that it's difficult,
time-consuming, and costly to wipe data from retired computers, but that's
not the case.  Wiping software is now capable of being initiated remotely
with minimal technician time and effort.  If you're retiring or processing
batches of computers simultaneously, a simple PXE configuration can allow
the processing of hundreds of computers a day with just one technician.
The bottom line is there's no excuse for poor data security when it comes
to your computer and hard drive retirement process.

According to IAITAM, data-wiping practices tend to fall into three
categories:

GOOD:  A good process is one in which data on retired drives gets wiped at
some point, even if it's late in the process, because most companies rely
exclusively on a "remarketer" or ITAD (IT Asset Disposition) vendor to do
the data sanitization.  By the time the ITAD vendor receives the hardware,
it has often been sitting in storage for months if not years in a
vulnerable state.  This is the absolute tail end of the process.  Most
companies understand the importance of wiping their data and therefore do
meet the "good" requirement.

BETTER:  A better process is one in which data on retired drives gets wiped
at the company where the drive originated or was in use.  Better still is
wiping the drive immediately upon its being retired.  Wiping software is
now capable of remotely initiating a wipe on any computer connected to the
company's network.  In just a few minutes a wipe can be initiated.  The
drive may take a few hours to wipe, but no further effort is required by the
technician.  Once the drive is wiped, the results can be automatically
logged to a database or sent via email.  The ideal is to wipe drives within
a day or two of their being retired.  Any longer and you create an
environment ripe for accidental misuse or intentional malfeasance.

BEST:  The best process is one in which data on retired drives gets wiped
at the originating company and then is either wiped again or validated
using a third party, such as an ITAD vendor.  In this scenario the drive is
wiped upon being retired.  Because the data is gone, there is little risk
in the drives sitting in storage, even if it's unsecured.  The data is
gone, so the risk is gone.  Then once the drives are sent for final
disposition, the ITAD vendor can either sanitize the drives again or
validate using a random sample that the drives were properly wiped.  This
"best" practice both lowers risk by removing the data early and provides a
failsafe to protect against problems and errors.

Rembiesa said: "The good news is that the 'best' level of data-wiping
security is obtainable for most companies and should be the ultimate goal.
Some companies don't store data that is innately sensitive and needs to be
protected and maybe feel comfortable with a lower level of security.  On
the other hand, companies that store financial, health, or personal data
are typically under strict regulation and must be particularly vigilant
about protecting their data.  In these cases, the 'best' level should be a
requirement. Moving from the 'good' to only the 'best' level represents a
substantial increase in security with minimal investment.  Doing so means
your data is at risk for months or years less and really covers a multitude
of sins later in your process."

For more information about best practices, go to
http://itak.iaitam.org/data-wiping-best-practices-good-better-best/.