White Paper: 5 Steps to Preventing the Lost Hard Drives

INDUSTRIES:

Corporate, Industrial, Legal, and Medical

With over 30 years of experience and over 1000 clients in the Northeast, Back Thru The Future® is one of the most capable computer recycling and secure data destruction companies in the country.

CHALLENGE

Protecting online data is one of the largest budgetary expense items of any IT department. Once hard drives are decommissioned and identified for disposal, security concerns are often forgotten. With hard drive and solid state storage capacity reaching 30 terabytes (30 trillion bytes of data) the loss of a single data storage device could be catastrophic to an organization.

APPROACH + OBJECTIVE

1. Isolate and secure:  As soon as a data storage device is removed from the operating environment all data storage media should immediately be removed and secured in such a fashion as to prevent unauthorized removal from the disposal process.  It is fundamentally important to minimize this transfer window of time, as the data storage devices disappear from your automated data security process and reappear in your physical security process. This activity may take the form of placing the media in lockable containers and placing the containers in a secure room.   
   
2. Validate the media inventory:  Establishing an audit trail of the collected media is an important regulatory and legal requirement.  When possible, the individual media devices should be matched to your asset management records identifying where the data on the media came from.  This data media inventory validation represents the termination of your active data asset records and the beginning of your data disposal/sanitization records.  At this point it is recommended that the to be disposed of media be given new inventory labels such as pre-printed bar code labels or RFID tags.  This step accomplishes two objectives.  A. You and only you, have control of the matching inventory records.  No outsider can match any data media to any user in your organization without your cooperation, and B.  The new tags allow the disposal inventory audit trail to be automated and remove human transcription errors from the process.

3. Destroy the data according to NIST Guidelines:  The NIST “Guidelines for Media Sanitization” are precise US Government established guidelines for the destruction of recorded data on all known data media.  Federal data privacy regulations require adherence to these guidelines.  Adherence to the guidelines removes any possible question as to the adequacy of your sanitization methods.  NIST identifies the physical destruction of media by shredding as the best possible method of data sanitization.

4. Sanitize your media on a predetermined schedule:  Both data privacy regulations and courts of law require that the destruction of data occur according to a written policy and that you have records showing that you “routinely” follow your own policy.   Failure to destroy data in a timely manner that you have the legal right to destroy can result in significant costs associated to electronic data discovery litigation issues.  Having a predetermined schedule provides a disciplined framework for this essential activity.

5. Maintain detailed auditable records of the above steps:  Regulatory compliance requires auditable records.  The disposal process records should represent a legally valid “chain of possession” of each data storage device from its original inventory validation at your facility through all handling points to its eventual data sanitization and disposal.