5 Steps to Prevent the Loss of To-Be-Disposed-Of Data Storage Devices
Corporate, Industrial, Legal and Medical
Protecting data is one of the largest budgetary expense items of any organization’s IT department. 99% of this budget is spent protecting online data. Once data storage devices are taken offline and identified for disposal, they become the poor stepchild of your data security budget. With hard drive and solid state storage capacity reaching 30 terabytes (30 trillion bytes of data), the loss of a single data storage device could be catastrophic to an organization.
APPROACH + OBJECTIVE
- Isolate and secure: As soon as a data storage device is removed from the operating environment, all data storage media should immediately be removed and secured in such a fashion as to prevent unauthorized removal from the disposal process. It is fundamentally important to minimize this transfer window, because during it the data storage devices disappear from your automated data security process and reappear in your physical security process. This activity may take the form of placing the media in lockable containers and placing the containers in a secure room.
- Validate the media inventory: Establishing an audit trail of the collected media is an important regulatory and legal requirement. When possible, the individual media devices should be matched to your asset management records identifying where the data on the media came from. This data media inventory validation represents the termination of your active data asset records and the beginning of your data disposal/sanitization records. At this point it is recommended that the to-be-disposed-of media be given new inventory labels such as pre-printed bar code labels or RFID tags. This step accomplishes two objectives: (A) You, and only you, have control of the matching inventory records. No outsider can match any data media to any user in your organization without your cooperation. (B) The new tags allow the disposal inventory audit trail to be automated and remove human transcription errors from the process.
- Destroy the data according to NIST Guidelines: The NIST “Guidelines for Media Sanitization” are precise guidelines, established by the US Government, for the destruction of recorded data on all known data media. Federal data privacy regulations require adherence to these guidelines. Adherence to the guidelines removes any possible question as to the adequacy of your sanitization methods. NIST identifies the physical destruction of media by shredding as the best possible method of data sanitization.
- Sanitize your media on a predetermined schedule: Both data privacy regulations and courts of law require that the destruction of data occur according to a written policy and that you have records showing that you “routinely” follow your own policy. Failure to destroy, in a timely manner, data that you have the legal right to destroy can result in significant costs associated with electronic data discovery litigation. Having a predetermined schedule provides a disciplined framework for this essential activity.
- Maintain detailed auditable records of the above steps: Regulatory compliance requires auditable records. The disposal process records should represent a legally valid “chain of possession” of each data storage device from its original inventory validation at your facility through all handling points to its eventual data sanitization and disposal.
Dispose of your sanitized data storage devices in an environmentally compliant and sustainable manner: Hard drives and solid state storage devices, including SSDs, cell phones, PDAs and USB drives, contain electronic circuitry. 25 states currently have identified electronics as a regulated solid waste that must be recycled by a licensed electronic recycling facility. Shredded electronics contain valuable recyclable materials and, when properly handled, can result in nearly 100% materials recapture.
We provide regulatory compliant IT disposal services focused on protecting our clients from the unintentional failure to follow State and Federal environmental and data privacy regulations. Our procedures and documentation have been perfected over years of involvement with developing industry standards and regulatory requirements. Our Compliance Library™ is a secure, web-based document archive that provides a comprehensive and easily accessible history of all your organization’s IT disposal activity – a necessary tool for audits and asset management.