TechJournal South

Improper Data Erasure Poses Serious Business Risks

October 29th, 2007

By Steve Hyser, Canvas Systems

Businesses discard millions of computer hard drives each year. Beyond the inconvenience and embarrassment of proprietary data getting into the wrong hands, there are many more serious repercussions. Organizations are sometimes exposed to damaging legal, financial and public relations risks for failing to effectively erase business data before sale or disposal.

Enterprises have traditionally approached data erasure from a tactical, ad-hoc perspective. Unfortunately, the complex issues associated with data erasure require a more strategic approach.

Erasure approaches

Physical destruction of the hard drive can be effective, but precludes recovery of residual value. And because of the cost required, destruction is typically outsourced, thereby increasing the possibility of exposure of confidential data. If performed incorrectly, data can still be recovered from the remaining fragments of the storage media.

Degaussing a hard drive uses strong electromagnetic fields, ideally destroying all the magnetically recorded data on the drive. But newer drives with thicker shielding require a stronger electromagnetic field.

Reformatting as a data erasure method is highly ineffective. All “Delete” and “Format” commands only change the drive’s File Allocation Table and do not actually erase any data.

Software solutions that overwrite data on top of existing information offer the most effective and convenient way of permanently destroying data. Once the device has been erased, it can be reused or resold, preserving the functional and remarketing value of the asset. In some cases, the tool can be deployed over a network to target specific computers or drives. It can also produce reports verifying proper completion.

Setting an erasure policy

In formulating a corporate-wide data erasure policy, the following seven steps are important:

  1. Determine the most feasible solution. Each company’s data erasure policy should be based on several business factors, such as the size of the organization, the frequency of data erasure and disposal, and specific industry requirements.
  2. Calculate costs and formulate a budget. By deploying an effective data erasure strategy, an enterprise can often recoup the remaining value on equipment by reselling it within two to three years after acquisition.
  3. Assign roles and responsibilities. Where will the ultimate data erasure decision lie? The decision-maker should be the individual most impacted if something goes wrong.
  4. Pick the disposal location. The facility where data erasure is performed can impact both the quality and security of the erasure process. For example, on-site data erasure provides the most secure option by ensuring that sensitive data doesn’t leave the enterprise. Using a third-party facility to perform the data erasure adds steps to the process, which require verifiable facility security and documentation. Important questions to ask include: Does the location provide a Statement of Work (SOW) detailing the steps in their erasure procedures? Can they provide certificates for regulatory compliance reporting? Have they installed security cameras for surveillance in designated work areas? Do they use sealed and secure containers to prevent unauthorized access during shipping?
  5. Choose a qualified service provider. The provider must be insured (a minimum of $1 million), have certified engineers, provide certificates that include serial numbers and generate erasure reports. Make sure they provide alternatives for both software-based erasure and data destruction with an ability to combine solutions to keep operating costs low. And check their references.
  6. Plan desktop/data center device management. Data center equipment is deployed, run, and managed differently from desktop PCs and notebooks. As a result, the process of removing storage devices from equipment such as a network server to replace the storage media designated for erasure can impact essential business functions. The sheer volume of this task may make it more cost-effective to bring in experts rather than risk disruption of crucial business functions.
  7. Research regulatory and reporting requirements. Any public or private company in a regulated industry that handles sensitive information must understand the necessity of generating an audit trail. Reports should include lists of the disposed or erased items, their serial numbers, how the data was erased or the asset was destroyed, and the disposal procedures.
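The overwrite-and-report approach described under "Erasure approaches", combined with the audit-trail entry from step 7, can be sketched as follows. This is an added example, not code from the article or from Canvas Systems; a temporary file stands in for a drive, and the record's field names and the sample serial number are assumptions.

```python
import os, tempfile
from datetime import datetime, timezone
CHUNK = 1024 * 1024  # work in 1 MiB blocks

def overwrite_and_verify(path, pattern=b"\x00"):
    """Overwrite every byte of path with a one-byte pattern, then read it back."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # force the writes out before verifying
    mismatches = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            mismatches += len(chunk) - chunk.count(pattern)
    return size, mismatches

def erasure_record(path, serial, pattern=b"\x00"):
    size, mismatches = overwrite_and_verify(path, pattern)
    return {
        "serial_number": serial,  # field names here are assumptions
        "method": f"single-pass overwrite, pattern 0x{pattern.hex()}",
        "bytes_overwritten": size,
        "mismatched_bytes": mismatches,
        "verified": mismatches == 0,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def demo():
    # Constructed stand-in for a drive: a small image file holding fake data.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample payroll record\n" * 1000)
        image = f.name
    try:
        with open(image, "rb") as f:
            before = b"payroll" in f.read()
        record = erasure_record(image, "SAMPLE-SN-0001")
        with open(image, "rb") as f:
            after = b"payroll" in f.read()
        return before, after, record
    finally:
        os.remove(image)

if __name__ == "__main__":
    print(demo())
```

On real media the overwrite has to target the raw device rather than a file, and a read-back served from the operating system's cache does not by itself prove the pattern reached the disk.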

Protect yourself

The rapid rise in corporate information theft and fraud has made the issue of data erasure and IT asset disposal as important to an enterprise as the integrity of its corporate networks. An organization that fails to properly secure its business information when assets leave the premises risks severe penalties on a variety of legal, financial, and marketing-related fronts.

A sound and well-planned end-of-life IT asset and data policy should be an essential component of every organization’s corporate information strategy.

For more information and to download our complete whitepaper, “Protecting Your Enterprise With An Effective Data Erasure Strategy,” see:
www.canvassystems.com/dataerasure

 


© 2007, TechJournal South. All rights reserved.
