Keep Sensitive Data from Getting Out: 6 Blind Spots in IT Asset Management
Throughout the lifecycle of managing your IT data assets, from acquisition through disposal, you need a strategy for protecting your data, preventing breaches, responding to audits promptly, and quickly solving problems. Over the last 10 years of working with companies to dramatically improve the security of their IT management process, we’ve found there are six blind spots that most companies have, which leave them open to the risk of a data breach or an audit:
Lack of Process Control – We often hear this from clients: “We don’t really know what we own or where to find it or who owns it.” Scary. You can lose control of the process anywhere from the receiving dock when a new product arrives all the way through the decommissioning process. Solid process control is absolutely necessary to ensure that you protect your sensitive information.
Asset Database Management – Many of our clients used an asset management tool but lacked standard nomenclatures, which made reconciliation efforts very difficult. By using standards and conventions in database management, you can ensure consistent use of serial numbers, model numbers, brand names, and other information crucial to controlling IT assets throughout their lifecycle and beyond.
Embedded Data – Embedded data is hidden data. For example, it took most people years to realize that their copiers had hard drives that contained some of their most sensitive information. Embedded data is found on phones, switches, faxes, tablets, and the list is growing. Embedded data can remain in a device’s memory after you dispose of the device, which can create legal problems for you in the future. You and other IT asset owners (almost everyone!) aren’t the only ones who can’t find or manage embedded data. Even most IT asset disposition vendors don’t know where it is.
Inadequate Chain of Custody Documentation – Can you prove that your IT equipment was properly secured after decommissioning while information was still on it, that the data was destroyed, and where the equipment went after you disposed of it? Without strong documentation addressing these questions, you may be unable to prove the chain of custody for your equipment, and that can mean trouble. You maintain liability for the data even after it has left your possession, so you need documentation that will be admissible and effective if you have to go to court.
Insufficient or Non-Existent Indemnification – Companies routinely accept a certificate of insurance and/or a letter of indemnification from their ITAD or ITAM providers without ever seeing a copy of the vendors’ insurance policy or knowing what is really needed for effective indemnification. Because of this, most industry indemnification presents a dangerous blind spot: the insurance coverage is insufficient.
Lack of Accelerated Breach Response Capability – When you have a data breach or an audit, you have to act very quickly to limit the damage. Most companies don’t have access to the most critical information that they’re required to produce in an audit or to defend them in court. Many don’t even have a response plan in place.
You can protect yourself from this risk by working with an ITAM or ITAD vendor who can guarantee immediate access to all of your crucial asset management data, plus step-by-step action to engage their insurance platform of protection.