Six Tips to Protecting Your Off-Network Devices
In the past 13 years of handling data security for some of the most risk averse companies in the country, we have found a few common areas that offer a high return on security when they are addressed.
Our goal here is first to prevent unauthorized access to sensitive data, and, secondly, to create a trail of Audit Ready Documentation that validates compliance with data security and environmental laws.
This means that internally you need to have written processes that are monitored with a QA program and a secure asset disposition vendor that gets it when it comes to data security.
Some factors to keep in mind as you develop your process are:
Are off-network devices containing sensitive information stored in the same area as new equipment, or maybe in a closet for convenience, potentially exposing them to a larger user community and increasing the possibility of theft or inappropriate access to the, as yet, un-scrubbed confidential data? Are there controls in place to restrict access to the equipment and log who has accessed the equipment?
As a foundation of all that follows we recommend inventorying incoming equipment with the use of a database that references an industry standard nomenclature and adheres to that standard. This will save countless hours if reconciliation is required in the future as well as provide evidence of having performed due diligence if a breach occurs.
When decommissioning assets, best practices include placing them in a quarantined room with restricted and monitored access. If you are not destroying sensitive information on site, a full audit of your disposition provider is highly recommended.
If you are destroying sensitive information internally, many times data is hidden in components other than hard drives or sometimes the hard drives are difficult to find. For the highest levels of security, where sensitive information cannot leave the premises, the room should be equipped with all tools necessary to identify where data resides and destroy the data. This includes a searchable database that can be accessed by on-site personnel to locate and destroy sensitive information. QA programs must be in place regardless of where the data is destroyed to ensure the quality of the work performed.
If sending decommissioned assets to an asset disposition provider, take the time to have an accurate inventory of what is leaving your building and reconcile that with the reports they produce. Do not provide the list of equipment to the asset disposition provider in advance. Have a process in place to address discrepancies.
Documentation is used to prove compliance from an environmental and data security perspective. The quality of your documentation and your ability to produce it in a timely manner will greatly impact the outcome of an audit if something were to go wrong.
Best practices include an auditable chain of custody that proves possession two levels downstream from your facility. Quality reports for each lot as well as proof of data destruction in a verifiable electronic format are recommended. An example of proof of network equipment sanitization would be hyper-terminal print screen shots. Video monitoring of shredding may be recommended for your industry.
Plan for the worst:
Have a response plan in place for what will happen if something goes wrong. Find out what you’ll need to do, who will need to be notified, what documentation you will need, what your vendor will do to support you, and what your insurance covers as well as where it falls short.
Many times asset disposition provider insurance is insufficient to protect you or it protects them and leaves you vulnerable. Review the insurance your Asset Disposition provider carries, understand what is covered, what is not, and who is covered. A good policy will cover cyber liability, victim notification and credit monitoring, and unlimited attorney fees, to name a few.
You can read more about this topic by downloading our full Legal & Security Risks in Management and Disposal of Off-Network Technology whitepaper here: http://bit.ly/SecurityRiskWP
About Brass Valley
Brass Valley is an IT Asset Lifecycle Service provider and industry leader in client protection practices. We work with clients and industries such as financial services, healthcare, and the Fortune 1000 where protection of sensitive information is a high priority.