Long gone are the days when an old piece of IT equipment could just be put in the skip round the back of the building and left to the bin men to pick up. Now, should any personally identifiable data (PID) be found on such a device, your company could be facing significant fines and considerable brand damage, and your directors could be on their way to jail.
Nearly any piece of IT equipment will have some data stored on it—even network switches could have a username/password stored in flash memory, and if your sysadmins use the same pair across different equipment, a clever blackhat could use this to gain access to your main systems.
There are many companies, large and small, which will offer to dispose of old equipment for you, often touting that they operate in accordance with the waste electrical and electronic equipment (WEEE) rules. However, data security is far more important than WEEE, and it requires far more to be done than most people realise. Let’s just focus on data held on devices that contain a disk drive of some sort.
An organisation must have a good understanding of how it wants its data dealt with, which requires the business to create an easily understood data classification. Low-level data may be suitable for overwriting or other erasure (for example, by degaussing the drive or overwriting it to the British HMG Infosec Enhanced Standard 5). Although this will generally make any data irretrievable to those without very deep pockets, no one should assume that previous data cannot be recovered from an intact drive. Where any doubts remain as to the value of the data, full disk destruction may be required. For larger amounts of equipment, the data security company may be able to provide a mobile disk destroyer, so that the customer can see each drive being destroyed. However, in many cases, the equipment will need to be sent to the data security company’s facilities to be dealt with, which introduces new problems.
The first thing to look at is how a third party will transport your equipment to its premises. If it just turns up in a standard van and takes the stuff, how do you know what really happens from there on? No. You need to make sure that the company is coming to pick up an agreed set of items. When they turn up, there must be a full handover, including signatures and time stamps, recording what both parties agree was picked up. The equipment should be placed in a secure environment within the vehicle that the driver has no access to, and that is strong enough to withstand most crashes or other problems that could occur on the way.
The vehicle should be fitted with GPS transmitters, and the company should be able to track exactly where the driver has been, any stops made along the way and any deviations from the agreed route.
Once the van gets to the facility, the customer should be able to be present (if they so choose) when the equipment is taken from the van. The equipment must be compared against the agreed inventory, and should also be under video surveillance from the point of unloading onwards.
If the equipment cannot be dealt with straight away, it will need to be stored securely in the interim. The building in which it is stored and dealt with should itself be secure, with perimeter security using good locks, security monitoring via CCTV and guards, anti-ram-raid measures such as bollards around the outside of the building (or large planted troughs to look nicer), and internal monitoring of all activity.
Those working on the equipment in any capacity should be CRB checked, but should still not be trusted. Everything that is done should be covered by constant CCTV, so that a full audit trail of where your equipment was, and what actions were carried out on it and by whom, can be shown to you at any time.
Where any disk drive (or other component) is removed from the main equipment, this should be shown via provable records by filming serial numbers or other identifiable asset tags so that everything can be matched up along the whole trail.
The actions being taken against the hard drives—whether these are secure reformatting or disk destruction—must again be provable. The serial numbers or asset tags should be filmed before each action and time stamped.
Once the actions are completed, the end result needs to be logged against the original inventory so that you, the customer, have full proof of what has been carried out.
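The checks described above (signed handover, comparison against the inventory at unloading, filmed and time-stamped actions, and the result logged against the original inventory) can be reconciled mechanically once the records exist. The following is an added example, not part of the original article; the stage names, record fields and sample serial numbers are assumptions constructed for illustration.

```python
from datetime import datetime

# Stage names and record layout are assumptions made for this example.
STAGES = ["handover", "unloaded", "action", "result_logged"]

def reconcile(inventory, events):
    """Return {serial: [problems]} for each serial whose custody trail has a gap."""
    trails = {}
    for ev in events:
        trails.setdefault(ev["serial"], {})[ev["stage"]] = ev
    problems = {}
    for serial in sorted(set(inventory) | set(trails)):
        seen, found = trails.get(serial, {}), []
        if serial not in inventory:
            found.append("not on agreed inventory")
        found += [f"missing stage: {s}" for s in STAGES if s not in seen]
        # The stages that were recorded must appear in time order.
        times = [datetime.fromisoformat(seen[s]["time"]) for s in STAGES if s in seen]
        if times != sorted(times):
            found.append("timestamps out of order")
        # Each erase/destroy action needs the filmed serial number as evidence.
        if "action" in seen and not seen["action"].get("video_ref"):
            found.append("action has no filmed serial number")
        if found:
            problems[serial] = found
    return problems

def make_event(serial, stage, time, video_ref=None):
    return {"serial": serial, "stage": stage, "time": time, "video_ref": video_ref}

# Constructed sample records (not real asset data).
INVENTORY = {"SN-A001", "SN-A002", "SN-A003"}
EVENTS = [
    make_event("SN-A001", "handover", "2024-03-04T09:00"),
    make_event("SN-A001", "unloaded", "2024-03-04T11:30"),
    make_event("SN-A001", "action", "2024-03-05T10:00", "cam2-000123"),
    make_event("SN-A001", "result_logged", "2024-03-05T10:20"),
    make_event("SN-A002", "handover", "2024-03-04T09:00"),
    make_event("SN-A002", "unloaded", "2024-03-04T11:30"),
    make_event("SN-A002", "action", "2024-03-05T12:00"),
    make_event("SN-A002", "result_logged", "2024-03-05T11:00"),
    make_event("SN-A003", "handover", "2024-03-04T09:00"),
    make_event("SN-X999", "unloaded", "2024-03-04T11:30"),
]

if __name__ == "__main__":
    for serial, found in reconcile(INVENTORY, EVENTS).items():
        print(serial, "->", "; ".join(found))
```

Any serial that appears in the output is one for which the disposal company cannot yet show a complete, ordered and evidenced trail.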
There are not many companies in the UK that are capable of doing all this—yet there will be many who will come to you promising that they are fully secure in the way they deal with the disposal of data-rich items. Just look at the press and see the number of disk drives turning up on eBay, physical auctions and at car boot sales and ask yourself if you can really trust the person you are talking to. Turn up unannounced at their facility and see for yourself what they do. Check their credentials—ISO 27001, ISO 14001 and ISO 9001 should be baselines. WEEE storage and processing licences must be available showing the facility to be an Authorised Treatment Facility (ATF). CCSG and CCTM accreditation is useful where the degree of data erasure needs to be guaranteed. Other standards and accreditations may be useful depending on your needs.
A couple of companies that Quocirca is aware of in the UK that can manage hardware disposal in this way are Bell Microsystems and Ecosystems. Both companies offer additional services over and beyond data security, but for organisations looking to make sure they dispose of hardware in line with current regulation, such services should not be overlooked.