For information security and risk management personnel, the stakes for IT asset disposition (ITAD) are high. If you are in one of these roles, you are tasked with ensuring that your organization meets your internal requirements and your industry’s regulatory standards such as HIPPA/HITECH, PCI, SOX, FACTA, GLB, FERPA. It only takes one drive to get through the ITAD process with data still on it to cost your company a significant amount in fines and public relations value, and possibly stock price. The current average cost of a single data breach can be measured in thousands – or even millions – of dollars.
At the same time, your company may be trying to maximize the remarket value of retired assets, and doing that requires having a hard drive in the equipment. How, then, can you ensure the data on your organization’s IT assets has been properly wiped and that the results will hold up under the scrutiny of an audit?
Use a certified vendor
For complete and compliant data erasure, the best choice is a vendor that has been certified by a recognized third party. If you use a certified IT asset disposition vendor, you can be sure that it meets the highest standards for data erasure and its entire disposition process has been documented. The National Association for Information Destruction (NAID) is one of the major certification bodies that focus exclusively on security, and it performs both an annual and a surprise audit each year on the organizations it certifies. R2/RIOS and e-stewards certifications also include data security standards. By working with a certified ITAD provider, you’re saving yourself the trouble of checking up on the work of your vendor, because it’s already been done for you.
Choose a certified vendor for all information destruction, on hard drives and other storage media, and be sure to include equipment like copiers, network printers, and PDAs, as well.
Certified data erasure providers have advantages over an internal team
You might think it would be more secure to use your own IT team for data erasure, however there are several advantages to partnering with a certified vendor. Your IT team may be skilled in a number of areas, but they may not all be familiar with proper data erasure procedures. The team members are also most likely juggling several other tasks, so they may not be available to monitor the data erasure process to ensure quality from start to finish. A staff dedicated solely to data erasure at a certified partner, on the other hand, will be trained in the process, software tools, standards, and best practices. They can offer a documented data erasure process certified according to industry standards and they will not be distracted by other projects while they are serving your organization.
Even if your internal team does have an erasure process, have your ITAD vendor also perform a data wipe and report to you the results. You may find that some of the drives were not
Encryption is not erasure
Encryption makes the data very difficult for anyone without the key to read. However, the data is still on the drive. At disposition, the US and international standards require that the data be completely erased. The same process can successfully wipe encrypted and non-encrypted drives, and the same forensics can check them to make sure the data is really gone.
More information about ITAD data erasure
Many misconceptions exist about the process, standards, and technology related to data erasure. Our document, “10 Myths About IT Asset Disposition (ITAD) Data Erasure,” sheds some light on the data erasure process, dispelling some of the most common myths and discussing the best practices for optimizing your organization’s ITAD program in this area.
Read more: Should You Ask for a “DoD” Data Wipe?