Data Destruction Myths
An IT Manager was heard to say recently “the hard drive is inoperable so let’s just send it to offsite recycling”. Another data center manager chimes in and adds, they “beat their units up with hammers and send them to the recycler”. An R2 recycling manager smiled and said “the last time I was at the recycler’s facility, I saw many people picking through the piles of e-waste and selecting all of the units that were not destroyed and purchasing them for a miniscule amount of cash.
It is 2015 and we are 70 years into the computer revolution yet there are software specialists who do not understand where their data resides or how to properly destroy it. Some think it is actually on a ‘Cloud’. So we should venture back to the basics, just as professional athletes do each summer before the season begins.
Myth #1: All data, big and small resides on a physical device.
It might not be in the office, but we might want to know where it is. Besides, we aren’t going to get very far blaming any lack in physical security on someone who is supposed to be watching our most precious commodity: our data. Therefore, we should know where our data is at all times. And TechR2 can help with our RFID IT Asset Management solution.
Myth #2: When data bearing devices fail, we need a process for data destruction and we need the training to do the procedure correctly.
Many facilities say that they follow a procedure, but when when asked during our audits, managers are surprised to find data bearing devices unsecured. Call TechR2… we are ISO certified and will help you establish a process and audit tracking program that works.
Myth #3: When executing a critical task in a data center, we use the two person rule to protect the organization from error and to guarantee security.
This is a CISSP exam question, remember. And it is also an ISO 27001 security rule. TechR2 is an ISO 27001 certified data destruction company.
Myth #4: We need a physical inventory of our critical devices.
Do you have one? We find that many data centers do not know the serial number of their data bearing device until the unit fails. When a storage server is offline, they definitely do not know where the units are located or what critical data is stored within them. It is common to see computers and servers shipped outside their facility with the hard drives intact. It is more common to go onsite and find that the hard drive count is inaccurate. The TechR2 TAB process will establish real physical inventory for those who ask.
Myth #5: Security rules dictate that secure devices do not leave the facility.
How many times do we see a company using shredders mounted in a truck? That means that secure devices with real data are carried into the parking lot, compromising the data and great risk to the company. Have hard drives ever been stolen using this method. Yes. More than once. TechR2 executes data destruction onsite.
To conclude, if we can find a hole in the data center’s plan for data destruction by just looking at the written plan, then how fast can anyone defeat the security procedures in reality. The affects remain – one or more data bearing device is compromised and you find that there is a breach. And the legal requirement to answer many questions about how you “lost sight of the big picture” will inevitably follow.
