Preventing unnecessary data disposal risks

Steve Mellings, of the Asset Disposal & Information Security Alliance, discusses the problems facing data diposal and how it should be managed.

The incidence of data breaches is on the rise. It seems that public and private sector organisations are left embarrassed because they’ve suffered a ‘cyber-attack’ and there is a predisposition for most readers to assume these issues are as a result of a highly sophisticated attack on our networks. The reality in many cases is very different. Whilst the press and security industry waxes lyrical about the need for increased cyber defences, most government departments and businesses as a whole need to pause for breath and take stock of the situation they currently find themselves in. There are a whole array of very basic vulnerabilities which exist and require very little expertise to exploit that need addressing.

One area of continued poor performance is ICT asset disposal. In a Big Brother report, the health sector’s ICT disposal featured as two of the 10 top data breaches. So what is the problem? Why does a seemingly innocent and simple business process go wrong?

Perception of it disposal
Within the NHS I’ve seen Informatics and IT teams treat retired ICT assets as nothing more than door stops. I’ve personally inspected equipment left in a public corridor all still holding data and in another trust I’ve seen a publicly accessible fire exit stairwell used as a storage area. Furthermore, as the industry looking to win business from this sector we see, on an on-going basis, an enormous indifference to the seriousness of the process. Tenders coming out with little service specification and with the majority of the weighting being on price. We constantly see RFPs being released with only cursory equipment lists and then a request for ‘best bids’.

So for any organisation looking to manage risk within ICT Disposal they must first change their perception. Their partners are not IT Dustmen, they perform an essential part of the effort to protect data. Once this process is looked at in a different light it will be seen that, whilst there are risks throughout, they can be neatly categorised into three key areas.

Inventory Management
With inventory list accuracy ranging from 60-80 per cent for equipment on the network it can hardly be surprising that when ICT asset disposal companies come to collect equipment it is often done so after a request such as ‘we have a van full’ or ‘I’ve got a few bits’. Sometimes an inventory list is provided but is virtually a work of fiction and bears no resemblance to the actual assets ready for collection.

So why is this important? An inventory list is essential if the releasing company is going to have any hope of showing control over the process. How can the chain of custody be shown to exist through various internal stages and therefore mitigate the likelihood of internal and external theft? For those organisations who comfort themselves with ‘certificates of destruction’, ‘waste transfer notes’ or even ‘audit documents’ I would suggest that this is cold comfort. After all, how can you evidence that all of your items have been processed when you don’t even know what you released?

Vendor Management
Most organisations will engage with a third party to perform these services. As such, how this partner is selected and managed is an imperative part of this process. Vendor selection is perhaps the greatest concern in this sector. The industry itself is highly competitive and historically has done very well out of organisations seemingly happy to just give old infrastructure away. However, this has significantly changed in the past few years and with the exception of companies who offer ICT disposal as part of a portfolio of IT services, it is extremely difficult to offer these services for free without absolute guarantee over the volume and quality of equipment. The second user market has become far less buoyant for older technology and commodity pricing has decreased significantly in the past 12 months.

This has meant that the recycling value of equipment is about 30 per cent of the level where it was previously. It makes sense, therefore, that if the resale value is lower, the material value is lower and the type, quality and age of equipment is unknown, then no one can be absolutely assured that they can cover their costs from a collection.

Hopefully it can be seen that to base selection just on price in a highly competitive market is a questionable strategy. It’s interesting to note within the ICO’s NHS Surrey (£200,000 fine) penalty notice that they specifically make mention of poor vendor selection and this incident should be used as a case study for others. The most critical area where organisations fail is to not have a contract in place and to not audit their partners.

Technical Solution
I think we all know that delete doesn’t work but organisations are still taking little responsibility when it comes to dictating what tools should be used on their data carrying media. The technical solution can get even more confusing when there are occasions that a CESG approved software overwriting tool might give a ‘pass but with exceptions’ and generate the report. Those exceptions generally are not easily accessible to a user and require forensic recovery but unless the releasing company dictates the behaviour you are leaving your vendor to make those types of decisions.

For any organisation now using Solid State media they need to be aware that there are no government approved software overwriting tools. Furthermore, many destruction tools don’t actually impact on the storage element of the media itself (the NAND cells) so some traditional drilling or punching process may not work.

The easiest way of managing risk is to simply engage in this process in a more intellectual way. Have an inventory of equipment which is being released. Release it to a professional company who holds relevant certification, contract with that company and include a detailed service specification, and finally, audit them.

The solutions are out there and there are ways of meeting all different types of budget.

Further Information
www.adisa.org.uk