Ten tips for end of life data security

How does your organisation manage end of life (EOL) data security? What happens to your hardware when it becomes redundant and upgraded? What happens to the data on it? What about the data sitting on your tape and optical media? What happens to it when the media cartridges become obsolete and you migrate the data to another format? How does your organisation address expired EOL data which resides on current technology?

These are all questions that need to be addressed and documented to ensure your organisation’s data is not put at risk. Guy Holmes lists his top 10 tips for ensuring the security of data when the technology or the media it is stored on reaches EOL.

1. Implement a data security and data disposal policy. First and foremost, take a proactive approach before you get burned. Analyse the situation and risk factors, then develop, document and implement a data security and disposal procedure.
    
2. Replicate the policy throughout the organisation. The creation of a policy should ensure that it is easily distributed and implemented across sites, offices and locations — even between joint venture partners. If the process is uniform and simple to follow then, with a little luck and some determination, it will happen. Whether the policy involves handling EOL data centrally or at each separate location shouldn’t matter — the policy will explain the process and procedure to be followed, ultimately ensuring data security.
    
3. Understand your data requirements. How long data needs to be retained for will differ according to the type of data (financial, HR records, tax, medical, emails etc) and according to the type of organisation and culture you have. A publicly listed organisation will be subject to different laws and regulations (eg, HIPPAA and Sarbanes Oxley) than a privately owned company. Know what you requirements are — how long data is to be retained, protected, and when it can be expired and disposed of.
    
4. What is your key EOL priority? Will the EOL data policy decisions be made on a price basis alone or on a security basis — or a combination of the two? Is it more important to ensure absolute destruction and disposal by going over the top with unnecessary additional destruction processes, or is the budget and bottom line more important. A $10 per tape destruction charge which involves a 10-step process may not win against a $2 per tape destruction charge which only involves a 2-step process. This will depend on the type of data but also company culture.
    
5. Decide on the extent of your EOL procedures. For hardware: Is disk erasure or reformatting sufficient or is physical destruction such as drilling, crushing, disassembly required? We once tendered for a job that required a road roller to be used for physical destruction! For media: Is degaussing or reformatting sufficient or total shredding or disassembly required? Do you want to witness the process yourself or just require certificates of destruction? Does physical evidence need to be returned to you following this process — serial numbers, seals or the entire remnants? Is a document chain of custody process more appropriate?
    
6. Cover all areas of potential breach for EOL data. You ticked the box for data stored on hardware and media. What about data on additional but often forgotten devices such as USB sticks and external drives? Have you thought about hard copy data and documents that may end up in skip bins and dumpsters or that sits in off-site storage for years past its EOL? What about EOL data in transit? Is it handled securely or does it require encryption or additional security measures depending on the length of transit and type of data. Ensure all avenues for breach are covered off with appropriate processes such as security shredding, degaussing, physical destruction, encryption etc.
    
7. Understand third-party participation. If you have third-party involvement in the EOL data procedure, understand that all vendors may manage destruction or EOL data security differently, and with differing levels of effort. Ensure that your supplier fully understands your requirements and can provide you with the necessary assurance that your data has not been placed at risk. Ask for destruction certificates for hardware and data, visit their premises in person and witness the destruction process or request to view the end product of destruction.
    
8. Educate your employees. Often employees are not aware of the potential risk areas for breach of data security, nor are they aware of the potential implications of such a loss and breach in security. Train and educate them and encourage them to take ownership for these processes. By understanding the implications there is less potential for EOL data to be handled without due care and to be disposed of in a sloppy or adverse manner.
    
9. Test and monitor your EOL data security policy. Periodically test and validate that the policy and procedures put in place are working and being followed. Test that drive to check that the data has been erased. Attempt to read that tape to ensure the data is no longer there. Does the encryption really work or can it be bypassed. Looking at shredded paper and shredded magnetic tape may be easy, but where an EOL data policy involves degaussing and re-use of tapes or removal of RAM from hardware there is greater room for error and increased data risk. Make sure these processes are followed correctly.
    
10. Develop a cradle-to-grave data management policy. Your EOL data security policy should form part of a greater data management policy which includes the creation or acquisition, processing, storage, access as well as EOL requirements. Use systems or reporting mechanisms to track data and all associated hardware and media throughout the entire information and technology lifecycle.

*Guy Holmes is the Director of SpectrumData.