Information Security: Do you have an end of life plan for your hard drive?
Computing is now woven into every business, and today's data centers are the backbone of our digital information society.
A used computer hard drive contains old e-mail messages; bank account, credit card, and Social Security numbers; and a host of other personal information. Many methods are claimed to destroy a hard drive securely, but the question is which of them are the most effective, safe, and reliable.
The sensitive nature of the information on your drives makes it critical that, when a drive reaches the end of its life, you eliminate any possibility of that data being recovered, and that you do so efficiently, effectively, and securely.
Some people follow advice found through online searches. Keep in mind that online forums are an especially poor source of advice. Here are a few paraphrased comments found on a recent web search:
“I just take my old hard drives out to the parking lot and bash them with a big hammer.”
“An acid bath is the way to go.”
“Throw it in your fireplace.”
“Drill a few holes in each drive and be done with it.”
Some of these methods may work if you have one or two hard drives to dispose of, but they still pose a large liability risk when done on behalf of an employer. A hammered or drilled drive keeps most of its platter surface intact and readable by a recovery lab, and acid baths and fireplaces add safety and environmental hazards of their own. Businesses have to deal with liability, workplace safety, and legislation, which is why it is imperative to have an end-of-life plan for properly disposing of hard drives.
So how can you plan for the end of life of your hard drive?
First, you must understand that a hard drive can contain hundreds of thousands of files. Although hospitals and other healthcare and health-insurance providers, banks and other financial institutions, and government/military entities are subject to higher standards of confidentiality, every business has employee records and proprietary information. We all have to replace computers from time to time, and more frequently as newer technology makes them obsolete. Know that when a file is "deleted", the operating system normally removes only the directory entry and marks the space as free; the contents stay on the drive until something happens to overwrite them, as do "deleted" e-mail messages and records of online activity. A quick reformat does the same thing on a larger scale: it rewrites the filesystem metadata and leaves the old contents in place. Even an overwrite can miss data: sectors the drive has silently remapped as bad, hidden areas such as a host-protected area, and, on solid-state drives, the spare cells that wear leveling keeps out of the host's reach. Data in those places can still be recovered by a determined individual using the right techniques and equipment.
Second, any facility should institute a comprehensive information-security program: written procedures that must be followed. Those procedures should include detailed recordkeeping and labeling that states, for example, the serial number of each drive, the computer from which it was removed, and the date it was removed. The program should also document destruction dates and methods and include a plan for in-house monitoring and verification. Reconciling the list of drives removed against the list of drives destroyed is what catches a drive that went missing somewhere between the two steps.
Finally, understand that there are federal regulations that require some facilities to have a comprehensive information-security program in place. To limit fraud and identity theft, the Disposal Rule issued under FACTA (the Fair and Accurate Credit Transactions Act) requires lenders, insurers, and many other businesses, anyone who "maintains or otherwise possesses consumer information for a business purpose", to properly dispose of that information. Likewise, hospitals and other healthcare entities must comply with the privacy and security rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). Similar requirements may be found in the Sarbanes-Oxley (Public Company Accounting Reform and Investor Protection) Act and the Gramm-Leach-Bliley (Financial Services Modernization) Act. Further, merchants and service providers that handle payment card data must follow the Payment Card Industry Data Security Standard (PCI DSS), a standard issued by the card brands' PCI Security Standards Council, which requires that cardholder data be protected while it is held and rendered unrecoverable when it is no longer needed.
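The recordkeeping described above is only useful if the records themselves cannot be quietly edited after the fact. The following is an added example, not the article's or any vendor's code, of a tamper-evident chain-of-custody ledger: each event carries the SHA-256 of the previous event, so altering or dropping an earlier record breaks every hash after it, and a reconciliation method lists drives that were removed but never logged as destroyed. The record layout, the serial numbers, hostnames and dates are all constructed for the example.

```python
"""Tamper-evident chain-of-custody ledger for drive disposal (added example).

Assumed record format: each event is a JSON object carrying the SHA-256 of
the previous event. Serials, hostnames and dates below are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the very first record


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _norm(serial: str) -> str:
    # Technicians type serials inconsistently; normalise before comparing.
    return serial.strip().upper()


class CustodyLedger:
    def __init__(self):
        self.events = []

    def _append(self, event: str, serial: str, **fields) -> dict:
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = {"event": event, "serial": _norm(serial), "prev": prev, **fields}
        record = {**body, "hash": _digest(body)}
        self.events.append(record)
        return record

    def removed(self, serial: str, host: str, on: str) -> dict:
        """Drive pulled from a machine: who had it, and when."""
        return self._append("removed", serial, host=host, date=on)

    def destroyed(self, serial: str, method: str, on: str, witness: str) -> dict:
        """Drive destroyed; refuses serials with no matching removal record."""
        if _norm(serial) not in self.outstanding():
            # Never logged as removed, or already destroyed: either way a
            # bookkeeping failure to surface, not to accept silently.
            raise ValueError(f"no outstanding removal record for {serial}")
        return self._append("destroyed", serial, method=method, date=on, witness=witness)

    def outstanding(self) -> list:
        """Serials removed from a machine but not yet logged as destroyed."""
        pending = []
        for ev in self.events:
            if ev["event"] == "removed":
                pending.append(ev["serial"])
            elif ev["event"] == "destroyed" and ev["serial"] in pending:
                pending.remove(ev["serial"])
        return pending

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any record was altered."""
        prev = GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["prev"] != prev or _digest(body) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True


def build_sample_ledger() -> CustodyLedger:
    # Constructed sample data: two drives pulled, one destroyed so far.
    ledger = CustodyLedger()
    ledger.removed("wd-wcc4n1234567", host="acct-ws-07", on="2024-03-04")
    ledger.removed("S3YJNX0M812345K", host="hr-laptop-12", on="2024-03-04")
    ledger.destroyed("WD-WCC4N1234567", method="shredded on site",
                     on="2024-03-11", witness="J. Doe")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify_chain())
    print("awaiting destruction:", ledger.outstanding())
    ledger.events[0]["host"] = "someone-else"  # simulate a doctored record
    print("chain intact after tampering:", ledger.verify_chain())
```

In practice the ledger would be appended to by the technician who pulls the drive and by the witness at destruction, and the latest hash would be recorded somewhere the ledger's custodian cannot edit (a printed log, an e-mail to an auditor), which is what turns the hash chain into evidence rather than just a checksum.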
Types of hard drive destruction:
1. Overwriting the drive. "Disk-wiping" software replaces stored data with a pattern of meaningless characters and, ideally, reads the drive back to confirm the pattern is there. It requires a drive that still works, should cover the whole device rather than individual files, and cannot reach sectors the drive has remapped; solid-state drives should be erased with the drive's own built-in sanitize or secure-erase command instead, because a host-level overwrite does not reach their spare cells.
2. Degaussing. Degaussing is the elimination of a magnetic field. There are two major methods. The first permanently erases data from hard drives when they are passed through the magnetic fields of powerful, fixed, rare-earth magnets. The second uses a powerful electromechanical pulse that instantaneously generates a strong magnetic field to permanently erase data from disks in an enclosed chamber. Degaussing only affects magnetic media: it leaves a modern hard drive unusable (the servo tracks are erased along with the data), and it has no effect on solid-state drives or other flash media.
3. Crushing. This method destroys drives by subjecting them to extreme pressure from a conical steel punch or similar device.
4. Shredding. Hard-drive shredders literally rip drives to shreds.
5. Disintegration. "Mechanical incineration" by a heavy-duty disintegrator (rotary knife mill) cuts items into smaller and smaller pieces until they are unrecognizable and cannot be reconstructed. For hard drives and other metal, this is typically done after shredding. Disintegration is similar to shredding, although the end particles are much smaller and more damaged. Particle size matters most for solid-state drives, whose memory chips are small enough to survive a coarse shred intact.
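To make concrete both the earlier point that deleting or quick-formatting leaves file contents on the drive and what the overwriting method (item 1) actually does about it, here is an added example that is not the article's code. It stands in for a real drive with a file-backed image plus a separate directory table, which is the crux: a filesystem keeps its metadata apart from the contents, and "delete" touches only the metadata. The sample payroll line, the image layout and the pass sequence are all constructed for the example. It deliberately does not model remapped sectors, host-protected areas or SSD spare cells, which is exactly why an overwrite of a real drive has to cover the whole device (or use the drive's own sanitize command) rather than wipe individual files.

```python
"""Delete vs. overwrite on a file-backed 'drive' (added example, not the
article's code). The image, directory table and payroll line are constructed.
"""
import os
import secrets
import tempfile

SECTOR = 512
CHUNK = 64 * 1024  # write granularity for wipe passes


class ImageDisk:
    def __init__(self, path: str, sectors: int):
        self.path = path
        self.size = sectors * SECTOR
        with open(path, "wb") as f:
            f.write(b"\x00" * self.size)
        self.table = {}  # name -> (offset, length): stand-in for the directory/FAT
        self.next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        if self.next_free + len(data) > self.size:
            raise OSError("image full")
        with open(self.path, "r+b") as f:
            f.seek(self.next_free)
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        self.table[name] = (self.next_free, len(data))
        # Round the allocation up to whole sectors, as a filesystem would.
        self.next_free += -(-len(data) // SECTOR) * SECTOR

    def delete(self, name: str) -> None:
        del self.table[name]  # contents untouched; only the entry goes

    def quick_format(self) -> None:
        self.table.clear()  # same thing at whole-volume scale
        self.next_free = 0

    def raw(self) -> bytes:
        with open(self.path, "rb") as f:
            return f.read()


def carve(image: bytes, needle: bytes) -> list:
    """Offsets of `needle` in the raw bytes, ignoring any directory table
    (what a recovery tool, or `grep -a` on the device node, does)."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def sanitize(disk: ImageDisk, passes) -> None:
    """Overwrite the entire image once per pass. Each pass is a one-byte
    pattern, or None for random data. Make the last pass a fixed pattern so
    that read-back verification has something to compare against."""
    with open(disk.path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = disk.size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def verify_fill(disk: ImageDisk, pattern: bytes) -> bool:
    """Read the whole image back and confirm every byte equals `pattern`."""
    with open(disk.path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != pattern * len(chunk):
                return False
    return True


def demo():
    """Returns (hits after delete+quick format, hits after wipe, verified)."""
    secret = b"payroll,J. Doe,SSN 000-12-3456,salary 61200"  # constructed sample
    with tempfile.TemporaryDirectory() as d:
        disk = ImageDisk(os.path.join(d, "drive.img"), sectors=256)
        disk.write_file("payroll.csv", secret)
        disk.delete("payroll.csv")
        disk.quick_format()
        hits_before = len(carve(disk.raw(), secret))  # still carvable
        sanitize(disk, passes=[None, b"\x00"])  # random pass, then zeros
        hits_after = len(carve(disk.raw(), secret))
        return hits_before, hits_after, verify_fill(disk, b"\x00")


if __name__ == "__main__":
    print(demo())  # (1, 0, True)
```

The read-back step is the part most ad-hoc wiping skips: a wipe that is never verified is a wipe you are taking on faith, and on a real drive it is also where a failing sector (a write that the drive reports as successful but cannot read back) shows up, at which point the drive goes to physical destruction rather than reuse.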
It is recommended that you outsource destruction to a NAID AAA Certified company (NAID is the National Association for Information Destruction) that destroys your hard drives on site.
The certified destruction service should provide the following:
1. Locked, trackable transport cases with tamper-evident security seals.
2. Your items should be inventoried by serial number (or by barcodes correlated with serial numbers) and stored in a locked, monitored area.
3. Employees should be thoroughly screened, and the facility or the mobile shredding unit should be monitored around the clock by security cameras.
4. The facility's equipment should have been evaluated by the NSA/CSS (that is, it should appear on the NSA/CSS Evaluated Products List for the relevant type of destruction device).
5. You should be allowed to watch the destruction in person or on video.
6. You should be issued a certificate of destruction that lists each drive by serial number, so it can be reconciled against your own removal records.
7. The facility/company should be insured.
A comprehensive hard-drive disposal program can prevent sensitive electronic records from falling into the hands of those nefarious folks who want to do mischief at your expense. Data security is an ongoing process, but by learning about threats and understanding destruction options, you will be in a much better position to protect yourself and your business.
Rock Solid Shredding provides customized paper and hard drive shredding services that assist businesses with complying with legislation while protecting information.
Contact them at 501.940.9900 or fill out the Contact Form.