Use a data destruction policy to safeguard corporate secrets

By Michael Mullins, TechRepublic
Thursday, August 18, 2005 11:21 AM
The Sarbanes-Oxley Act and other legislation have made data retention a hot topic. But what happens when your data has finally served its purpose?
Over the past few years, data retention has become a critical issue for corporations as they take steps to comply with complicated legislation--particularly, the Sarbanes-Oxley Act. While companies obsess over the retention requirements and boost their storage capabilities, there seems to be a tendency to ignore the flip side of the coin: data destruction.

What happens when your data has finally served its purpose? Sooner or later, you'll need to clean out those storage devices and free up some space. In previous articles, I've discussed how to erase old hardware and wipe data from Cisco routers and switches before discarding them. But these aren't the only devices on which data resides.

How much data do you think your organization has lying around in old file cabinets or long-forgotten CDs? When it comes to old media, don't throw it away--destroy it! By destroying any media that the organization no longer needs, you deny data thieves access to corporate secrets.

In June, the U.S. Federal Trade Commission enacted legislation called the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA targets consumer information, such as the type that credit agencies and lenders collect, in hopes of fighting the growing epidemic of identity theft. However, it's a good idea to incorporate the principles of this law throughout your company as a best practice for media destruction.

FACTA requires "disposal practices that are reasonable and appropriate to prevent the unauthorized access to--or use of--information in a consumer report." But think about this in broader terms: The end result of all data destruction should be to deny unauthorized access to any information.

Of course, the method of destruction varies depending on the type of media in question. Let's look at some of the most common media types and the destruction method for each.

Paper
When it comes to policy and practice, companies often overlook paper as a form of media. However, it's vital to include this category in your overall data destruction strategy.

Stop throwing away reports and sticky notes, and start destroying them. Take steps to destroy all documents and handwritten notes produced as a part of your business as soon as they are no longer necessary to your business. The most common approach for complying with HIPAA and FACTA regulations is cross-cut shredding that yields a paper fragment of 1mm by 5mm.

CD-ROMs and DVDs
Almost every business produces CD-ROMs or DVDs, either for distribution to its clients or for internal data storage and portability. If you no longer need the information stored on that media or if you move the information to a different form of storage media, make sure you destroy the CD-ROMs or DVDs.

Several acceptable methods exist for the destruction of this type of media. Options include breaking the disks, cutting them up with scissors, and even a specialized machine that shreds CD-ROMs and DVDs.

Floppy disks and tape
By design, magnetic media such as floppy disks and tapes are easy to erase and write to many times. Erase the media with one of the freely available programs that format the media and write 0s and 1s in a random pattern. When you're finished with formatting and overwriting, use scissors to cut the media and render it useless to prying eyes.
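An added example (not from the original article) of the overwrite step described above: it fills a disk image with random bytes, then reads it back to confirm the last pass landed and the old content is gone. The image, the marker string and the function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB blocks


def overwrite_random(path, passes=1):
    """Overwrite every byte of `path` in place; return SHA-256 of the last pass."""
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # size taken from the open handle
        for _ in range(passes):
            f.seek(0)
            digest = hashlib.sha256()
            remaining = size
            while remaining:
                block = os.urandom(min(CHUNK, remaining))
                f.write(block)
                digest.update(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())  # push this pass out of the OS cache
    return digest.hexdigest()


def verify(path, expected_hex, marker):
    """Read back: content must equal the last pass and must not contain `marker`."""
    with open(path, "rb") as f:
        data = f.read()
    return hashlib.sha256(data).hexdigest() == expected_hex and marker not in data


def demo():
    # Constructed sample: a 1.44 MB floppy image holding a made-up secret.
    marker = b"CONSTRUCTED-SECRET-PAYROLL-2005"
    size = 1474560
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as tmp:
        tmp.write(marker + b"\x00" * (size - len(marker)))
        path = tmp.name
    try:
        digest = overwrite_random(path, passes=2)
        return os.path.getsize(path), verify(path, digest, marker)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```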

USB drives
These days, almost everyone has a USB drive that holds anywhere from 32MB to 1GB or more. These devices are reusable, and many people keep using them until they no longer function. If you do need to destroy one of these devices and can't reformat it, just break the device in half. That will render the device unusable to someone who finds it in the trash.

Final thoughts
When implementing a data destruction policy for your organization, keep in mind that you need to balance the risk of disclosure with the cost of destruction. (I intentionally didn't cover hard drives in this article, because destroying a hard drive and destroying the information on it are a totally different issue from portable media.)

In addition, remember that if the data is valuable enough, someone might go to extraordinary lengths to recover that information. Regardless of the value of the data or the method you use to destroy your media, the end result should be to completely deny unauthorized access to the data.


