Avoiding the Risks – Storage of Obsolete Data Devices
We recently took a look at the top 3 inherent risks that accompany the storage of obsolete data devices. Now that we are more familiar with these risks, let’s examine some best practices your organization should consider deploying to ensure your data is handled properly and destroyed through secure procedures.
Written Policies and Procedures – A good way to begin employing best practices is to take a close look at the data handling and destruction policies and procedures your company has in place. A consistent policy followed by everyone in your company is essential to avoiding litigation risks and qualifying for certain “safe harbor” protections. It can also eliminate confusion about how sensitive data should be responsibly and securely disposed of. To learn more about why you should create a data destruction policy, check out this article on ComputerWorld.
Data Destruction Vendor – Having a partner chosen for data destruction can help eliminate data storage risks by cutting down the lead time between device failure and disposal. The key to ensuring your electronic assets are destroyed securely and in compliance is understanding which vendor will suit your company’s needs. Here are a few requirements you should look for when considering your data handling and destruction vendor:
- First, consider whether the vendor is NAID certified. NAID is a third-party organization that randomly audits data destruction sites to ensure the highest standard of security is being met.
- Are they familiar with the typical government and private sector compliance regulations?
- What is their compliance and security policy? Vendors often consider these two things to be the same – the best vendors will go above and beyond the compliance requirements to ensure your data is handled and destroyed securely.
- What methods does the vendor use: degaussing, shredding, etc.?
- What’s the chain of custody – can they provide on-site destruction?
- Are their methods environmentally sound and in compliance with government regulations? Keep in mind that DOD regulations are the strictest, followed by health care and financial information.
- What kind of audit and reporting mechanisms does the vendor have in place? Tracking your data assets all the way through destruction is key to ensuring that your data is disposed of in a secure fashion.
Asset Tracking – Mitigate misplacement risks by keeping a rigorous record of all data assets. Be sure to always know where data assets are located and who might be accessing them. Match this tracking system with your data destruction vendor’s destroyed asset list for peace of mind that all data was disposed of.
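One way to match your tracking records against the vendor’s destroyed asset list is sketched below. This is an added example, not a tool from this article or from any vendor; the CSV columns, status values and serial numbers are constructed assumptions.

```python
import csv
import io

# Constructed sample data; the column names and status values are assumptions.
INVENTORY_CSV = """serial,location,status
WD-1001,Rack A3,in_service
WD-1002,Vendor pickup,sent_to_vendor
st 2001,Vendor pickup,sent_to_vendor
ST-2002,Vendor pickup,sent_to_vendor
ST-2003,Locked cabinet,awaiting_pickup
"""

VENDOR_CSV = """serial,method,destroyed_on
wd-1002,shredding,2024-01-15
ST-2001,degaussing,2024-01-15
WD-1001,shredding,2024-01-15
ZZ-9999,shredding,2024-01-15
"""


def normalize(serial):
    """Uppercase and keep only letters/digits so label variations still match."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())


def load(text):
    """Index CSV rows by normalized serial number."""
    return {normalize(row["serial"]): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory_csv, vendor_csv):
    inventory, destroyed = load(inventory_csv), load(vendor_csv)
    report = {"confirmed": [], "missing_from_vendor": [],
              "status_mismatch": [], "unknown_to_inventory": []}
    for serial, row in inventory.items():
        if row["status"] == "sent_to_vendor":
            # Handed over: the vendor's list must account for it.
            key = "confirmed" if serial in destroyed else "missing_from_vendor"
            report[key].append(serial)
        elif serial in destroyed:
            # Vendor reports destruction of a device we never released.
            report["status_mismatch"].append(serial)
    # Devices the vendor destroyed that were never tracked internally.
    report["unknown_to_inventory"] = sorted(set(destroyed) - set(inventory))
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for finding, serials in reconcile(INVENTORY_CSV, VENDOR_CSV).items():
        print(f"{finding}: {', '.join(serials) or 'none'}")
```

Anything other than “confirmed” is a gap in the chain of custody to follow up with the vendor or your own records.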
Secure Access Controls – It is a best practice to use access badges to control access to specific areas where sensitive data assets may be located. Background checks on employees are another suggested precaution to help make sure data does not end up in the wrong hands.