DATA PROTECTION ESSENTIALS

Week 11: Are you throwing out company secrets?


Shelley Bard, CISSP
02.26.2004

In an effort to help busy security managers, CISSP Shelley Bard's weekly column will build upon the concept of the perpetual calendar, offering a schedule of reminders for a proactive, strategic security plan. Visit here for an archive of previous columns.

When
Review policy at least annually.

Why
As with paper files (discussed last week), confidential corporate financial or customer data found on discarded floppies and CDs could give your competitors an unfair advantage or provide grounds for a lawsuit that could wipe out your company.

At least one of these laws applies to your organization:

--The Federal Privacy Act protects the privacy of individuals and businesses by holding government agencies and the private sector liable for any personal information released to unauthorized individuals.

--If you are already in the middle of a suit, the Sarbanes-Oxley Act makes destroying documents related to a federal investigation a serious crime. And, as Arthur Andersen learned only too well, the act of destroying evidence in anticipation of a lawsuit can lead a jury to conclude the information would have been damning.

--The Gramm-Leach-Bliley Act requires companies engaged in financial activities to provide secure handling of client records and information.

--HIPAA, the Health Insurance Portability & Accountability Act, protects security and privacy of private health information.

--State and local legislation is being proposed and passed throughout the nation in response to constituent alarm over privacy protection and identity theft -- all laws supported by fines and the right to sue for damages.

Strategy
Paper isn't the only thing that can fall into the wrong hands. Data can be gleaned from any data storage medium, such as linear tape and CDs, if the data isn't electronically "shredded" first. There are a number of programs that completely obliterate data -- just read the reviews in the computer magazines.

If you want to re-use the medium, the magnetic signals on the disk should be so thoroughly scrambled that the original data can't be recovered, even through the use of specialized hardware or software. If you don't intend to re-use it, physically destroy computer disks, tapes, microfilm, microfiche, x-rays, etc. And don't forget media from a backup site. Companies offer this destruction service, but if you destroy enough media regularly it may be cost-effective to buy a machine to safely destroy everything on site.

If your organization chooses to destroy media, be aware that increasing pressure to recycle IT products -- as a result of e-waste hazards and accompanying regulations -- has set the stage for higher disposal costs. Also, IT equipment disposal services may be working through brokers to send it to illegal waste dumps in the United States or developing countries -- a controversial practice, as potentially hazardous materials could be released as the materials decompose.

Establish best practices, thoroughly check out vendors and create an audit trail so your organization won't be a future candidate for fines or negative publicity. While e-waste applies more to system parts like circuit boards and CRTs, you should keep this trend in mind.

More information
Good search engines will help you find a shred program that will work for you. If you're physically destroying media, the local yellow pages list these services.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to securityplanner@infosecuritymag.com.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Are you throwing out company secrets? (Part 1 -- physical records)
Next week: Quality of your Web site copyright, privacy policy and links

All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy