security plan.
Review policy at least annually.
As with paper files (discussed last week), confidential corporate financial data or customer information found on discarded floppies and CDs could give your competitors an unfair advantage or provide grounds for a lawsuit that could wipe out your company.
At least one of these laws applies to your organization:
--The Federal Privacy Act protects the privacy of individuals and businesses by holding government agencies and the private sector liable for any personal information released to unauthorized individuals.
--If you are already in the middle of a suit, the Sarbanes-Oxley Act makes destroying documents related to a federal investigation a serious crime. And, as Arthur Andersen learned only too well, the act of destroying evidence in anticipation of a lawsuit can lead a jury to conclude the information would have been damning.
--The Gramm-Leach-Bliley Act requires companies engaged in financial activities to provide secure handling of client records and information.
--HIPAA, the Health Insurance Portability & Accountability Act, protects security and privacy of private health information.
--State and local legislation is being proposed and passed throughout the nation in response to constituent alarm over privacy protection and identity theft -- all laws supported by fines and the right to sue for damages.
Paper isn't the only thing that can fall into the wrong hands. Data can be gleaned from any data storage medium, such as linear tape and CDs, if the data isn't electronically "shredded" first. There are a number of programs that completely obliterate data -- just read the reviews in the computer magazines.
If you want to re-use the medium, the magnetic signals on the disk should be so thoroughly scrambled that the original data can't be recovered, even through the use of specialized hardware or software. If you don't intend to re-use it, physically destroy computer disks, tapes, microfilm, microfiche, x-rays, etc. And don't forget media from a backup site. Companies offer this service, but if you destroy enough media regularly it may be cost-effective to buy a machine to safely destroy everything on site.
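As an added example (not code from the column), here is what the "electronic shredding" step looks like for a single file, together with the audit record the column later recommends keeping: the file is overwritten with random passes and a final zero pass, then a JSON line recording what was wiped is appended to a log. It assumes the file's blocks are rewritten in place (a magnetic disk with a plain filesystem); the function name, record fields and log format are my own choices.

```python
import hashlib
import json
import os
import secrets
from datetime import datetime, timezone

CHUNK = 1 << 20  # write in 1 MiB pieces so large files don't sit in memory


def _overwrite_pass(fd, size, pattern=None):
    """One full pass over the file: random bytes, or a repeated byte pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else pattern * n
        remaining -= os.write(fd, buf)  # handles short writes
    os.fsync(fd)  # make sure the pass reached the device, not just the cache


def shred_file(path, random_passes=2, audit_log=None):
    """Overwrite `path` with random data, then zeros, and return an audit record.

    The file is left in place (all zeros) so the caller can inspect it before
    unlinking. Assumption: blocks are rewritten in place. On SSDs or on
    journaling/copy-on-write filesystems old copies may survive elsewhere, so
    there use the device's own sanitize command or destroy the medium.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for _ in range(random_passes):
            _overwrite_pass(fd, size)
        _overwrite_pass(fd, size, pattern=b"\x00")
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        final_hash = hashlib.sha256(f.read()).hexdigest()
    record = {
        "path": os.path.abspath(path),
        "bytes": size,
        "passes": random_passes + 1,
        "final_sha256": final_hash,
        "wiped_at": datetime.now(timezone.utc).isoformat(),
    }
    if audit_log:  # one append-only JSON line per wiped item
        with open(audit_log, "a") as log:
            log.write(json.dumps(record) + "\n")
    return record
```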
If your organization chooses to destroy media, be aware that increasing pressure to recycle IT products -- as a result of e-waste hazards and accompanying regulations -- has set the stage for higher disposal costs. Also, IT equipment disposal services may be working through brokers to send it to illegal waste dumps in the United States or developing countries -- a controversial practice, as potentially hazardous materials could be released as the materials decompose.
Establish best practices, thoroughly check out vendors and create an audit trail so your organization won't be a future candidate for fines or negative publicity. While e-waste applies more to system parts like circuit boards and CRTs, you should keep this trend in mind.
Good search engines will help you find a shred program that will work for you. If you're physically destroying media, the local yellow pages list these services.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:firstname.lastname@example.org
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
This was first published in January 2008