Week 11: Are you throwing out company secrets?

In an effort to help busy security managers, CISSP Shelley Bard's weekly column will build upon the concept of the perpetual calendar, offering a schedule of reminders for a proactive, strategic security plan. Visit here for an archive of previous columns.

When
Review policy at least annually.

Why
As with paper files (discussed last week), confidential corporate financial data or customer information found on discarded floppies and CDs could give your competitors an unfair advantage or provide grounds for a lawsuit that could wipe out your company.

At least one of these laws applies to your organization:

--The Federal Privacy Act protects the privacy of individuals and businesses by holding government agencies and the private sector liable for any personal information released to unauthorized individuals.

--If you are already in the middle of a suit, the Sarbanes-Oxley Act makes destroying documents related to a federal investigation a serious crime. And, as Arthur Andersen learned only too well, the act of destroying evidence in anticipation of a lawsuit can lead a jury to conclude the information would have been damning.

--The Gramm-Leach-Bliley Act requires companies engaged in financial activities to provide secure handling of client records and information.

--HIPAA, the Health Insurance Portability & Accountability Act, protects security and privacy of private health information.

--State and local legislation is being proposed and passed throughout the nation in response to constituent alarm over privacy protection and identity theft -- all laws supported by fines and the right to sue for damages.

Strategy
Paper isn't the only thing that can fall into the wrong hands. Data can be gleaned from any data storage medium, such as linear tape and CDs, if the data isn't electronically "shredded" first. There are a number of programs that completely obliterate data -- just read the reviews in the computer magazines.

If you want to re-use the medium, the magnetic signals on the disk should be so thoroughly scrambled that the original data can't be recovered, even through the use of specialized hardware or software. If you don't intend to re-use it, physically destroy computer disks, tapes, microfilm, microfiche, x-rays, etc. And don't forget media from a backup site. Companies offer this service, but if you destroy enough media regularly it may be cost-effective to buy a machine to safely destroy everything on site.

If your organization chooses to destroy media, be aware that increasing pressure to recycle IT products -- as a result of e-waste hazards and accompanying regulations -- has set the stage for higher disposal costs. Also, IT equipment disposal services may be working through brokers to send that equipment to illegal waste dumps in the United States or developing countries -- a controversial practice, as potentially hazardous materials could be released as the equipment decomposes.

Establish best practices, thoroughly check out vendors and create an audit trail so your organization won't be a future candidate for fines or negative publicity. While e-waste applies more to system parts like circuit boards and CRTs, you should keep this trend in mind.
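The electronic "shredding" described in the Strategy section and the audit trail recommended above can be combined in one small tool: overwrite the medium, read it back to confirm the overwrite actually landed, and record who wiped what, how, and whether the check passed. The script below is an added example, not code from the column or from any product it mentions. It operates on an ordinary file standing in for a device image; the function names, the audit-record fields and the sample "customer records" are this example's own construction.

```python
"""Electronic "shredding" of a storage medium with verification and an audit record.

Added example, not code from the original column. The target is an ordinary file that
stands in for a device image; the audit-record fields and function names are this
example's own design.
"""
import hashlib
import os
import secrets
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # write and read in 1 MiB pieces so large images are not held in memory


def _write_all(fd, buf):
    """os.write may write fewer bytes than asked; keep going until the buffer is out."""
    view = memoryview(buf)
    while view:
        view = view[os.write(fd, view):]


def _overwrite_pass(fd, size, pattern=None):
    """One full pass over the medium: fresh random bytes, or a fixed byte pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        _write_all(fd, secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    os.fsync(fd)  # make this pass reach the medium before the next one starts


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _all_zero(path):
    """Re-read the medium and confirm the final zero pass is what is actually there."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def sanitize_image(path, random_passes=1, operator="unknown"):
    """Overwrite `path` in place (random passes, then zeros), verify, and return an audit record.

    The record is the evidence a later reviewer needs: what was wiped, how, by whom,
    and whether the read-back check passed. A failed check is recorded, not hidden.
    """
    size = os.path.getsize(path)
    before = _sha256(path)  # fingerprint of the content being destroyed, not the content itself
    fd = os.open(path, os.O_RDWR)
    try:
        for _ in range(random_passes):
            _overwrite_pass(fd, size)
        _overwrite_pass(fd, size, pattern=b"\x00")
    finally:
        os.close(fd)
    return {
        "medium": os.path.abspath(path),
        "size_bytes": size,
        "method": f"overwrite: {random_passes} random pass(es) + 1 zero pass",
        "sha256_before": before,
        "sha256_after": _sha256(path),
        "verified": _all_zero(path),
        "operator": operator,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Constructed sample: a small image of fake customer records, wiped and checked."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"CUSTOMER 000-00-0000 ACCT 12345678\n" * 4096)  # constructed sample data
    record = sanitize_image(path, random_passes=1, operator="example-operator")
    with open(path, "rb") as f:
        remaining = f.read()
    os.remove(path)
    return record, remaining


if __name__ == "__main__":
    rec, left = demo()
    print(rec["verified"], b"12345678" in left)  # True False
```

Two points about using this on real hardware rather than a file. First, the overwrite approach matches the column's advice for magnetic media that will be re-used; on flash and SSDs, wear levelling keeps copies in blocks the host cannot address, so the drive's built-in sanitize or secure-erase command, or physical destruction, is the right route. Second, the read-back check here goes through the operating system's cache; on a physical device, re-read after the device has been closed and re-opened so the check reflects what is on the medium.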

More information
Good search engines will help you find a shred program that will work for you. If you're physically destroying media, the local yellow pages list these services.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to securityplanner@infosecuritymag.com

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Are you throwing out company secrets? (Part 1 -- physical records)
Next week: Quality of your Web site copyright, privacy policy and links

This was first published in January 2008