Don’t create a security breach.
That should be the mantra of anyone who has a hand in managing information risk, but so many people overlook the realities of disposing old computers and related equipment. I’d venture to guess more effort and money go into “green” marketing initiatives than proper system disposal. The focus is on business reputation as it pertains to good corporate citizenship, but sensitive information is being exposed when old electronics go out the door. There’s a bit of irony in it all.
Proper disposal of used computers is not just about wiping hard drives. There are personal records, intellectual property and sensitive system configuration information on routers, firewalls, telephone equipment, backup tapes, smartphones and so on. It’s everywhere. If you’re not taking the proper steps to identify sensitive information before it leaves the building, you’re opening your business -- and yourself -- up to big headaches, at best. These headaches can quickly turn into nightmares if sensitive information is ever brought out and used against you.
Take a look at how your company handles the disposal of used computers. Can you truly say that sensitive information is completely cleared off your systems that are traded, sold or otherwise thrown out? Based on your experience managing information risk and the misfortunes of others, what should you be doing more of? Is there anything you should be doing less of, or not at all? These are the kinds of questions that can help improve your compliance and information security initiatives.
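One concrete way to answer the "can you truly say it's cleared" question is to verify the wipe instead of trusting it. The script below is an added example and is not part of Kevin Beaver's column: it reads a disk image (or a block device the host can read) in fixed-size chunks, counts chunks that still hold anything other than the fill byte, and looks for a few common file signatures in whatever is left. The signature table, the `scan_image`, `make_sample_image` and `demo` names, and the two sample images it builds are all constructed for this illustration; it assumes the drive was overwritten with a single fill byte (zeros by default).

```python
"""Verify that a disk image or block device was actually cleared.

Added example, not from the original column. A chunk counts as clean only
if every byte equals the expected fill byte; anything else is residual data.
"""
import os
import tempfile

CHUNK_SIZE = 4096

# Well-known file headers (magic bytes) that indicate leftover content.
# Constructed list for the demo; extend it for your own environment.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP/Office container",
    b"\xff\xd8\xff": "JPEG image",
    b"SQLite format 3\x00": "SQLite database",
    b"\x7fELF": "ELF executable",
}


def scan_image(path, chunk_size=CHUNK_SIZE, fill=0):
    """Scan `path` and report residual data.

    Returns a dict with the number of chunks read, how many still contain
    bytes other than `fill`, the byte offsets of any recognised signatures,
    and a boolean `cleared` that is True only when no dirty chunk was seen.
    Signatures that straddle a chunk boundary are not detected by this
    simple scan; a production tool would carry a small overlap between reads.
    """
    total = dirty = 0
    found = {}
    with open(path, "rb") as fh:
        offset = 0
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            total += 1
            if chunk.count(fill) != len(chunk):  # at least one unexpected byte
                dirty += 1
                for magic, name in SIGNATURES.items():
                    pos = chunk.find(magic)
                    if pos != -1:
                        found.setdefault(name, []).append(offset + pos)
            offset += len(chunk)
    return {
        "chunks": total,
        "dirty_chunks": dirty,
        "signatures": found,
        "cleared": dirty == 0,
    }


def make_sample_image(path, size=64 * 1024, leftover=None, offset=0):
    """Write a zero-filled image, optionally planting `leftover` bytes at `offset`.

    Used only to build constructed sample data for the demo.
    """
    data = bytearray(size)
    if leftover:
        data[offset:offset + len(leftover)] = leftover
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Build one properly wiped image and one with a stale PDF header, scan both."""
    with tempfile.TemporaryDirectory() as workdir:
        wiped = make_sample_image(os.path.join(workdir, "wiped.img"))
        stale = make_sample_image(
            os.path.join(workdir, "stale.img"),
            leftover=b"%PDF-1.4 salary-review.pdf",  # constructed leftover content
            offset=10_000,
        )
        return {"wiped": scan_image(wiped), "stale": scan_image(stale)}


if __name__ == "__main__":
    for name, result in demo().items():
        verdict = "CLEARED" if result["cleared"] else "RESIDUAL DATA"
        print(f"{name}: {verdict} "
              f"({result['dirty_chunks']}/{result['chunks']} chunks dirty, "
              f"signatures={result['signatures']})")
```

Point `scan_image` at a raw image or a device path you are permitted to read. Two caveats matter in practice: a drive overwritten with random data will show every chunk as dirty, so for that wipe style rely on the signature search rather than the `cleared` flag; and on flash media (SSDs, phones, USB sticks) wear levelling and over-provisioned cells are invisible to the host, so a host-side read can only confirm what the host can see, which is why the drive's own sanitize or secure-erase command, or physical destruction, remains the control of record for those devices.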
At a minimum, your disposal program should include the elements shown in Figure 1:
In essence, you need to know what you’ve got, ensure that everyone knows the requirements and processes, enforce the rules and never let up.
There are enough security threats and vulnerabilities to information risk management as it is. Breaches borne out of improper disposal of used computers are totally preventable. You should vow to get your arms around computer equipment disposal. Systems and sensitive information will no doubt slip through the cracks, but your goal isn’t to eliminate all risk. That’s an impossible task. Instead, develop a solid and repeatable process that shows your business is doing the right thing to minimize risks and reduce the impact when a breach does occur. It’s when businesses ignore basic due diligence and stand out from the crowd that they get into trouble.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.