Vulnerabilities exposed during disposal of used computers

Upgrading equipment? Proper disposal of used computers is necessary to reduce risk, because sensitive data is vulnerable when old electronics go out the door.

Don’t create a security breach.

That should be the mantra of anyone who has a hand in managing information risk, but so many people overlook the realities of disposing of old computers and related equipment. I’d venture to guess more effort and money go into “green” marketing initiatives than proper system disposal. The focus is on business reputation as it pertains to good corporate citizenship, but sensitive information is being exposed when old electronics go out the door. There’s a bit of irony in it all.

Kevin Beaver

Proper disposal of used computers is not just about wiping hard drives. There are personal records, intellectual property and sensitive system configuration information on routers, firewalls, telephone equipment, backup tapes, smartphones and so on. It’s everywhere. If you’re not taking the proper steps to identify sensitive information before it leaves the building, you’re opening your business -- and yourself -- up to big headaches, at best. These headaches can quickly turn into nightmares if sensitive information is ever brought out and used against you.

Take a look at how your company handles the disposal of used computers. Can you truly say that sensitive information is completely cleared off your systems that are traded, sold or otherwise thrown out? Based on your experience managing information risk and the misfortunes of others, what should you be doing more of? Is there anything you should be doing less of, or not at all? These are the kinds of questions that can help improve your compliance and information security initiatives.

At a minimum, your disposal program should include the elements shown in Figure 1:

Essential elements for effective computer disposal

In essence, you need to know what you’ve got, ensure that everyone knows the requirements and processes, enforce the rules and never let up.

There are enough security threats and vulnerabilities to information risk management as it is. Breaches born out of improper disposal of used computers are totally preventable. You should vow to get your arms around computer equipment disposal. Systems and sensitive information will no doubt slip through the cracks, but your goal isn’t to eliminate all risk. That’s an impossible task. Instead, develop a solid and repeatable process that shows your business is doing the right thing to minimize risks and reduce the impact when a breach does occur. It’s when businesses ignore basic due diligence and stand out from the crowd that they get into trouble.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.

This was first published in February 2012
