INFORMATION TECHNOLOGY
 

 


 

Lesson 44

10 Steps to End of Life Data Security

 


Ten Steps for End-of-Life Data Security


Most corporate data centers rely on more than one vendor for storage media. They manage end-of-life data security much the same way, letting vendor service reps erase data from their tapes or hard drives. That approach may have proved adequate in the past, but it’s too risky in the current business climate. Here’s a ten-step strategy for getting end-of-life data security right.

1. Take a proactive approach. High-profile data breaches like the one suffered by retailer TJX are driving data centers to rethink their data security strategies. To avoid lawsuits and financial liabilities brought on by such incidents, develop a data security process, and put it in place before a breach occurs.

2. Align your strategy with your business culture. If your company is publicly held, regulations like Sarbanes-Oxley, HIPAA, and the FACT Act dictate to a large degree how your data is retained, protected and retired. Privately held firms aren’t subject to the same laws, but they face security risks too. Public reports of data breaches can damage a company’s reputation and finances, and put brand equity at stake.

3. Define your focus: price or security? Is price or security the top concern around end-of-life data management? Most managers claim the latter, but until you develop a detailed security plan, and put it into action, the per-pound price of taking storage tapes away is more likely your higher priority.

4. Create a uniform process that is easy to replicate. If your data assets are distributed across multiple sites, make sure the data center in New York is following the same procedures as European headquarters in London. Also important is deciding whether to centralize the assets on one site, or handle end-of-life data security at the remote locations themselves.

5. Educate and train. Teach staffers at remote data centers how your process works and what it entails. Monitor them to make sure they are using it.

6. Mitigate the risk of data in transit. If you opt for moving data assets among sites, keep in mind that a hard drive lost en route to the OEM or its ultimate destination can put your company at risk—especially one that stores credit card numbers or other sensitive information. Carefully track shipping of storage media, making sure project managers sign off every step of the way. If possible, erase the drive before shipping.

7. Keep your eye on the dumpster by the back door. High-tech Internet hackers make headlines, but low-tech methods of obtaining people’s personal information may pose a bigger threat. Make sure documents with sensitive data don’t end up in the trash where dumpster divers can uncover them.

8. Track every detail, right down to the serial number. Whether you are doing the job yourself, or using an outside vendor, be specific about what data has been destroyed where. That means tracking the serial number for each drive, not just noting all drives in a SAN enclosure have been erased. The same applies to simple procedures like piece count. Verify the count before the process begins, during the process, and have a third party do so at the end. Project managers should sign off on all assets, noting quantity and serial numbers, before they leave the facility. Outside providers should follow the same procedures.

9. Validate that your security process is working. Erase the drive—then check again to make sure it’s really erased. You don’t want your company data to end up on a second-hand drive for sale on eBay. If you are using tools such as a degausser—essentially a big magnet—make sure they are working properly, and detail the role each tool plays in the data security process. Keep in mind that different vendors use different tools, so validating each one is essential.

10. Develop a cradle to grave reporting strategy. Use software to track assets such as hard drives by serial number from the time they are first acquired to when the data is erased and the asset retired. Make sure your asset tracking software can import data from other systems used by vendors and outside service providers.
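Steps 8 through 10 come down to reconciling your own asset records against what a vendor reports, drive by drive. The sketch below is an added example, not part of the original lesson: the CSV column names, serial numbers and the `reconcile` function are all constructed for illustration. It shows why a matching piece count alone does not prove every drive was erased and verified.

```python
import csv
import io

# Constructed sample data (not from the lesson): inventory signed off before pickup.
INVENTORY = """\
serial,site,enclosure
Z1D4AAAA,New York,SAN-01
Z1D4BBBB,New York,SAN-01
Z1D4CCCC,London,SAN-07
Z1D4DDDD,London,SAN-07
"""

# Constructed vendor erasure report; the column names are assumptions.
VENDOR_REPORT = """\
Serial Number,Result,Verified
z1d4aaaa ,erased,yes
Z1D4BBBB,erased,no
Z1D4DDDD,erased,yes
Z1D4EEEE,erased,yes
"""

def _norm(serial):
    return serial.strip().upper()  # systems differ in case and padding

def reconcile(inventory_csv, vendor_csv, expected_count):
    """Compare per-drive serials, not just totals, between two systems."""
    owned = {_norm(r["serial"]) for r in csv.DictReader(io.StringIO(inventory_csv))}
    reported, duplicates = {}, []
    for row in csv.DictReader(io.StringIO(vendor_csv)):
        serial = _norm(row["Serial Number"])
        if serial in reported:
            duplicates.append(serial)
        reported[serial] = row
    done = {s for s, r in reported.items()
            if r["Result"].strip().lower() == "erased"
            and r["Verified"].strip().lower() == "yes"}
    result = {
        "count_ok": len(owned) == len(reported) == expected_count,
        "missing": sorted(owned - set(reported)),    # left the site, no erasure record
        "unknown": sorted(set(reported) - owned),    # reported but never in inventory
        "unverified": sorted((owned & set(reported)) - done),
        "duplicates": sorted(duplicates),
    }
    result["cleared"] = result["count_ok"] and not any(
        result[k] for k in ("missing", "unknown", "unverified", "duplicates"))
    return result

if __name__ == "__main__":
    print(reconcile(INVENTORY, VENDOR_REPORT, expected_count=4))
```

In the sample, the piece count matches on both sides (four drives each), yet one drive has no erasure record, one was never verified, and one reported serial does not belong to the inventory, so the batch is not cleared.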

Erasing Drives for Reuse.


Here’s a checklist to make sure you don’t miss anything.
  • Erase connected USB Drives
  • Dismantle RAID Configuration
  • Fibre Channel Drive Support
  • SATA Drive Support
  • Overwrite Entire HDD, despite BIOS Limitations
  • Simultaneous Disk Erasure
  • Detailed Asset Report
  • Erasure Confirmation Certificate
  • Save Erasure Confirmation Data
  • Erase Protected Hard Drive areas (HPA, DCO)
  • Erase Remapped/Bad Sectors

 

Major Jane Raymond USAFA

MER/IT

 

 

 

UNCLASSIFIED / FOR OFFICIAL USE ONLY Information contained in this document is designated by the Department of Defense (DoD) as For Official Use Only (FOUO) and may not be released to anyone without the prior permission of NHQ CAP and/or CAP-USAF.

LINKS OR REFERENCES TO INDIVIDUALS OR COMPANIES DOES NOT CONSTITUTE AN ENDORSEMENT OF ANY PRODUCT OR SERVICE YOU MAY RECEIVE FROM SUCH SOURCES.

 

   
   
