Getting disposal right

Technology innovation and changing user demands have changed business IT infrastructure for good. Technology has become commoditised, and the rise in mobility has seen hardware evolve from a fixed-point solution into a multi-faceted, multi-platform environment which permeates the business far more fluidly than it ever has before.
    
In such an environment of change it is surprising to find that one of the oldest IT business processes, asset retirement, has barely matured. As technology has advanced, attitudes to end-of-life processing have not kept pace, with the result that data often leaves the business through a process which is uncontrolled and, in some cases, not even identified as a business process at all.

Evidence of this can be found in the increasing enforcement action taken by the UK data regulator, the Information Commissioner’s Office (ICO). Within the past 12 months two of its largest fines to date, £325,000 and £200,000, were levied as a result of poor disposal processes. Furthermore, in 2010 the FSA levied a £2.25 million fine on one of its members for the loss of backup tapes during a disposal process.

A simple process?
So why do companies have such a problem with what appears, at face value, to be a simple business process? To answer that question we must first understand some of the challenges of disposing of data-bearing equipment.
    
One issue we see is that businesses fail to understand that data resides on a whole range of devices: smartphones, laptops, tape, USB sticks, networking equipment and printer/copier estates, as well as traditional media such as hard drives. Furthermore, these assets leave the estate more often than just at end of life. What happens when a device fails? Is it sent to a repair shop, or simply replaced by the manufacturer or supplier? What happens when leased equipment is returned to the vendor? When proper consideration is given to the transactions which occur at the ‘rear of the building’ it quickly becomes apparent that, whilst much resource and funding goes into protecting data on assets that are in life, the same cannot be said once those very same assets, still holding data, enter the disposal channel.

A further problem is answering the question ‘how do we sanitise the data?’ Too many companies think that data only sits on magnetic hard drives, and we see policies including phrases such as ‘Must use CESG software’. This sounds good, but CESG only approves overwriting tools for magnetic hard drives, so what about the other media types? We also see policy documents which state ‘Must ensure all data is eradicated’ and not a lot else. How is this to be achieved? Where is it done? By whom?
    
In the UK alone there are over 700 IT asset disposal companies, so deciding who to engage and what selection criteria to use is also a challenge. ISO 27001 is often taken as a sign of competence, but it is more concerned with the management of data created in the business’s own processes than with the act of asset recovery. I’ve personally seen an ISO 27001-certified company operating from a farm building which had little physical security and even less process control. There are also PAS 141 and BS 8887, which are strong on preparation for re-use and on the environmental permits and licences required by companies collecting and processing waste. Clearly we are going to recommend companies who hold our own Standard, as it is written specifically for this business process from the standpoint of managing risk throughout it. Compliance is managed not through a single audit but through regular unannounced and forensic assessments, and with end users benefiting from a free monitoring service our members are being as transparent and open as they possibly can.
    
The final issue for business is how to demonstrate compliance within this function. As far as the Data Protection Act is concerned the key phrase is ‘appropriate technical and organisational measures’, so the first question should be introspective: ‘Are we doing everything we could do to manage this business process?’ In 99 per cent of the businesses we’ve worked with, I’d say the honest answer would be no.

What can you do?
The data regulator, the ICO, has released guidance notes on this subject, and I’d say the starting point is to familiarise yourself with their requirements. They are straightforward and logical, and help businesses gain greater control over disposal.
    
The most critical improvement is the development of a policy which is prescriptive and backed by strong implementation. In ADISA’s experience this is where many end users struggle, and a poor IT asset disposal policy clearly means the whole process starts from a position of weakness. This weakness is magnified by a lack of in-house expertise to put the issues right and by an industry which is cut-throat and unregulated, creating an environment which is uncontrolled and which exposes the data controller to significant risk.
    
It is essential that any policy encompasses all technology and media types, and covers not only end of life but also other business processes such as break/fix, leasing and backup. It should also include a prescriptive requirement for the act of sanitisation for each media type. Whether that is software overwriting or destruction, onsite or offsite, should be decided by a risk assessment, as each has its own merits and challenges.
    
Your policy should then be used to drive the processes, procedures and contracts which enable it to be complied with. These need to cover not only the act of sanitisation but also the processes surrounding it, most notably how the chain of custody is maintained throughout. Too many companies believe that simply receiving certificates of data erasure covers them, but they must think a little deeper. If the original asset owner does not hold an inventory of the items being released, how do they know that all of those items have been processed? The only evidence they have is of the assets which made it to the processing bench. What if some were purloined by in-house staff, lost during logistics, or mislaid by the processing agent and never erased? It’s the items that are not on the certificates which you need to worry about.
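The reconciliation the two paragraphs above call for (a per-media-type sanitisation requirement, and checking the release inventory against what the vendor certifies) is easy to do mechanically once both sides are recorded. The following is an added example, not ADISA’s or the article’s own code, showing one way to do it. The policy table, field names, serial numbers and the CSV data are constructed for illustration; in particular, the rule that a software overwrite is not accepted for SSDs is an assumption in this hypothetical policy, not a statement about any real standard. The check goes slightly beyond the text by also flagging certificates for items that were never released and certificates whose media type disagrees with the inventory.

```python
"""Reconcile a release manifest against a vendor's certificate of erasure.

Added example (not the article's or ADISA's code). Inputs are two CSV
extracts: what the asset owner released, and what the vendor certified.
"""
import csv
import io

# Hypothetical policy (assumption): sanitisation methods accepted per media
# type. A real policy would be derived from the organisation's risk assessment.
APPROVED_METHODS = {
    "hdd": {"overwrite", "degauss", "shred"},
    "ssd": {"crypto-erase", "shred"},      # overwrite not accepted for SSD here
    "tape": {"degauss", "shred"},
    "phone": {"crypto-erase", "shred"},
}

# Constructed sample data: the owner's release inventory. Note the untidy
# serial on the last row, which vendor spreadsheets routinely produce.
MANIFEST_CSV = """serial,media
A001,hdd
A002,ssd
A003,tape
A004,phone
a005 ,hdd
"""

# Constructed sample data: the vendor's certificate lines.
CERTIFICATES_CSV = """serial,media,method
A001,hdd,overwrite
A002,ssd,overwrite
A003,tape,degauss
A005,ssd,shred
A006,hdd,shred
A001,hdd,overwrite
"""


def _norm(value):
    """Normalise serials and labels so trivial formatting differences
    do not hide or invent discrepancies."""
    return value.strip().upper()


def load_rows(text):
    """Parse a CSV extract into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(manifest_rows, certificate_rows, policy=APPROVED_METHODS):
    """Return the discrepancies between what was released and what was
    certified. The manifest is authoritative for media type."""
    released = {_norm(r["serial"]): _norm(r["media"]).lower() for r in manifest_rows}

    certified, duplicates = {}, []
    for r in certificate_rows:
        serial = _norm(r["serial"])
        if serial in certified:               # same item certified twice
            duplicates.append(serial)
            continue
        certified[serial] = {
            "media": _norm(r["media"]).lower(),
            "method": _norm(r["method"]).lower(),
        }

    # The items the article warns about: released, but never on a certificate.
    unprocessed = sorted(s for s in released if s not in certified)
    # Certified but never released: an inventory or identity error worth chasing.
    unexpected = sorted(s for s in certified if s not in released)
    # Vendor recorded a different media type from the owner's inventory.
    media_mismatch = sorted(
        s for s in certified if s in released and certified[s]["media"] != released[s]
    )
    # Certified, but with a method the policy does not accept for that media.
    non_compliant = sorted(
        s for s in certified
        if s in released and certified[s]["method"] not in policy.get(released[s], set())
    )
    return {
        "unprocessed": unprocessed,
        "unexpected": unexpected,
        "media_mismatch": media_mismatch,
        "non_compliant": non_compliant,
        "duplicates": sorted(duplicates),
    }


def chain_of_custody_closed(result):
    """True only when every released item is certified with an approved method."""
    return not result["unprocessed"] and not result["non_compliant"]


if __name__ == "__main__":
    result = reconcile(load_rows(MANIFEST_CSV), load_rows(CERTIFICATES_CSV))
    for category, serials in result.items():
        print(f"{category:15s} {serials}")
    print("chain of custody closed:", chain_of_custody_closed(result))
```

In the sample data A004 never reaches a certificate, which is exactly the case the article describes; A002 is certified with an overwrite that the hypothetical policy does not accept for SSD; A006 appears on a certificate but was never released. Each of those is a question for the vendor, and none of them is visible if you only file the certificates.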
    
Vendor selection is a significant challenge, and one where many businesses opt for the ‘lowest bid’ approach. It is almost certain that most businesses will engage third parties for at least part of their data sanitisation requirements, and it is essential that this engagement is formalised and controlled by a contract.
    
Tenders are often used to select partners, but we have recently seen tenders issued with an 80 per cent weighting on price and no specification for data destruction at all. We have seen equipment lists mailed around the industry asking for the ‘best price’, with ‘offer must include data destruction’ in the small print. All of these practices are happening today, and regularly. Do we really think that approaching an engagement in this way shows ‘appropriate organisational measures’? I don’t think so, and more importantly nor does the regulator.

ADISA Certification
Our advice to end users is to look for companies carrying the ADISA certification or, at the very least, able to show they can meet the Standard. Not only are our certified members independently assessed on an ongoing basis, but through the free monitoring service their customers receive copies of all audit reports for their own records. In addition, where disposal is part of an outsourced contract (for example Health Informatics) it is essential for the data controller to know who is actually providing the service. In many cases the company directly contracted farms the work out to downstream service providers outside the control and governance of the data controller.

My closing comment is simple: asset disposal is a process which you can get right. The only real reason companies are still getting it wrong is a lack of focus on, and commitment to, this business process. A business’s data protection responsibility ends only when the data is no longer available, so it should be obvious that the asset disposal process is as important as the rest of information security. Until it is treated as such by the data controller, with resource (both financial and professional) allocated specifically to this process, it is only a matter of time before there is another headline, and this time it could be you making the news.

For more information
To read the ICO Guidance notes go to tinyurl.com/pd3ga3z

To download the ADISA ITAD Standard, search for a certified member or download the ADISA Training course brochure go to www.adisa.org.uk
