By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, CISA
Peter Norton was one of the personal computer pioneers and became extremely wealthy due, in part, to his ability to create a file undelete utility.
What Norton knew — that most people didn’t know then, and even now — is that when your operating system or application deletes a file, that file is not really deleted. Without going into the technical details, deletion is not the same as complete file erasure. To fully delete a file, such that it is unrecoverable, is not a trivial task.
Every business has huge amounts of digital media, often petabytes. When the media, often with corporate confidential and proprietary data, reaches its end of life, it can’t simply be dumped in the trash or returned to Dell. Companies need a formal process for media destruction.
This is not inconsequential because failure to adequately destroy media can have catastrophic consequences to a business — from financial loss and damage to a company’s reputation to regulatory violations as well as civil and criminal liability for directors and officers — and more.
The actual process of fully deleting data is known as sanitization. For those who want to know more about this, NIST Special Publication 800-88 Guidelines for Media Sanitization is something you want to read. NIST defines sanitization as the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.
As a start, management must be aware of the risks of not having a formal sanitization process and must ensure formal sanitization processes are therefore developed. And no — Kyle in shipping who uses a sledgehammer to destroy hard drives is not a formal process.
As a follow-up, the development of an information lifecycle audit program is certainly needed — in which the business follows a life cycle approach to IT risk management that includes making an explicit decision about data destruction.
Lastly, it is imperative to ensure that quality control is built into the sanitization process. Mistakes do happen, even with well-developed processes. Without oversight and quality control, these mistakes will continue and can put the company at risk.
There is a lot more to sanitization than can be covered in a single blog post. So you may want to attend a webinar I am presenting from 1 to 2 p.m. ET on Tuesday, June 8, titled “Ensuring Effective Data Destruction Practices.”
You can register for free at: https://oreilly.connectsolutions.com/datadestruction/event/registration.htm.
Ben, thanks for making the proper destruction of data a task worthy of discussion. While we continuously see articles about complex threats and ever evolving attacks, this one very low level risk is very real. Sadly, it is not given the attention that it truly requires in most organizations. Companies that invest in some of the most extentensive and expensive security measures look at the disposition of IT assets as just an afterthought. Keep fighting the good fight!!