Tag Archive for 'data destruction'

Data Destruction Policy/Service

Recently I documented my thoughts on “Deleting Data does not Purge Data”. My inclination was toward developing a policy which would formulate the “Data Destruction Policy” in our company.

We deal with confidential data all the time which is sent by clients for:

  1. Data Migration
  2. Checking Database Integrity
  3. Development
  4. Stress Testing

During this time, the data is passed around our highly qualified staff (who have signed a “Non-Disclosure” agreement). Many times, we have seen that the medium for transporting/transferring data is a secure channel. However, sometimes the medium storing/transferring confidential data could also be a “DVD”, “USB Drive” or even a “Magnetic Tape Drive”.

To safeguard the interests of our clients and our staff members, we have partnered with a “Digital Media/Data Destruction Company”. This company guarantees destruction of digital information from any external media at a nominal cost ($15-$25) per incident.

The Data Destruction Company has signed a “Non-Disclosure” agreement. So the data/information is safe and not in unsafe hands.

Here is the process that we have set:

  1. Any disk/tape drive which needs to be destroyed should first be formatted by our company staff member.
  2. The staff member would also physically abuse (destroy) the disk with a hammer, or melt it if possible.
  3. We would then give the disk/drive to the “Data Destruction Company”.
  4. During this time, the company would provide us with a receipt for the disk/drive and would inform us of the date/time the data will be destroyed.
  5. Once the data is destroyed, the company sends us a formal receipt stating that the data was destroyed and the task has been completed.

We have also published this process within our organization so that any staff member who believes that they have disk/data that needs to be destroyed can contact our IT staff members and take advantage of the new “Data Destruction Service”.

This is a process which has safeguarded our position with the clients and we have built a trust relationship where we respect the privacy and confidentiality of the data we receive.


Deleting Data does not Purge Data

I have always been an active proponent of disposing of replacement or obsolete technology products in a regulated fashion. Of late, I have been promoting the notion of “Deleting Data does not Purge Data”.

Many assume that simply “deleting” the files on a system gets rid of the contents on the drive. This is not the case, as there is a very high possibility that this information will still be recoverable.

This compromises the privacy of your data which could include passwords, personal information, classified documents from work etc. The classified nature of data could lead to legal consequences.

As per a recent article (Dumped hard drives tell all), most people tend to transfer desktops or laptops without disposing of the data.

113 of 200 drives purchased on eBay as part of a security vendor’s study on disk sanitization still contained recoverable data, including data that in some cases appeared to be confidential or quite personal in nature.

We deal with highly classified data which might sometimes include data which could be confidential or quite personal in nature. Many times our team downloads client databases (with consent) over a secure connection. This data might contain Electronic Patient Health Information. This data must be protected from unauthorized disclosure in compliance with the requirements of HIPAA and other applicable state and federal privacy regulations.

When an employee terminates employment, the desktop or laptop is usually transferred to another person or department, or disposed of as surplus property. Whenever this is done, “Disk Sanitization” should be mandatory.

There are two options to sanitize a disk:

  1. Wipe or overwrite the disk using a software utility
  2. Physically destroy the hard disk by melting, shredding etc.

Types of Secure Deletion Standards:

  1. Simple Overwrite (1 pass)
  2. Department of Defense - DoD 5220.22-M (3 pass)
  3. NSA (7 passes)
  4. Gutmann (35 passes)

To successfully wipe a hard drive, one must at least look for a utility which meets the DoD 5220.22-M (3 pass) standard.
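The following added example (not from the original post or from any of the utilities it names) shows on a constructed toy disk image why a delete leaves data recoverable and what a three-pass overwrite changes. It assumes the commonly described three-pass pattern of zeros, ones, then random data with read-back verification; `toy_delete`, `recoverable`, `wipe_image` and the image layout are hypothetical names and structures made up for the illustration.

```python
import os
import tempfile

BLOCK = 4096
SECRET = b"PATIENT-RECORD-0001"  # constructed sample data

def toy_delete(path):
    """Mimic a filesystem delete: clear the 'in use' flag, leave the data."""
    with open(path, "r+b") as f:
        f.write(b"\x00")

def recoverable(path, needle):
    """Raw scan of the whole image, as a recovery tool would do."""
    with open(path, "rb") as f:
        return needle in f.read()

def _chunks(size):
    while size:
        n = min(BLOCK, size)
        yield n
        size -= n

def wipe_image(path, passes=(b"\x00", b"\xff", None)):
    """Overwrite every byte once per pass (None = random); verify fixed passes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for done, pattern in enumerate(passes, 1):
            f.seek(0)
            for n in _chunks(size):
                f.write(os.urandom(n) if pattern is None else pattern * n)
            f.flush()
            os.fsync(f.fileno())  # push the pass out of the OS cache
            if pattern is not None:
                f.seek(0)
                if any(f.read(n) != pattern * n for n in _chunks(size)):
                    raise IOError(f"verification failed on pass {done}")
    return len(passes)

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as f:  # flag byte, padding, then the file data
            f.write(b"\x01" + b"\x00" * 511 + SECRET + b"\x00" * 8192)
        toy_delete(img)
        after_delete = recoverable(img, SECRET)
        passes = wipe_image(img)
        return after_delete, passes, recoverable(img, SECRET)

if __name__ == "__main__":
    print(demo())
```

On SSDs and on journaling or copy-on-write filesystems, overwriting a file in place may never reach the blocks that held the original data, so this per-file approach only illustrates the idea. Whole-device wiping or physical destruction, as described in the post, remains the route for real media.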

Some Open Source Products which perform software disk wiping include:

  1. Eraser: http://www.heidi.ie/eraser/ (free)
  2. DBAN: Darik’s Boot and Nuke: http://dban.sourceforge.net/ (free)

Aging computer hard drives and other storage media are always at risk of compromising data. Anyone claiming that the potential costs associated with aging computer hardware are limited has not done the research.

I can only hope that everyone learns from experience that using appropriate data destruction mechanisms will prove a real bargain in the long run!
