Will data growth overwhelm your data sensitivity policy?

Most conversations with End User Computing service providers center on service catalogs and service levels. In the heat of the discussion, one topic sometimes gets neglected – media sanitization, i.e. how data is erased when media is recycled.

And while firms focus on the immediate insight coming from constantly growing information stores, media sanitization grows in importance.

Sometimes such a conversation ends with the realization that the guideline for data erasure and media sanitization has not been fully thought through. This goes beyond decisions about what happens to the data on laptops, phones and other devices after their time is up. What about the application data residing in your data centre? If you have a BYOD approach, this gets even more complex. Think of the implications if you have an in-house mobile application that accesses a CRM solution installed on the iPhones of your employees.

 

Cleaning

Media sanitization as a topic cannot simply be delegated to infrastructure provider management. You need a holistic approach towards data erasure. The journey starts much earlier – the concept for data erasure should play an important role in your storage, labelling and media reuse strategy.

 

The Levels of Data Removal

Richard Kissel from NIST makes the case for three types of data removal, which relate directly to the types of sensitive information you might identify for your organization:
a) Clear – where you erase the data on the device, but a tool like Unerase can easily recover this deleted data.
b) Purge – where you use much stronger cryptography (logical) or even physical means to remove data so that it cannot be recovered even by using state-of-the-art laboratory techniques. The media can still be reused and handed over internally to other employees or even externally via a shared device pool.
c) Destroy – where you not only purge the data, you also destroy the media storage device permanently so that it can no longer save data or be read. This is potentially your option for highly sensitive data.

Design data storage for Erasure

  • The best way to set up the framework for clean data removal is to label data when it is created.
  • Create a Data Sensitivity Classification Matrix.
  • The nature of the data should guide multiple decisions: how the data is handled, where it is stored, on what devices and in what ways it is made available, and finally how it is expunged.
  • Based on what data the media has been carrying, you also need a policy on whether the storage medium gets reused, recycled or, in extreme cases, destroyed permanently.

Make it easy to decide

  • Set up easy-to-understand criteria for labelling data and categorizing the security level. Draw inspiration from the Guidelines for Media Sanitization from NIST.
  • Ensure that your operations and processes can identify and carry out the necessary steps, based on whether the storage media should be cleared, purged or destroyed when it reaches the end of its lifecycle or changes hands.
  • Go beyond the devices that you control – look into your BYOD approach to decide what services you will make available.

Verify and leave an Audit Trail

  • If you are in a conversation with your data storage provider, guide your provider so that he understands your purging processes, what actions are required and what triggers these actions. Build this into the Statement of Work; it is not enough to add an Addendum to the contract with your data security guidelines.
  • Your erasure methodologies should leave a paper trail that documents all the actions taken as per the erasure guidelines.
  • A periodic spot check by an auditing department will additionally ensure that such erasure guidelines are being kept.

In a world where ever more data is being created and stored on myriad storage media, media sanitization is critical and unfortunately neglected. Early actions that you can take now to fix such potential leaks will go a long way in ensuring that your data sensitivity needs are covered.

Have you taken care of your Media Sanitization requirements?

 

photo credit: inf3ktion via photopin cc
