Updating IT Security Policies: Your Data Destruction Practices May Be Outdated
By and large, many of today’s companies have some form of policy in place to govern data sanitization and other data protection efforts at various stages. But while updating IT security policies annually is encouraged as an industry standard, that doesn’t often happen. Even when that’s the goal, policies are often changed slowly, so they’re not always based on current business requirements or technological realities. That can be especially true when it comes to end-of-life data destruction policies.
6 reasons to update your information security policies
Here are a few reasons you should prioritize updating IT security policies for your organization by end of year:
- Technological changes – Both software and hardware advances change the way information is used, collected, stored, archived and disposed of. If these changes aren’t taken into consideration, old methods may be applied to your newer technologies, leading to inefficiencies, ineffectiveness and an increase in vulnerability.
- New data protection regulations – Since the European General Data Protection Regulation (GDPR) went into effect in 2018, several other jurisdictions have implemented similar data protection and privacy laws. The GDPR affects businesses in non-EU countries as the focus of the law is to protect the privacy of European citizens, wherever they may live. It also has significant penalties, and the power to enforce them, if its rules are violated. Other laws have varying degrees of implementation, penalties and enforcement, and Gartner predicts data protection laws will continue to increase in 2020.
- Changes in the value of your data – There are two ways to look at this. The first scenario is when data becomes worth less to you: Perhaps it’s beyond its retention date, it’s old or redundant, or it’s no longer meeting a need for your business. It’s important to consider how this data is treated, especially when it may still be valuable to others. That brings us to our second scenario: the more data and data points you collect and correlate, the more your data set is worth to hackers. Recently, the IBM/Ponemon Cost of a Data Breach Report, 2019 found that the average cost per record lost in a breach was $150, with the average cost of a data breach about $3.9 million. And, as with the 2017 Equifax and 2019 Capital One breaches, historical data can be part of a hacker-accessed motherlode.
- Speed and volume of data collection – Data management has become more important as data amasses at a greater rate. Whether your services have expanded, or your data collection mechanisms have evolved to include Internet of Things (IoT) devices, wearables, online tracking mechanisms or additional data collection strategies, more data exists for you to manage and protect, and you stand to lose more if you experience a breach. You also have more to store, which means your need for expensive data storage continues to grow. Unless your IT security policies cover best practices on how to retire old data and re-use data storage devices, your costs could rise needlessly.
- Increased malicious activity – The first half of 2019 saw several notable breaches that have exposed a record-setting amount of data. While there’s an increased focus on insider threats, the bulk of unauthorized data access comes from malicious attacks from the outside, and there are no signs that this will slow down anytime soon.
- Sub-par policy language – While having some form of security policy is absolutely a step in the right direction, many policies are written loosely, opening potential risk. Several areas are often left vague or unaddressed, particularly when it comes to data destruction: Who ultimately owns the data? Who is responsible for ensuring data retention requirements are met—and kicking off data disposal routines? Who owns the hardware and maintains audit-ready proof of secure and complete data erasure if those are reused or donated? Who is held responsible if old data is exposed during a breach?
Addressing data destruction in IT security policies
IT security policies often address network and perimeter-based measures aggressively, protecting the data that’s created, stored, used and shared throughout the organization. These policies should also address end-of-life security for data and data assets, whether through archiving or disposal. Otherwise, your old data that is destined for erasure or drives that are slated for physical destruction can be unauthorized sources of information for someone looking for an opportunity.
Unfortunately, it’s tempting to rely on “tried and true” end-of-life data destruction practices without realizing that they are no longer applicable to today’s technologies. It can also be tempting to keep outdated data destruction practices that seem to be cost-efficient, but that actually set you up for much greater risk.
Below are a few outdated data destruction practices that may be in place in your current IT policy. Seek these out so you can update them to current best practices.
Outdated data destruction practice #1: Inadequate or unnecessary physical destruction of data storage devices
It’s important to note that physical destruction of data storage hardware is still a valid option when devices reach end-of-life. However, because of advances in data storage hardware, your current policy recommendations may no longer be adequate to cover all scenarios.
- Degaussing – Degaussing only works on magnetized storage like hard disk drives (HDDs), and even then, it has some weaknesses. Not only does it not apply to solid-state drives (SSDs), any degausser you use must be adequate to the magnetic force of newer HDDs. If not, data can be left behind.
- Shredding – Again, shredding can be very effective. It can apply to most, if not all, data storage technologies. However, because data is being stored at increasingly compressed sizes on smaller and smaller devices, the shred size must also be increasingly small. Typically, a shred width of 1/2″ or smaller is needed to break through the small memory chips and securely remove the data. Most standard industrial shredders will only shred to 1″ particle size, leaving information behind.
Additional drawbacks to these options include the fact that waste is left behind, and that the opportunity is lost to reuse, donate or recycle those devices. The good news is, data sanitization can either eliminate the need for physical destruction and allow reuse or be used in conjunction with physical destruction. This latter option ensures absolute data protection for the most risk-averse organizations with the most sensitive data.
Outdated data destruction practice #2: Ineffective data erasure methods
Your outdated data erasure policy may state that deleting or reformatting all drives is the best standard for your business, which simply isn’t true. If a company’s data sanitization policy allows the use of deep format or freeware erasure tools, major security risks arise.
Human error can also open a business to risk, and quick formatting and free data erasure tools neither adequately reach all storage sectors nor provide audit-ready proof of erasure. If choice of freeware is left to employee discretion, without proper policy guidance, a poor tool could be rolled out as part of an approved process, a huge red flag for any company that takes data protection and sanitization seriously.
Automation reduces the threat of human error, ensuring complete data erasure. You must also consider what efforts respected data sanitization guidelines and best practices require when it comes to retiring devices or getting rid of old data.
Outdated data destruction practice #3: Relying on old standards of erasure
There is a range of “standards” which dictate how best to completely erase data, and your IT policy should address these to remain compliant with current data retention, management and disposal regulations.
It’s important to remember that unless you can bridge the gap between policy and process with stringent control and a verifiable audit trail, you are practicing poor data sanitization.
- The DoD standard – This 3-pass method from the Department of Defense was once the most stringent guideline for secure and complete data erasure, and it may appear on your data-specific IT policy. At more than 25 years old, however, and having been last updated in 2006, the DoD standard is now outdated. It doesn’t consider newer technologies such as SSDs and shouldn’t form the basis of your data erasure policy. Certification should also be a key requirement for any data erasure policy. To meet compliance requirements in many territories, you must have a tamper-proof audit trail, a standard in Blancco’s suite of erasure products, but not specified in the current version of DoD 5220.22-M.
- NIST SP 800-88 R1 – This set of guidelines from the National Institute of Standards and Technology is a popular standard and well worth your consideration when developing your IT policy on data erasure. Last updated in 2014, this standard is significantly more current than others. It has also become a global reference document with principles incorporated into notable international standards such as ISO/IEC 27040:2015. NIST 800-88 considers magnetic media and SSDs within its guidelines, forming a comprehensive framework for proper data sanitization. Its technology-agnostic approach means NIST sanitization can apply to all data storage devices, and its requirements for erasure verification mean you have assurance that your data has been sufficiently erased.
See our best practice document, “[Overview] Data Sanitization in the Modern Age: DoD or NIST?” for more on comparing these two standards.
What could your future IT policy on data destruction look like?
As mentioned, IT policies must be as fluid as the industry they serve.
Security standardization around ISO 27001 and recent developments in data protection legislation, such as GDPR, have put pressure on policies to be updated, relevant and properly implemented. And more data, near-daily data breaches and changes in data storage technology mean an increased risk for unauthorized data exposure, even for old data.
Ensure your IT policies are updated regularly and comprehensively to include end-of-life data sanitization. Don’t unnecessarily risk the price of a data breach, whether it’s on your network, in archives or on drives intended for destruction.
- Take time to review your IT security policy today, as updating policies often takes time to work through all affected stakeholders.
- For those sections that address physical destruction of hard drives, read our best practice document, “Physical Destruction vs. Secure Data Erasure,” free for immediate download. Other resources are listed below.
Originally published September 3, 2018, updated and expanded September 18, 2019.