Most companies today have some form of policy in place to govern their data sanitization efforts. How data is collected, stored, handled and disposed of is central to current debate, with concerns over the privacy and security of customer data at fever pitch. While having some form of policy is absolutely a step in the right direction, many policies are loosely written, which opens the door to risk.
For example, should a company’s data sanitization policy allow for the use of deep format or freeware erasure tools, major security risks arise. The human factor is the crucial link that can open a business to risk, and quick formatting or free data sanitization tools that are human operated are not secure. When the choice of freeware is left to employee discretion, a tool with serious security flaws, or one which is entirely insecure, could be rolled out as an approved process – a huge red flag for any company that takes data protection and sanitization seriously.
It’s important to remember that unless you can bridge the gap between policy and process with stringent control and a verifiable audit trail, you are practicing poor data sanitization.
As we all know, tech is progressing and evolving at an unprecedented rate; new iterations of software and emerging hardware, such as SSDs, mean that some IT and data policies that have historically been completely sound are now redundant. Your IT policies should be as fluid as the sector they govern – an IT policy that was perfectly valid in 2006 is now archaic and must be updated to account for new technologies.
Let’s take a look at modern-day standards of erasure.
Your outdated data erasure policy may state that deleting or reformatting all drives is the best standard for your business, which simply isn’t true. There is a range of “standards” that dictate how best to completely erase data, and your IT policy should address these to remain compliant with current data retention, management and disposal regulations.
The DoD standard – from the Department of Defense – was once the most stringent guideline for secure and complete data erasure, and it may appear in your data-specific IT policy. At 25 years old, however, and last updated in 2006, the DoD standard is now outdated. It doesn’t consider newer technologies such as SSDs and shouldn’t form the basis of your data erasure policy. Other outdated examples include policies that recommend destruction through degaussing. Degaussing will not effectively destroy any data on an SSD, leaving that data intact and vulnerable to breach.
Certification should be a key requirement for any data erasure policy. To meet compliance requirements in many territories you must have a tamper-proof audit trail, a standard in Blancco’s suite of erasure products.
Which data erasure standards are the most comprehensive?
NIST 800-88 R1 is a popular standard and well worth considering as the basis for your IT policy on data erasure. Last updated in 2014, this standard is significantly more current than others. It covers both magnetic media and SSDs within its guidelines, forming a comprehensive framework for proper data sanitization. This is essential to maintaining a trustworthy reputation with customers. Reputation is invaluable; brands that take decades to build can be destroyed in minutes.
What could your future IT policy on data erasure look like?
As we’ve mentioned, IT policies must be as fluid as the industry they serve. As we move into the future, we could see policies that determine how each data set is managed, rather than the asset that stores that data. This granular spotlight on data could see your business needing to prove secure erasure at a data level, complete with a tamper-proof audit trail. If you haven’t already started preparing for this, now is the time.
Security standardization around ISO 27001 and recent developments in data protection legislation – such as GDPR – have put pressure on policies to be updated, relevant and properly implemented. Ensure your IT policies are updated regularly and comprehensively; your business can’t afford to pay the price of a data breach, in reputation or revenue.