Is It Time to Update Your IT Security Policies?

Sep 18, 2019 Blog Article

While technology developments come fast and furious, the policies that govern them often aren’t agile enough to keep up. And, when it comes to IT security policies, new technologies aren’t the only factors that can leave your standard protection methods outdated: Changes in business structure, regulation, the value of your data, the speed of data collection and increased malicious activity can also lessen their effectiveness. All of this leaves even the largest, most innovative organizations at risk.

Vivian Cullipher Vivian is a career writer and editor, having covered technology-related topics for government and B2B organizations since before LinkedIn and the iPhone. As Blancco’s head of content, she oversees the development of thought-leadership-based copy for web, social media, and other Blancco communication channels.

Updating IT Security Policies: Your Data Destruction Practices May Be Outdated

By and large, many of today’s companies have some form of policy in place to govern data sanitization and other data protection efforts at various stages. But while updating IT security policies annually is encouraged as an industry standard, that doesn’t often happen. Even when that’s the goal, policies are often changed slowly, so they’re not always based on current business requirements or technological realities. That can be especially true when it comes to end-of-life data destruction policies.

6 reasons to update your information security policies

Here are a few reasons you should prioritize updating IT security policies for your organization by end of year:

Addressing data destruction in IT security policies

IT security policies often address network and perimeter-based measures aggressively, protecting the data that’s created, stored, used and shared throughout the organization. These policies should also address end-of-life security for data and data assets, whether through archiving or disposal. Otherwise, your old data that is destined for erasure or drives that are slated for physical destruction can be unauthorized sources of information for someone looking for an opportunity.

Unfortunately, it’s tempting to rely on “tried and true” end-of-life data destruction practices without realizing that they are no longer applicable to today’s technologies. It can also be tempting to keep outdated data destruction practices that seem to be cost-efficient, but that actually set you up for much greater risk.

Below are a few outdated data destruction practices that may be in place in your current IT policy. Seek these out so you can update them to current best practices.

Outdated data destruction practice #1: Inadequate or unnecessary physical destruction of data storage devices

It’s important to note that physical destruction of data storage hardware is still a valid option when devices reach end-of-life. However, because of advances in data storage hardware, your current policy recommendations may no longer be adequate to cover all scenarios.

Additional drawbacks to these options include the fact that waste is left behind, and that the opportunity is lost to reuse, donate or recycle those devices. The good news is, data sanitization can either eliminate the need for physical destruction and allow reuse or be used in conjunction with physical destruction. This latter option ensures absolute data protection for the most risk-averse organizations with the most sensitive data.

Outdated data destruction practice #2: Ineffective data erasure methods

Your outdated data erasure policy may state that deleting or reformatting all drives is the best standard for your business, which simply isn’t true. If a company’s data sanitization policy allows the use of deep format or freeware erasure tools, major security risks arise.

Human error can also open a business to risk, and quick formatting or free data erasure tools neither adequately reach all storage sectors or provide audit-ready proof of erasure. If choice of freeware is left to employee discretion, without proper policy guidance, a poor tool could be rolled out as part of an approved process—a huge red flag for any company that takes data protection and sanitization seriously.

Automation reduces the threat of human error, ensuring complete data erasure. You must also consider what efforts respected data sanitization guidelines and best practices require when it comes to retiring devices or getting rid of old data.

Outdated data destruction practice #3: Relying on old standards of erasure.

There are a range of “standards” which dictate how best to completely erase data, and your IT policy should address these to remain compliant with current data retention, management and disposal regulations.

It’s important to remember that unless you can bridge the gap between policy and process with stringent control and a verifiable audit trail, you are practicing poor data sanitization.

See our best practice document, “[Overview] Data Sanitization in the Modern Age: DoD or NIST?” for more on comparing these two standards.

What could your future IT policy on data destruction look like?

As mentioned, IT policies must be as fluid as the industry they serve.

Security standardization around ISO 27001 and recent developments in data protection legislation—such as GDPR—have put pressure on policies to be updated, relevant and properly implemented. And, more data, near daily data breaches and changes in data storage technology mean an increased risk for unauthorized data exposure, even for old data.

Ensure your IT policies are updated regularly and comprehensively to include end-of-life data sanitization. Don’t unnecessarily risk the price of a data breach, whether it’s on your network, in archives or on drives intended for destruction.

Next steps

Originally published September 3, 2018, updated and expanded September 18, 2019, with record breach costs updated June 1, 2022.