Managing the Risk of Hidden Data

From Wikibon


In the world of data security and privacy, we've come a long way from my days in banking. More than twenty years ago, I purchased 10 used IBM mainframe disk storage systems from a broker. They were probably 3380s. When the storage team installed the systems, they found data from one of our competitors still on the drives.

Today, at the data center level, companies, at least those in highly regulated industries, are much more careful about erasing data or destroying drives when data center storage systems are retired. But while that area of vulnerability and compliance exposure is better managed, other areas have gotten much worse.

Today, almost every piece of technology has an IP address, and each device carries embedded data in small non-volatile stores. Here you are looking for tiny bits of sensitive data in non-volatile memory, not the hard drives we are used to dealing with. Memory supporting phone-home capabilities may contain both IP addresses and log-in credentials, creating a back door into corporate networks after the asset is taken out of production. In short, the internet of things, mobility, and automated monitoring and reporting have created an internet of vulnerabilities, most of which are poorly managed.
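The kind of check an asset-disposal team would run on such a device is to pull the configuration partition or NVRAM image, scan it for phone-home addresses and stored credentials, overwrite it, and then confirm that a second scan of the image comes back clean. The following is an added example, not code from the Wikibon article or from any ITAD supplier; the image it scans is constructed for illustration, and the key names it looks for are assumptions about how a monitoring agent might label its settings.

```python
"""Scan a raw non-volatile memory image for phone-home addresses and
credentials, then verify that an overwrite removed them.

Added example. The image below is constructed for illustration and is
not taken from any real device; the key names are assumed conventions.
"""
import re

# Constructed NVRAM/config-partition image: a few bytes of binary filler,
# then NUL-terminated key=value settings of the kind a monitoring agent
# might store. The last address has an out-of-range octet on purpose so
# the validation step has something to reject.
SAMPLE_NVRAM = (
    b"\x00\xff\x10\x00BOOT\x00\x00"
    b"fw=3.1.7\x00"
    b"phone_home_host=monitor.example.internal\x00"
    b"phone_home_ip=10.20.30.40\x00"
    b"user=svc_printer\x00"
    b"password=Winter2019!\x00"
    b"mgmt_ip=192.168.300.1\x00"
    + b"\x00" * 16
)

# A dotted quad that is not part of a longer digit/dot run (so five-part
# version strings do not match); octet range is checked separately below.
_IPV4_RE = re.compile(
    rb"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])"
)

# Assumed credential key names followed by '=' or ':' and a value that
# stops at whitespace, NUL, ';' or ','. Matching is case-insensitive.
_CRED_RE = re.compile(
    rb"(?i)\b(user(?:name)?|pass(?:word|wd)?|token|secret|api[_-]?key)"
    rb"\s*[=:]\s*([^\s\x00;,]+)"
)


def find_ipv4(blob: bytes) -> list[str]:
    """Return every syntactically valid IPv4 address in the image, in order."""
    found = []
    for m in _IPV4_RE.finditer(blob):
        if all(int(octet) <= 255 for octet in m.groups()):
            found.append(m.group(0).decode("ascii"))
    return found


def find_credentials(blob: bytes) -> list[tuple[str, str]]:
    """Return (key, value) pairs that look like stored log-in material."""
    return [
        (key.decode("ascii").lower(), value.decode("latin-1"))
        for key, value in _CRED_RE.findall(blob)
    ]


def scan(blob: bytes) -> dict:
    """Collect both kinds of findings for a disposal report."""
    return {"ipv4": find_ipv4(blob), "credentials": find_credentials(blob)}


def wipe(blob: bytes) -> bytes:
    """Simulate a full overwrite of the image with zeros."""
    return bytes(len(blob))


def verify_wiped(blob: bytes) -> bool:
    """True only if nothing sensitive is found and every byte is zero."""
    return not find_ipv4(blob) and not find_credentials(blob) and not any(blob)


if __name__ == "__main__":
    before = scan(SAMPLE_NVRAM)
    print("findings before wipe:", before)
    after = wipe(SAMPLE_NVRAM)
    print("wipe verified:", verify_wiped(after))
```

Two caveats apply in practice. A regex scan over the logical image only proves that the copy you read back is clean; flash with wear levelling can keep stale copies in spare blocks that the device's normal interface never exposes, which is why physical destruction remains the conservative choice for anything that held credentials. And a scan like this finds only what it is told to look for, so the key list above should be tuned to the vendor's actual configuration format rather than taken as complete.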

Beyond that, organizations need better processes for documentation and reporting. Whether responding to an auditor, a regulator, a customer, or an investigator in a criminal case, it is not simply the action that matters, but the ability to prove that you took it.

Action Item: The jobs of the Chief Information Security Officer (CISO) and the head of Risk Management now extend well beyond the data center and the corporate firewall. Security in the Internet of Things includes printers, copiers, IP phones, intelligent PDUs, mobile devices, smart power, and eventually smart cars. IT Asset Disposal (ITAD) service suppliers can be important partners in managing risk. Seek ones that have a core competency in discovering and destroying embedded data, and demonstrable expertise in documentation, reporting, and chain-of-custody procedures, as well as in asset destruction, asset re-marketing, environmental compliance, and export compliance.
