Determining an Enterprise-Class Data Erasure Strategy

There are several components that comprise an effective enterprise-class data erasure strategy. Some of the critical questions to ask and essential criteria to consider when developing data leak prevention and asset disposal policies include:

Regulations - what specific industry regulations or legislation (e.g. GLB, PCI, HIPAA, and FACTA) is our organization subject to and what are their requirements for data and IT asset disposal?

Internal Policies - do we have written policies that reflect these requirements? Is our organization able to effectively enforce those policies?

Audit-Related Factors - are any of our existing policies and practices auditable?

Many corporate IT departments use simple overwriting functions available in many disk utilities. However, these tools may have significant drawbacks which could compromise an organization’s security. Highly effective enterprise-grade overwriting software must have the following functions and capabilities in order to ensure the integrity of the data sanitization process:

Security & Performance:

Compatibility - compatibility with, or the capability to run independently of, the OS loaded on the drive.

Independence - the capability to run independently of the type of hard drive being sanitized (e.g., Advanced Technology Attachment (ATA)/Integrated Drive Electronics (IDE) or Small Computer System Interface (SCSI) type hard drives).

Overwriting - a capability to overwrite the entire hard disk drive independent of any Basic Input/Output System (BIOS) or firmware capacity limitation that the system may have.

Detection - a capability to detect, report and overwrite locked and hidden sectors such as HPA, DCO and remapped sectors, as well as to wipe hot spare hard drives in RAID configurations.

Reporting & Auditability:

Certification - a capability to provide the user with an erasure certificate/report indicating that the overwriting procedure was completed properly.

Hardware Configuration - a capability to identify and report vital HW configuration information with computer serial numbers and asset tags.

License Harvesting - a capability to identify and report information such as main SW serial keys for license harvesting.

Digital Signatures - a capability to ensure the report's integrity with digital signatures.

Integration of Data - a capability to provide a means for easy report integration, e.g. into asset management systems.

Finally, a qualified service provider should have the following attributes:

  • They must be insured (a minimum of USD 1 million).
  • They must be reputable and use proven software and operational techniques.
  • They must have certified engineers for onsite work and support.
  • They must be able to provide certificates that include serial numbers.
  • They must be able to provide erasure reports to verify each disk that has been erased.
  • They must provide alternatives for both software-based erasure and data destruction, with an ability to combine solutions to keep operating costs low.
  • They must be able to provide references.

Did You Know

  • Identity theft is the top consumer complaint in the USA according to the Federal Trade Commission.
  • US consumers reported fraud loss totalling more than $1.1 billion in 2006.
  • Credit card fraud (25%) was the most common form of reported identity theft in the US in 2006.
  • More than 100 000 people are affected by identity theft each year in the UK.
  • According to Privacy Rights Clearinghouse, more than 350 data loss incidents involving more than 140 million records have occurred since February 2005.
  • Organisations are obliged by law to take adequate steps to ensure the proper disposal of data.


