ISO 27001:2022 A 7.14 Secure disposal or re-use of equipment

Organizations must ensure that the process for the disposal or re-use of equipment is strictly controlled. The improper disposal or re-use of any information system, system component, or storage device could compromise the confidentiality of data by inadvertently making it available to unauthorized audiences, which could easily result in a reportable security incident or data breach. All media should be disposed of safely and securely when it is no longer needed, using formally documented procedures to ensure that any protected or otherwise sensitive data has been completely removed or securely overwritten prior to disposal. Information systems or other devices that contain sensitive or protected information should be physically destroyed, or the information must be destroyed, deleted, or overwritten using techniques that make the original information non-retrievable. These techniques must remove the original data permanently; the standard delete or disk-formatting functions do not. It is highly recommended that your organization hold all devices or media scheduled for destruction locally until the materials are destroyed or shredded onsite by an approved internal process or external provider.

All items of equipment, including storage media, should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. This is another area of common vulnerability: many incidents have arisen from poor disposal or re-use practices. If equipment that contained sensitive information is being disposed of, it is critical that data-bearing devices and components are either physically destroyed or securely wiped using appropriate tools and technologies. If equipment is going to be re-used, any previous data and any installed software must be securely wiped and the device returned to a known clean state.

Depending on the sensitivity of the data on the equipment being destroyed, physical destruction may be necessary, and this should be done using a process that can be fully audited.

Control

Items of equipment containing storage media should be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Purpose

To prevent leakage of information from equipment that is to be disposed of or re-used.

Implementation Guidelines

Prior to disposal or re-use, equipment should be checked to determine whether it contains storage media. Storage media containing confidential or copyrighted information should be physically destroyed, or the information should be destroyed, deleted or overwritten using techniques that make the original information non-retrievable, rather than using the standard delete function. Labels and markings identifying the organization or indicating the classification, owner, system or network should be removed prior to disposal, including before reselling or donating to charity. The organization should consider the removal of security controls such as access controls or surveillance equipment at the end of a lease or when moving out of premises. This depends on factors such as:

  1. its lease agreement to return the facility to original condition;
  2. minimizing the risk of leaving systems with sensitive information on them for the next tenant (e.g. user access lists, video or image files);
  3. the ability to reuse the controls at the next facility.

Other Information

Damaged equipment containing storage media can require a risk assessment to determine whether the items should be physically destroyed rather than sent for repair or discarded. Information can be compromised through careless disposal or re-use of equipment. In addition to secure disk deletion, full-disk encryption reduces the risk of disclosure of confidential information when equipment is disposed of or redeployed, provided that:

  1. the encryption process is sufficiently strong and covers the entire disk (including slack space and swap files);
  2. the cryptographic keys are long enough to resist brute force attacks;
  3. the cryptographic keys are themselves kept confidential (e.g. never stored on the same disk).

Techniques for securely overwriting storage media differ according to the storage media technology and the classification level of the information on the storage media. Overwriting tools should be reviewed to make sure that they are applicable to the technology of the storage media.
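To make the difference between a standard delete and a non-retrievable overwrite concrete, here is a constructed toy model of raw storage media; it is an added example, not code from the article or from ISO 27001. Unlinking a file only drops its directory entry and a raw scan still finds the data, while overwriting the file's blocks (slack included) followed by a verification read of the whole device, the pre-disposal check the control asks for, finds nothing. The `ToyMedia` class and its method names are assumptions of this example.

```python
# Constructed toy model (an added example, not code from the article or the ISO
# standard): a raw block device plus a directory table, showing why a standard
# delete leaves data recoverable while an overwrite plus verification read does not.
BLOCK = 16  # constructed: tiny block size so the raw image stays readable

class ToyMedia:
    """Simulated storage device: raw bytes plus a directory (name -> block range)."""
    def __init__(self, blocks: int) -> None:
        self.raw = bytearray(blocks * BLOCK)
        self.directory = {}  # name -> (first_block, nblocks)
        self.next_free = 0

    def write_file(self, name: str, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK)  # ceiling division: whole blocks used
        start = self.next_free
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        self.directory[name] = (start, nblocks)
        self.next_free += nblocks

    def standard_delete(self, name: str) -> None:
        """Like rm or a quick format: only the directory entry disappears."""
        del self.directory[name]

    def secure_overwrite(self, name: str, pattern: bytes = b"\x00") -> None:
        """Overwrite every block the file occupied (slack included), then unlink."""
        start, nblocks = self.directory[name]
        span = nblocks * BLOCK
        self.raw[start * BLOCK:start * BLOCK + span] = (pattern * span)[:span]
        del self.directory[name]

def raw_recover(media: ToyMedia, marker: bytes) -> bool:
    """Forensic-style raw scan: is the marker still present anywhere on the media?"""
    return marker in bytes(media.raw)

def verify_sanitized(media: ToyMedia, pattern: bytes = b"\x00") -> bool:
    """Pre-disposal check: read the whole media and confirm only the pattern remains."""
    expected = (pattern * len(media.raw))[:len(media.raw)]
    return bytes(media.raw) == expected and not media.directory

def demo() -> tuple:
    """Same confidential file on two devices: one merely 'deleted', one overwritten."""
    secret = b"CONFIDENTIAL client list: Alice, Bob"  # constructed sample data
    deleted, wiped = ToyMedia(blocks=8), ToyMedia(blocks=8)
    for m in (deleted, wiped):
        m.write_file("clients.csv", secret)
    deleted.standard_delete("clients.csv")
    wiped.secure_overwrite("clients.csv")
    # returns (recoverable, passes check) for the deleted device, then for the wiped one
    return (raw_recover(deleted, b"CONFIDENTIAL"), verify_sanitized(deleted),
            raw_recover(wiped, b"CONFIDENTIAL"), verify_sanitized(wiped))
```

On real hardware the same verification step is a full read-back of the device after the wipe tool has run, and it is exactly what exposes a tool that is not suited to the media technology (for example one that overwrites only the logical addresses it can see).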

IT equipment should be maintained properly and disposed of securely. Information stored in equipment being disposed of, redistributed, or sold must be securely removed to prevent its disclosure to unauthorized parties. All equipment containing storage media should be checked to ensure that sensitive data and licensed software have been removed or securely overwritten prior to secure disposal.

All equipment has a life cycle, after which it is necessary to get rid of it. Be careful with this point: remember that your organization’s information is stored on computers and servers, and it can remain there even if you believe you have removed it. Therefore, to avoid possible leakage of information from computers that are re-used or eliminated, you should securely erase the information (through software) or physically destroy the hard drive that contains it. If you want to add an additional layer of security, you can encrypt the information before destroying it; in this way, in the hypothetical case that someone could recover the information through some mechanism, they would then still have to decrypt it. Organisations should take the following into account for compliance:

1. A proactive approach should be adopted: Before disposal takes place or the equipment is made available for reuse, organisations must confirm whether the equipment contains any information assets and licensed software and should ensure that such information or software is permanently deleted.

2. Physical destruction or irretrievable deletion of information: The two methods by which the information contained in equipment can be securely and permanently removed:

  • Equipment hosting storage media devices that contain information should be physically destroyed.
  • Information stored on the equipment should be erased, overwritten, or destroyed in a non-retrievable manner so that malicious parties cannot access information.

3. Removal of all labels and markings: Components of the equipment and the information contained in it can have labels and markings that identify the organisation or that disclose the name of the asset owner, network, or information classification level assigned. All these labels and markings should be irretrievably destroyed.

4. Removal of Controls: Taking into account the following conditions, organisations may choose to uninstall all security controls such as access restrictions or surveillance systems when they vacate facilities:

  • The terms of the lease agreement related to conditions on which it needs to be returned.
  • Eliminating and mitigating the risk of unauthorized access to sensitive information by the next tenant.
  • Whether the existing controls can be reused at the next facility.

5. Damaged Equipment: When damaged equipment containing information is sent for repair, it may be exposed to the risk of unauthorized access by third parties. Organisations should carry out a risk assessment taking into account the level of sensitivity of the information and consider whether destroying the equipment is a more viable option than repair.

6. Full-Disk Encryption: While the full-disk encryption technique greatly minimizes risks to the confidentiality of information, it should adhere to the following standards:

  • Encryption is robust and it covers all parts of the disk, including slack space.
  • Cryptographic keys should be long enough to prevent brute force attacks.
  • Organisations should maintain the confidentiality of cryptographic keys. For example, the encryption key should not be stored on the same disk.

7. Overwriting Tools: Organisations should choose an overwriting technique taking into account the following criteria:

  • Level of information classification assigned to the information asset.
  • Type of storage media on which the information is stored.

An important input for media disposal is information classification. Many companies classify their information, because not all media hold the same information, and not all of the information has the same value for the business. For example, there is a big difference between a USB pen drive containing a PDF file with a presentation of the business (which can be considered public information) and a USB pen drive containing the company’s database of clients (which can be considered confidential). If the information is public, we can share it in the public domain, because there is no risk of confidential information leakage. But if the information is not public (confidential, restricted, internal, etc.), we need to store and dispose of it in a secure way, because it carries a risk of confidential information leakage, which can destroy the business as well as show noncompliance with legal regulations.

Besides handling confidential information securely, there are other reasons for secure asset and media disposal. They may appear to be simple activities, since we generally only dispose of things that we deem no longer needed or not valuable. However, thinking about environmental recycling activities, you can see that what is worthless to someone can be highly valuable to someone else. The same applies to information. A piece of information we consider not valuable can lead a competitor to gain a business advantage, a criminal to exploit an organization’s weaknesses or, worse, cause damage to a customer’s or person’s life through the use of personal or private information to commit a crime while posing as those persons. No less important, in some cases clients and potential business partners ask for a hard drive destruction certificate. Equipment containing storage media shall be verified to ensure it is free of sensitive information prior to disposal or re-use. As with other forms of control, secure disposal should be supported by an organizational policy.

  • Disposal procedures should be proportional to the information classification level: The higher the classification, the greater the assurance required that information cannot be retrieved after disposal. Shredding or incineration of the media, or overwriting the data, are examples of good practice.
  • Clear identification of information that will require secure disposal: By the use of a watermark or colored border, it is easier to identify the information that should be securely disposed of.
  • Dispose of media mixing different types: The greater the mix of different items (e.g., CDs, HDDs, paper, etc.), the harder it is to recover a specific medium, and the more secure the disposal.
  • Control access to accumulated media awaiting disposal: A large quantity of non-sensitive information put together can make it possible to retrieve sensitive information (the aggregation effect). For example, a great number of old published market reports put together may allow someone to figure out a trend related to a sensitive market strategy. Think about defining a short accumulation period or a small storage volume before executing the disposal procedures.
  • Keep traceability of sensitive disposed items: To ensure the items were properly disposed of, keep a log listing, at a minimum, who performed the procedure, when, and what method was used.
  • Equipment verification prior to disposal or re-use: Verify whether storage media (e.g., a hard drive or memory chips) is contained within the equipment. You could use a disposal checklist to ensure critical elements are verified.
  • Use of non-retrievable methods: Physical destruction (e.g., by grinding or shredding) or overwriting techniques, with specific or generic patterns, should be used to dispose of highly sensitive information.
  • Evaluation of damaged equipment: Sometimes damaged devices need to be sent to external parties for repair. In these situations, the device should be assessed for sensitive data to determine whether it should be physically destroyed rather than sent for repair or discarded. ISO 31010 presents a good list of risk assessment techniques which can be used.
Sometimes the volume of items, or the technical requirements for disposal, makes the use of specialized organizations a good option, but care should be taken in selecting a suitable organization. Criteria you should consider are how it manages its security, the disposal methods it uses and its experience with your industry. Be sure to include all of this in the service contract. There are many reputable service providers available to perform shredding and destruction services on-site at your organization’s location. While there is a cost associated with these services, this service is their core competency. You may find after a quick cost-benefit analysis that their secure handling, on-site destruction, and delivery of Certificates of Destruction to your organization are worth the investment.

5 tips for media disposal

  • Physically destroy the media. You can do this, for example, by incineration, shredding, etc. This physical destruction is also applicable to damaged devices. But be careful, because a damaged media device can still hold sensitive information that could be restored; to avoid this, you should destroy it physically.
  • Securely delete the information. There are software tools that you can use to overwrite the information, or to delete it in a secure way.
  • Select an external party. There are many companies providing media destruction services, but here you need to take care with the selection of the provider and define a non-disclosure agreement.
  • Avoid the aggregation effect. It is better if you avoid having a lot of media containing non-sensitive information, because something within the group could become sensitive information.
  • Register the disposal: Registering the disposal provides you with useful information for audit trails (what media has been destroyed, or what media is reusable, etc.).

Tips for Hard drive disposal

  • Encrypt the entire hard disk, using a strong algorithm and a lengthy password.
  • Delete all the information in a secure way, using software solutions (there are many free solutions).
  • Physically destroy the media device (incineration, shredding, etc.).
  • In reality, combining all of these methods would only be applicable to the most critical and sensitive data; for data with less criticality, only one of these methods will be enough.
If you need assistance or have any doubts and need to ask any questions, contact me at preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy to publish your contributions. Your comments and suggestions are also welcome.