IAITAM Preview: Auditing your hard drive retirement process

Samuel Peery

Ahead of the IAITAM Spring Conference taking place in Las Vegas, April 28 – May 1, I interviewed Samuel Peery, Director of Marketing at WhiteCanyon Software, about his presentation “Auditing your hard drive retirement process”.

In just a few words, tell us what it is you do. What does an average day look like for you?

I’m Director of Marketing and Product Management at WhiteCanyon Software, maker of WipeDrive.  I spend most of my time involved with how customers use our product and how to improve the overall customer experience.  I love investigating how our customers operations to determine best practices and how our software can improve their existing processes.

Your session at the IAITAM conference is going to look at auditing your hard drive retirement process. Why do you feel this is so important?

Auditing your process gives you a chance to step back and look at the whole picture.  It’s easy to get caught up in any one step and make myopic decisions that don’t make sense in context of the whole process.  One simple example of this is that many people look at the retirement process as only the point at which they send a computer or hard drive to a third party recycling company, when in fact the “process” may have started months ago when the last employee using the computer left the company.  By stepping back, it’s easier to see all the pieces involved and how they fit together.

Can you provide us with an example of one of the critical risk factors associated with retiring hard drives?

Another simple example is location and personnel risk.  Let’s look at a retired laptop for instance.  The moment the laptop stops being used and is designated to be retired, the clock starts ticking.  At that point it’s at risk for a data breach and you should look at all the locations it passes through as well as the people who have access to it.  If a laptop is sitting on a desk in a cubicle, there could potentially be hundreds of employees or visitors who could access it.  After it’s moved to a back room for storage, you should ask how secure the storage room is.  Who has access to the room?  Is the room locked?  It’s not uncommon for retired computers or hard drives to sit in a storage room for months, while they are batched up, before they are processed further.  If you then send your computers to a third party for processing it’s important to ask where they store computers waiting to be processed?  Are they in a locked storage area or out in the open on a warehouse floor.  What third party employees pass through the facility that might have access to your computers?  Are they certified technicians or transient part time labor?

Just because your hardware is out of sight, doesn’t mean it’s not still at risk.

What are some of the key elements of a successful hard drive retirement process?

From a security standpoint there are five main risk factors companies face

1. Velocity risk which addresses how quickly data is sanitized
2. Location risk addresses how secure each location is where drives are stored
3. Personnel risk addresses who has access to drives and data
4. Tool risk addresses the method used to either sanitize drives or physically render them inoperable
5. Third party risk addresses how secure third parties are who process drives and any security measures they take.

It’s important to address all risk factors and identify those most weak within your organization.  Looking at your processes through the lens of these risk factors helps you identify problems more easily and quickly.

What are some of the red flags in a poor hard drive retirement process?

The biggest red flag I see is when companies blindly rely on third parties for data sanitization and drive disposal.  It’s easy and convenient to just hand your drives off to a third party and assume they’ll handle drives properly but doing so is very risky.  While there are many reputable recycling and remarketing companies that take security seriously, there are also those that are more transient and take security short cuts to maintain high profits.  Asset managers need to know exactly how their assets are handled once they leave the premises. When possible we recommend making an on-site visit to the third party to see first-hand how assets are handled.

What would your advice be to someone if they don’t even have a hard drive retirement process to begin with?

My advice would be similar to someone auditing an existing process: focus on areas that give you the greatest security enhancements. For someone just starting, probably the best step they can take is to systematically ensure all hard drives are sanitized as soon as they are marked as retired.  From a security standpoint this will give you the most peace of mind.

What do you think the biggest challenge is that people face when it comes to data sanitization? How do you recommend overcoming this challenge?

The biggest challenge with data sanitization is people using improper tools such as non-certified software.  Freeware software doesn’t wipe the entire drive and misses hidden drive sectors.  It also doesn’t provide audit logs so you can prove the data has been sanitized.  It’s vital to track any efforts taken to sanitize data for your own legal protection but also to ensure no drives are missed.

If you could only give one piece of advice when it comes to hard drive retirement what would it be?

The most important risk factor is velocity risk, or how quickly data is sanitized.  If data is sanitized at the beginning of your retirement process, you completely eliminate any risk of data compromise downstream.  In essence, placing sanitization at the beginning of the retirement process covers a multitude of sins and weaknesses later in your process.

From a data security perspective, it won’t matter how secure your process is, how many people access your drives, or where you store them because the data is no longer there.  In contrast, if sanitization takes place at the end of your retirement process you now have to take measures to ensure the data is safe at each step of the process.  This leads to not only less efficient processes but also increased costs because you have to invest in secure storage facilities and use more expensive forms of shipping that track chain of custody, among other things.  We like to say, remove the data, remove the risk.

What is the most important lesson you have ever learned when it comes to ITAM?

As I mentioned earlier, don’t lose sight of the big picture by focusing on any one step too much.  Your retirement process is only as strong as your weakest link so focusing on one step while neglecting others may not be in your best interest.  The one exception is moving sanitization to be the first step of your process.

Any final pieces of advice?

Take advantage of the resources IAITAM offers.  There is a wealth of information that is available for newbies and veterans alike to help you navigate the terrain.