Data Security Gap Analysis for Highly Regulated Organizations


Decommissioning your servers, HDDs, SSDs and other IT assets before they leave your data center can be a challenging process. Whether these assets are leased and are being returned to the manufacturer or are being shipped to an IT asset disposition partner, it's important to make sure that your company and customer information is secure. In addition, keeping up with new and updated compliance regulations, while also ensuring your data center remains efficient, is a major challenge for enterprise data center managers.

Use the checklists below to help your organization achieve its maximum efficiency by finding possible gaps in your data center IT asset decommissioning policies.

Checklist One: Overall Best Practices for IT Asset Decommissioning

From ensuring data security to getting the most value out of your assets, here are some best practices you should be following for IT asset decommissioning.

- Do you have a documented lifecycle process for your IT assets, including secure decommissioning at end-of-life?
- Are you conducting regular data security audits of your IT assets and decommissioning process?
- Do you consider embedded media (such as HDDs in servers) as part of the IT asset decommissioning process?
- Do you have a process in place to determine which assets should be physically destroyed and which can be erased and reused?
- Do you know the value of assets before they are decommissioned, and do you consider this value throughout the process?
- Do you monitor your assets as they are upgraded, and do you have an outlined refresh process in place?

Checklist One (continued)

- Do you know in advance whether you will recycle or remarket your asset?
- When decommissioning assets, do you place them in a quarantined room with restricted and monitored access?
- Do you audit IT asset disposition providers? Do you ensure that they have the proper qualifications and processes in place to protect your company's sensitive information?

Mostly Yes: You're well on your way to meeting best practices for decommissioning your IT assets. Continue to prioritize data governance best practices throughout your organization. These proactive policies help keep your customer, employee and business data secure.

Mostly No: Not meeting best practices for IT asset decommissioning can put your company's information at risk. Perform regular audits of your organization's data security practices, and ensure that you're getting the most value out of your IT assets by erasing data instead of physically destroying assets whenever possible. A secure data erasure process can help you ensure compliance and build residual value around your assets.

IT Asset Disposition (ITAD) Outsourcing

Whether you physically destroy assets internally or partner with an external IT asset disposition vendor, there are several questions you can ask yourself to determine whether your assets are at risk.

- When drafting written agreements with ITAD providers, do you include provisions that specify that all PII must be destroyed?
- Do you fully understand the ITAD vendor's policies and procedures?
- Has the ITAD vendor had any safety violations?
- Does the vendor send equipment to third-party partners?
- Does the ITAD vendor have strong record-keeping practices (shipment records, serial tracking)?
- Does the vendor have the proper environmental certifications?

IT Asset Disposition (ITAD) Outsourcing (continued)

- Do you create or receive a certificate of destruction for auditing and compliance purposes?
- Are SSDs shredded to ½-inch particles or smaller to ensure data sanitization?
- Are all assets physically destroyed to the level necessary for compliance with data privacy regulations?

Mostly Yes: You're well on your way to meeting best practices for physical destruction. Continue to prioritize data protection throughout the destruction process, and don't forget to document the destruction of every asset to achieve data sanitization.

Mostly No: Not meeting best practices for physically destroying IT assets can put your company's information at risk. Keep in mind that most particle shredders cannot physically destroy SSDs to the level required to achieve data sanitization, and that physical destruction may be harmful to the environment. Sometimes physical destruction is your only choice, but in many cases software-based overwriting is an added step that can ensure your data is completely and securely removed.

Data Erasure Software

Not all data erasure software is created equal. Use the following questions to evaluate any current solutions, or use the evaluation to choose a future data erasure software that meets best practices and your company's unique needs.

- Do you see any need for erasure of LUNs after data migration, or for being able to target specific data in a multitenant environment?
- Do you see use cases for erasing specific files and folders, or selected virtual machines, in your operational environment?
- Do you see use cases for logical erasure of SANs, so that the system can continue working after data sanitization?
- Does the software offer solutions for all IT assets in the data center, including servers, hard disks, SSDs, LUNs and virtual machines?
- Does the software provide audit-ready reporting for every erasure?

End-of-Life

- Does the software allow customizable reporting to meet your specific policies and requirements?
- Can the software be automated and controlled remotely?
- Is the software certified by all major international government and industry standards for data erasure?
- Is the software vendor agnostic? Can it easily integrate with your existing software and systems?
- Does the software offer a proven method to effectively overwrite SSDs?
- Does the software allow for the selection of a specific standard, based on your industry's and organization's unique needs?
- Can the software erase several, or even hundreds, of servers simultaneously?
- Can the software erase servers while they are still in-rack?
- Does the software give your compliance and security teams access to view, save or send erasure reports?

Mostly Yes: Your data erasure software is on the right track. Continue to prioritize securely erasing data throughout its lifecycle, and don't forget to document the erasure of every asset to achieve data sanitization.

Mostly No: Your data erasure software is at risk of not meeting data sanitization best practices. To achieve data sanitization, data erasure software must:

1. Allow for selection of a specific standard, based on your industry's and organization's unique needs.
2. Verify that the overwriting methodology has been successful and has removed data across the entire device, or from the targeted data (if specifically called).
3. Produce a tamper-proof certificate containing information that the erasure has been successful and has been written to all sectors of the device, along with data about the device and the standard used.
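The three requirements above (select a standard, verify every sector, issue a tamper-evident certificate) can be shown end to end on a small in-memory "device". The following is an added illustration, not Blancco's code or any product's algorithm: the overwrite patterns table, the device model (a bytearray of 512-byte sectors), the serial number and the HMAC signing key are all constructed for the example. A real product reads the media back through the storage controller and would normally sign the certificate with a private key held by the erasure server; an HMAC stands in for that here so the block runs offline.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

SECTOR_SIZE = 512

# Illustrative overwrite patterns keyed by a standard name (hypothetical table,
# not any vendor's list). Each entry is a list of passes; a pass is either a
# fixed fill byte or None for a cryptographically random pass. The final pass
# is always a fixed byte so that read-back verification has a known expectation.
STANDARDS = {
    "single-pass-zero": [0x00],
    "three-pass": [0x00, None, 0xFF],
}

def sector_count(device: bytearray) -> int:
    """Number of (possibly partial) sectors on the constructed device."""
    return (len(device) + SECTOR_SIZE - 1) // SECTOR_SIZE

def overwrite(device: bytearray, standard: str) -> int:
    """Apply every pass of the chosen standard to every sector; return pass count."""
    passes = STANDARDS[standard]
    for fill in passes:
        for off in range(0, len(device), SECTOR_SIZE):
            remaining = min(SECTOR_SIZE, len(device) - off)
            chunk = os.urandom(remaining) if fill is None else bytes([fill]) * remaining
            device[off:off + remaining] = chunk
    return len(passes)

def verify(device: bytearray, standard: str) -> list:
    """Read back every sector and compare it with the final pass pattern.
    Returns the indices of sectors that do not match (empty list = verified)."""
    expected_byte = STANDARDS[standard][-1]
    failed = []
    for idx, off in enumerate(range(0, len(device), SECTOR_SIZE)):
        sector = bytes(device[off:off + SECTOR_SIZE])
        if sector != bytes([expected_byte]) * len(sector):
            failed.append(idx)
    return failed

def _canonical(body: dict) -> bytes:
    # Canonical JSON so the same body always produces the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(device_info: dict, standard: str, passes: int,
                      total: int, failed: list, key: bytes) -> dict:
    """Build the erasure report and bind it with an HMAC-SHA256 (stand-in for a signature)."""
    body = {
        "device": device_info,
        "standard": standard,
        "passes": passes,
        "sectors_total": total,
        "sectors_failed": failed,
        "result": "SUCCESS" if not failed else "FAILED",
        "issued_at": datetime.now(timezone.utc).isoformat(),
    }
    return {"body": body, "hmac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

def certificate_is_authentic(cert: dict, key: bytes) -> bool:
    """An auditor recomputes the MAC; any edit to the body breaks it."""
    expected = hmac.new(key, _canonical(cert["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["hmac"])

def sanitize(device: bytearray, device_info: dict, standard: str, key: bytes) -> dict:
    """Full flow: overwrite with the selected standard, verify all sectors, certify."""
    passes = overwrite(device, standard)
    failed = verify(device, standard)
    return issue_certificate(device_info, standard, passes, sector_count(device), failed, key)

if __name__ == "__main__":
    # Constructed device: 4800 bytes of fake customer records, i.e. 10 sectors.
    disk = bytearray(b"customer-record-" * 300)
    key = b"constructed-demo-key"          # assumption: in practice a protected signing key
    cert = sanitize(disk, {"serial": "CONSTRUCTED-0001", "model": "demo-ssd"}, "three-pass", key)
    print(json.dumps(cert, indent=2))
    print("authentic:", certificate_is_authentic(cert, key))
```

The verification step is what separates an erasure from a mere write: `verify()` rereads every sector, including the trailing partial one, and the certificate records exactly which sectors failed rather than a bare pass/fail. Because the MAC covers the canonical body, changing the serial number, the standard name or the result after the fact is detectable by anyone holding the key.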

Blancco Data Eraser solutions provide thousands of organizations with an absolute line of defense against costly security breaches, as well as verification of regulatory compliance through a 100% tamper-proof audit trail. Our data erasure solutions have been tested, certified, approved and recommended by 18 governing bodies around the world. No other security firm can boast this level of compliance with the most rigorous requirements set by government agencies, legal authorities and independent testing laboratories.

Find out how Blancco helped one multinational technology company decommission over 800 servers overnight.

Copyright 2018 Blancco Technology Group. All Rights Reserved. rev