Weapons of mass data destruction

What's the best way of securely disposing of your enterprise's sensitive data? Davey Winder investigates...

Whether you opt for in-house or outsourced disposal, you should by now have realised it really is imperative procedures for the secure disposal of data, including the hardware upon which that data may reside, are included as part of your enterprise information security policy.

 This cannot be overstated, and that policy should form the base for all data erasure and hardware disposal procedures. It is also essential, as nicely highlighted by the NHS Surrey case we previously mentioned, that data erasure and hardware destruction are not treated in isolation.

If the company doing the disposal had followed a documented process of logging actions as they were performed,  and had first erased the data and then destroyed the hardware, that Trust would have been 200,000 better off.

 While it is a given that implementing a method of secure data erasure and physical destruction of the drive in combination is going to provide the most reliable method of permanently disposing of data, we cannot state categorically that this is the most sensible option for everyone.

Advertisement - Article continues below

It is essential, therefore, that any data disposal policy includes a method of classifying data and categorising it in terms of confidentiality and value.

Common sense must prevail.  While all data may be equal when it comes down to bits and bytes, when it comes to data value, then some is more equal than others. It is essential, therefore, that any data disposal policy includes a method of classifying data and categorising it in terms of confidentiality and value.

Government bodies use a system of Impact Levels that classify data as being from IL1 through to IL5, and the disposal methodology varies according to the classification it bears. This may sound a little secret squirrel for your average company, but the principle is perfectly logical.

There is no point hiring a van with an industrial shredder on the back (yes, they do exist) that will all but disintegrate any drives thrown through it if the data involved could be safely degaussed or overwritten to prevent it being read when the drive is reused.

The cost efficiency side of data destruction shouldn't be overlooked either. If your data can safely be erased without a regulatory requirement for the drive it was sitting on to be vaporised, then it makes sense not to destroy it.

After all, a computer with a functioning hard drive has a greater resale value on the second hand market if you take that route with old equipment, and a functioning drive can often be repurposed within the business as well.

Finally, ensure your data disposal policy is kept up to date and covers all bases. By that we mean an end-of-life policy must consider all methods of data storage from desktop and LAN drives through removable media, mobile devices and the cloud. The latter will, of course, open up a whole new can of regulatory and practical worms, but that's an IT Pro story for another day.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now

Most Popular

Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019

Five signs that it’s time to retire IT kit

29 Nov 2019
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019