Organizations must ensure that the process for the disposal or re-use of equipment is strictly controlled.
The improper disposal or re-use of any information system, system component, or storage device could potentially impact the confidentiality of data by inadvertently making it available to unauthorized audiences. This could easily result in a reportable security incident or data breach. The secure disposal and re-use of information assets is the focus of pitfall #26 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
All media should be disposed of safely and securely when it is no longer needed. This should be performed using formally documented procedures to ensure that any protected or otherwise sensitive data has been completely removed or securely overwritten prior to media disposal.
Information systems or other devices that contain sensitive or protected information should be physically destroyed or the information must be destroyed, deleted, or overwritten using techniques to make the original information non-retrievable. These techniques must remove the original data permanently, rather than using the standard delete or disk formatting functions. It is highly recommended that your organization holds all devices or media scheduled for destruction locally until the materials are destroyed or shredded onsite by an approved internal process or external provider.
There are many reputable service providers available to perform shredding and destruction services on-site at your organization’s location. While there is a cost associated with these services, this service is their core competency. You may find that their secure handling, on-site destruction, and delivery of Certificates of Destruction to your organization is worth the investment after a quick cost-benefit analysis.
If your organization doesn’t have a handle on IT asset inventory, look into active and passive discovery tools to help you maintain and update the inventory. If you don’t have the resources to manage it on your own, the ASCENT Portal can help your team identify, document, and maintain assets.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.