How To: Implement A Process for Secure Data Destruction

How To: Implement A Process for Secure Data Destruction

Another day, another data breach. Data protection and privacy concerns are putting organizations under extreme pressure.
While network administrators often feel comfortable with their strategies protecting their IT hardware connected to their network, it is their decommissioned hardware that they remove from their network they are not so sure about. And when the average cost of a data breach in 2020 exceeds $3 million, I start getting asked many questions on how to protect their unused IT assets.

So here are a few simple steps an organization can do to help minimize risk and prevent any financial or reputational damage resulting from reckless handling of their decommissioned hardware.

Implement a Data Destruction Policy Procedure. This can be done by creating a document that contains the necessary steps to perform secure and compliant data destruction. The procedure should include the different types of storage media at risk and how these data devices will be destroyed to NIST 800-88 specifications. It should also list the individuals responsible for carrying out
the procedure.

Perform Due Diligence on all 3rd Party Vendors.

Third-party breaches account for over half of all data breaches in the US, according to the Ponemon Institute.
– Verify they offer a secure chain of custody throughout the process​.
– Verify they have documented data destruction procedures in place.
– Verify they maintain all records and evidence of data destruction, including recording serial numbers of data containing devices.
– Verify the third-party vendor meets NIST 800-88 specifications.
– Verify they are certified to R2, e-Stewards, or NAID and are audited yearly.
– Verify they maintain insurance in case of a data breach​​​​.

Have Contacts in Place for Third-Party Vendors. Insure clauses are in place for verifiable data destruction on all data-containing devices. At the completion of a project, the vendor should supply a Certificate of Destruction / Sanitization and a serialization report of the devices of which the data was destroyed.

Maintain Records. This is best accomplished by creating a “Records Retention Table or Calendar.” Evidence of data destruction often needs to be kept for a specific period to comply with regulatory statutes. A records retention table will ensure you have kept the documented evidence of data destruction for regulatory purposes.

At Adams Cable Equipment, we take pride in ensuring our clients have the peace of mind they deserve when it comes to data security. Our safe, certified approach is vetted by third-party auditors and covered by our million-dollar insurance policy. We have your back!