Don't Skip File and Disk Shredding Steps

Ralph DeFrangesco

Technology changes very quickly today; at this point, the technology refresh curve for most companies is three to four years. That means that hardware -- PCs and laptops specifically -- is upgraded every few years. But what happens to all of the data on the hard drives when the hardware is upgraded? This should be of particular importance to IT executives because they could have a potential liability on their hands. Remember, data is never really erased when you delete it. In the hands of an expert, data on a hard disk can easily be recovered.

 

The Internet, news and blogs are filled with stories of companies and individuals that have retired hard drives only to find the information come back to haunt them. Some companies are required to retain and ensure access to information for years. Companies operating in highly regulated industries, such as health care organizations working according to HIPAA regulations, are required to provide reasonable protection of sensitive data.

 

There are many cost-effective solutions for destroying data on a hard drive. Hard drive shredding is a cottage industry that has emerged just for this reason, in fact. Companies will come to your site with a mechanical shredder mounted on the back of a truck. The company records the hard drive's serial number, shreds the drive, and gives you a certificate stating that it was destroyed, by whom, and on what date.

 

There are also many free and commercial off-the-shelf (COTS) software packages that allow users to electronically shred files on their hard drives. File Shredder is an application released under the GNU license that allows the user to permanently remove files from a hard drive. Best of all, it's free.

 

Secure Clean is a commercially available product that is reasonably priced, easy to use, and designed to permanently remove files. Secure Clean includes free upgrades, a cleaner scheduler, and the ability to wipe Google, MSN and Windows Explorer search items.


 

I am often embarrassed as an IT professional when I hear that data was not taken off a discarded hard drive. With the technology that exists today, there is no reason, even from a financial perspective, that information is not destroyed prior to retiring a hard drive.



Dec 9, 2008 10:23 AM Jason Hall says:
Ralph, I agree with your comment that it is embarrassing (as an IT professional) to learn of companies that have not disposed of data accordingly. I think the problem continues to lie with IT overall, not corporate. We operate in an environment where corporations put trust in their IT Departments, but IT Departments are not taking this responsibility seriously. It is no wonder that IT leadership, such as CIOs, CTOs, etc. are on the downslide. What value do they bring if they are not effectively managing an organization's business and technology requirements? I believe that is one reason you see more companies leaning to contract and not permanent placement. Perhaps you can address the role of CIO in an organization and how statistics show its rise or drop over the last few years. Thanks for the post.
Jason Hall
Dec 9, 2008 12:06 PM Todd Glassey says:
So then what do you do about people like DELL computer whose service policy requires that you return each replaced disk-drive to them. The problem is of course this implies that the content was capable of being wiped without updating or rebuilding the controller firmware. Since many disk failures will require the destruction of the media since it cannot reliably be wiped this means that the service policies of those larger carriers like DELL and HP need to be properly adjusted to address these requirements.
Todd Glassey
Dec 10, 2008 12:31 PM Partha says:
Dear Ralph,
The issue you have stated is a challenge and sometimes a nightmare for most of the InfoSec professionals. Many a time, even after repeated reminders, the organization is not responding as it looks only on the investment to be made to procure the assets but does not look into the value of data. This tendency leads to an utter failure in safeguarding the data - as it is stated "If you fail to Plan, then you plan to Fail - Anonymous" for a BC but, this statement fits for all situations, where there is a failure to protect - it may be in terms of associate, assets, infrastructure, process, technology, etc.
Thanks for the nice post and the pointers you brought in - certainly, it helps the InfoSec Professionals to once again remind the organization to ensure protection of sensitive data with due disposal and destruction modes. Have a nice day and keep posting the good learnings for the benefit of society.
Regards,
Partha
Dec 12, 2008 10:50 AM Ralph DeFrangesco says:
Todd,
Great point. I still think that you have an option even if you can't access the disk to wipe it. I know people who have used magnetic erasers. They have had very good results using this method. For the home user it may not be feasible. In that case you can try an earth/permanent magnet. Thank you for pointing out this issue.
-Ralph
Dec 12, 2008 10:54 AM Ralph DeFrangesco says:
Partha,
Thank you for your post. I totally agree with your comment about planning and that most companies do not have a plan for proper data removal or disk disposal.
-Ralph
