Protecting Organisational Information
Introduction
The secure disposal or re-use of equipment containing storage media is a vital component of an organisation’s information security strategy. Ensuring that sensitive data and licensed software are removed or securely overwritten prior to disposal or re-use prevents information leakage and protects against data breaches.
Purpose of Secure Disposal or Re-Use
The primary goal of secure disposal or re-use is to prevent unauthorised access to sensitive information contained within equipment being discarded, resold, or repurposed. This includes mitigating risks associated with both operational and damaged equipment.
Guidelines for Secure Disposal or Re-Use
Verification of Equipment
Verify whether equipment contains storage media before disposal or re-use. This includes identifying all potential data storage components within the equipment.
Secure Data Destruction
Use secure techniques to destroy, delete, or overwrite information, ensuring that original data is non-retrievable. Avoid relying on the standard delete function.
Consider physical destruction for storage media containing confidential or copyrighted information to ensure irretrievable data removal. Refer to Section 7.10 for detailed storage media disposal guidance.
Removal of Identifying Information
Remove labels and markings that identify the organisation, such as classification, ownership, system, or network details. This is critical for equipment being resold, donated, or discarded.
Security Control Removal
At the end of a lease or during relocation, consider removing security controls such as access controls and surveillance equipment. This process should account for:
Lease agreements requiring the return of facilities in their original condition.
Reducing the risk of leaving systems that hold sensitive information, such as user access lists or video/image files, for the next tenant.
Potential re-use of controls at the organisation’s new facility.
Handling Damaged Equipment
Conduct a risk assessment for damaged equipment containing storage media to determine whether physical destruction is necessary instead of repair or disposal.
Additional Considerations
Audit Trail: Maintain a record of all disposed or re-used equipment to track compliance and accountability.
Partner Selection: For external disposal services, select reputable providers with adequate controls and experience to handle sensitive equipment.
Aggregation Risk: When accumulating storage media for disposal, consider the aggregation effect, where large quantities of non-sensitive information could collectively become sensitive.
Supporting Measures
Secure Data Wiping Tools: Use certified tools for securely wiping data from storage media.
Training and Awareness: Provide training for personnel handling equipment disposal or re-use to ensure adherence to organisational policies.
Key Concepts and Domains
Control Type: Preventive
Security Properties: Confidentiality
Cybersecurity Concepts: Protection
Operational Capabilities: Physical Security, Asset Management
Conclusion
Secure disposal and re-use of equipment are fundamental to protecting organisational information and mitigating risks associated with improper handling of storage media. By implementing robust verification, secure destruction, and removal processes, organisations can prevent data leakage and maintain compliance with security standards.
A proactive and structured approach to equipment disposal ensures the safeguarding of sensitive information while supporting sustainable and secure re-use practices.