4 Practical Steps to Building a Data Destruction Policy for Your Business
Data security has become one of the highest priorities for business owners throughout the country in recent years. Reading about high-profile data breaches, whether caused maliciously or accidentally, can make any business owner nervous. Could it happen to your business? While it is impossible to completely remove the risk of a data breach, there are steps you can take to significantly reduce it. Taking these steps to build a secure and reliable data destruction policy will help you avoid paying costly fines, dedicating time and resources to mitigating the damage, and suffering the embarrassment and loss of customer confidence that accompany a data breach.
1. Identify the possible sources of data breach
A data breach, whether accidental or malicious, can be caused by any number of circumstances. In some cases, employees have simply misplaced laptops or other pieces of equipment that contain sensitive information. Other times, hackers infiltrate a business's network and steal sensitive information. Both are relevant scenarios to plan for. One source of data breach that sometimes goes overlooked, however, is the process through which a business disposes of its used and retired IT equipment. Retired IT assets pass through a number of hands and/or locations before reaching their final disposition, usually recycling or remarketing. Without secure and reliable asset-tracking and data-destruction procedures in place, data-bearing devices can slip out of your control.
2. Choose a data destruction method
Whenever your business sends equipment out to be recycled or resold, the sensitive data stored on hard drives and other storage media must be removed beyond any hope of recovery. One way to do this is to destroy the drives physically, usually by crushing or shredding the equipment. However, wiping the data from the drives (data sanitization) while still allowing for their reuse is sometimes a more cost-effective method, especially if you plan on recovering some of your investment in the equipment on the resale market. In the data destruction industry, the NIST 800-88 standard is the reference for ensuring that data has been completely removed from a hard drive. (Prior to NIST 800-88, most people referenced DoD 5220.22-M.) Take note, though: NIST 800-88 is not a government certification, it is a standard, and it only specifies the actual destruction method. To be sure your vendor is following a highly reliable standard like NIST 800-88, as well as industry best practices for the overall secure destruction of your data, look for a certification from a leading third-party organization, such as the National Association for Information Destruction (NAID).
3. Look for NAID AAA certification
Partnering your business with a NAID AAA certified vendor might be the most significant step you take in your data destruction policy. When a data destruction provider has received AAA certification from the National Association for Information Destruction (NAID), either for on-site or plant-based data sanitization, it shows that the vendor has undergone a rigorous auditing process and has demonstrated that its facilities, employees and data destruction practices meet the highest standards. These vendors will be compliant with NIST 800-88.
4. Make data destruction part of your complete IT asset disposition plan
The process through which your business disposes of its retired IT assets includes many steps and many moving parts. For the most secure process, each step should be planned ahead of time, so that everyone in your business knows the proper procedure for IT asset disposition and their place in it. Data destruction should be an integral part of this procedure.
There is a lot of confusing information out there about data destruction. We've tried to dispel some of the more common myths in our free document, "10 Myths About Data Erasure."