How well do you know where your sensitive company data is, and how well do you think your employees care for it?
Here is a true story that might make you revisit your data destruction policies.
It started out as a simple task: to buy some new file cabinets for my home office. I walked into a used office furniture store and was directed to a back warehouse with at least 200 filing cabinets. I opened a few drawers to test their sturdiness, and, to my surprise, came across microfiche and CDs that obviously contained a company's billing and customer records.
As I am a CISSP and had just gone through a major data cleanup effort at my previous company, I was shocked. How could this happen? Why would a company not make sure that old office furniture was completely empty of company/client data?
Fortunately for the company whose data I found, I knew someone who worked there. As soon as I got home, I got in touch with this person, and, a few days later, was able to point one of the company's employees to the data payload I'd discovered. We filled up two office paper boxes of microfiche and CDs full of their billing and customer records.
What might have happened if the person who discovered the data was malicious? He or she may have tried to blackmail the company or even gone to the local newspaper. In either case, the reputational damage would have been a huge headache and most likely led to loss of customers, whether existing or new. Such a data breach can also result in compliance violations with any or all of the following federal and state regulations:
- HIPAA (Health Insurance Portability and Accountability Act)
- GLBA (Gramm-Leach-Bliley Act)
- FISMA (Federal Information Security Management Act)
- FACTA (Fair and Accurate Credit Transactions Act)
- OMB Memo (M06-16)
To begin creating a data destruction policy and awareness program for your company, first, identify the types of data your company has and where it resides. Your data retention policy should help you with this endeavor by indicating where both physical and electronic data is stored and for how long. The data destruction policy needs to address how to get rid of the data once it has met the expiration criteria in the data retention policy. You may want to investigate the legal aspects of the data as well by engaging your legal team, and this might also be a good time to discuss with them the processes of reporting a breach of data.
There are many examples of policies on the Internet. NIST Special Publication 800-88 in particular is a good resource for data destruction policies.
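The hand-off described above, from a data inventory and retention schedule to a destruction work list, is the part most companies never automate, which is how microfiche ends up in a used filing cabinet. The following is an added example of my own, not code from the author or from NIST: it takes a small inventory (constructed sample data, not real records), computes each item's retention expiry, and emits a work order with the sanitization method for that medium. The medium-to-method table, the field names, and the `InventoryItem`/`WorkOrder` types are my assumptions; the table only loosely follows the Clear/Purge/Destroy categories of NIST SP 800-88 Rev. 1 and should be checked against the publication and your own policy before use.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Sanitization method by storage medium. This mapping is an assumption that
# loosely follows the Clear / Purge / Destroy categories in NIST SP 800-88
# Rev. 1; confirm the method for each medium against the publication.
SANITIZATION_BY_MEDIUM: Dict[str, str] = {
    "paper": "destroy: cross-cut shred, pulp or incinerate",
    "microfiche": "destroy: shred or incinerate",
    "optical_disc": "destroy: shred, grind or incinerate the disc",
    "magnetic_disk": "purge: overwrite or degauss, otherwise destroy",
}


@dataclass(frozen=True)
class InventoryItem:
    """One entry from the data inventory the retention policy should produce."""
    item_id: str
    data_type: str
    medium: str          # key into SANITIZATION_BY_MEDIUM
    location: str        # physical cabinet/shelf or logical store
    created: date
    retention_years: int

    def expires_on(self) -> date:
        """Retention expiry is the creation date plus the retention period."""
        target_year = self.created.year + self.retention_years
        try:
            return self.created.replace(year=target_year)
        except ValueError:  # created on 29 February, target year is not a leap year
            return self.created.replace(year=target_year, day=28)


@dataclass(frozen=True)
class WorkOrder:
    item_id: str
    location: str
    expired_on: date
    method: Optional[str]  # None means the medium is missing from the policy table

    @property
    def needs_review(self) -> bool:
        return self.method is None


def destruction_worklist(items: List[InventoryItem], today: date) -> List[WorkOrder]:
    """Return a work order for every item whose retention period has ended,
    oldest expiry first. Items on a medium the policy table does not cover are
    still listed (method=None) so they get reviewed instead of silently skipped."""
    orders = []
    for item in items:
        expiry = item.expires_on()
        if expiry <= today:
            orders.append(WorkOrder(item.item_id, item.location, expiry,
                                    SANITIZATION_BY_MEDIUM.get(item.medium)))
    return sorted(orders, key=lambda order: order.expired_on)


# Constructed sample inventory (not real data) so the script runs stand-alone.
SAMPLE_INVENTORY: List[InventoryItem] = [
    InventoryItem("BIL-0001", "billing records", "microfiche",
                  "warehouse, cabinet row 3, drawer 2", date(2001, 3, 1), 7),
    InventoryItem("CUS-0002", "customer records", "optical_disc",
                  "warehouse, cabinet row 3, drawer 4", date(2004, 1, 15), 7),
    InventoryItem("HR-0003", "personnel files", "paper",
                  "records room, shelf B", date(2000, 2, 29), 10),
    InventoryItem("BAK-0004", "server backups", "usb_flash",
                  "IT storage closet", date(2002, 6, 1), 5),
]
SAMPLE_AS_OF = date(2010, 6, 15)  # constructed "today" for the sample run

if __name__ == "__main__":
    for order in destruction_worklist(SAMPLE_INVENTORY, SAMPLE_AS_OF):
        action = order.method or "REVIEW: no sanitization method defined for this medium"
        print(f"{order.item_id:10} expired {order.expired_on}  at {order.location}: {action}")
```

Two design points matter here: an item whose medium is not in the policy table is reported for review rather than dropped, because an unmapped medium is exactly the case (new device type, legacy format) that falls through the cracks; and the work order carries the physical location, since the person doing the shredding needs to know which cabinet to empty, not just which record ID to retire.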
Employee awareness of data destruction policies should be addressed within the context of a security awareness program. Employees should be trained on what to do with old physical data and, if they are unsure, to direct questions to management. It would be a good idea to make sure that employees who handle physical data on a regular basis are trained first. Provide employees with easy access to company security policies, either on the company intranet or in a quick reference manual. I recommend an annual review and employee sign-off on policy understanding as a good reinforcement tactic. Also consider making security and company policy awareness part of individual employees' annual goals and objectives.
Now as for me, I think I will go look for used computers next. What could possibly go wrong with that?
About the author:
Kevin J. Mock, CISSP, has over twenty-five years of professional experience in Information Technology and Information Security. Over the last 13 years, he has held various global leadership roles within information security related to the management of technology risk for a large financial services company. Areas of focus include information security practices, vulnerability management, perimeter security, intellectual property protection, and IT infrastructure management. Kevin received his bachelor's degree in computer science from Northern Illinois University.