Asset End of Life: Where Enterprises Make Mistakes
Many enterprises neglect PC end-of-life issues; these enterprises are not adequately protecting enterprise data and are not taking the proper environmental precautions when retiring PCs.
Corporations frequently, even if inadvertently, neglect PC end-of-life issues by paying regional recyclers or hardware vendors to remove old hardware. Unfortunately, this action does not ensure that sufficient recycling methods are employed to reduce landfill waste. Also, IT executives often fail to validate that the proper or most effective data cleansing, destruction and/or retention techniques are employed. This means that many enterprises are not taking the proper environmental precautions and are not adequately protecting enterprise data when retiring PCs.
Pending legislation at the local, state, federal and international levels will make existing statutes more stringent, and enterprises soon will face increased penalties, requirements and scrutiny when disposing of enterprise assets. Therefore, wise IT executives make it their business to understand end-of-life requirements for data and environmental legislation, and to build forward-looking, defensible PC-disposal strategies that minimize corporate costs and risk exposures.
Issues that businesses should attend to:
- Enterprises that select their PC recycling vendors based primarily on incidental factors, such as cost or geographic locality, are taking significant risks. Effective PC recycling requires appropriate data cleansing, as well as “de-manufacturing” capabilities that minimize landfill contributions. IT executives who believe transfer of ownership certificates provide appropriate risk mitigation are misinformed, and executives should be aware that corporations could be liable for assets many years after those assets are retired. Electronic waste regulations are gaining traction at all levels in developed nations, and hefty lawsuits for improper disposal are likely to be widespread within the next three to five years. IT executives should ensure that selected disposal firms perform the proper de-manufacturing and recycling procedures, should enforce procedures by scrutinizing vendors and their business partners, and should build an audit trail to ensure that landfill dumping is minimized and safe.
- Cost is frequently the fundamental criterion enterprises use when considering how and with whom to outsource recycling efforts. Unfortunately, there can be a direct relationship between recycling costs and the rigorousness of the asset-disposition procedures, particularly in the area of data cleansing. IT executives should pay particular attention to which techniques are used to remove data, as vendor procedure descriptions may be misleading. Furthermore, it is essential to verify that the removal procedures specified in contracts are adequately followed. In addition, IT executives should require vendors to capture critical data electronically in order to demonstrate that best efforts were made. Relevant data includes PC asset information, hard disk serial number, the number of times overwrite was completed, the overwrite type utilized, and relevant time and date data points.
- Most enterprises that dispose of unwanted PC assets have developed requirements for data destruction. Research, however, has found that these operations often are insufficient or not followed. In fact, illicit businesses sell sensitive data, such as credit card and Social Security data, that often has been extracted from retired enterprise PCs. Corporations should work with regulatory agencies to trace the cause of these sizable transgressions and hold the liable parties responsible. Surprisingly, a large number of enterprise executives still believe that a simple disk reformat provides effective data protection. Moreover, disk-cleansing services are not included in the standard procedures followed by most recycling firms. IT executives should understand that a U.S. Department of Defense (DoD) three-times overwrite is the minimum requirement for sensitive data and that proper data removal services are extremely affordable.
Properly retiring enterprise PC assets should be a top concern for enterprises engaging in system refresh. However, many IT executives are not applying the necessary methods or scrutiny to guarantee protection.
A recent investigation from the Computer Forensics team at the University of Glamorgan in the United Kingdom demonstrates this fact. Only two of 100 hard drives purchased on eBay, at fairs, and from wholesalers had no recoverable data on them – and one of the two drives was brand new. Half of the remaining drives could have had their data easily restored. The other half showed no attempts to remove data at all. Readily obtainable information, including financial details, a template for university degree certificates, and school records, was recovered. This is not the first such report on data available on second-hand disk drives. Robert Frances Group (RFG) profiled another such experiment performed by the Massachusetts Institute of Technology (MIT) in 2003.
Reports of plainly viewable and easily recoverable hard drive data have routinely made headlines over the last several years. Enterprises and end users alike are not taking the necessary precautions. RFG finds that most corporations have policies in place to ensure that proper data destruction occurs, either by the enterprise or an outsourcer. However, these policies are rarely followed suitably or sufficiently.
One reason that these lapses continue is that corporations have not yet suffered damage to their images or had considerable fines levied. Government agencies across the world are taking an increased interest in protecting consumer privacy, and RFG expects regulatory bodies to be fully empowered to take action well within the next three to five years. RFG believes PC data removal is still an afterthought for most corporations and is, therefore, the leading contributor to this on-going issue. IT executives should be proactive in understanding data-destruction requirements and should employ processes and technologies that effectively wipe, audit, report, and log activities.
RFG has researched enterprise end-of-life failure points and identified some of the most common mistakes and misperceptions corporations make and believe. A few of these examples are presented below, followed by delineation and analysis of the critical success factors identified by RFG.
Example: “The Process is in Place”
One of the largest insurance companies in the world had a process in place to eliminate data from hard drives prior to systems being sold to recyclers. Users were provided with a software tool to cleanse PCs before their release. However, an inspection by a data-destruction and computer-recycling firm found that the tool went largely unused.
In this scenario, users were required to wipe data from their hard drives independently. Most hard drive cleansing tools are fairly easy to use, but the data-elimination process takes up valuable time and delays other work efforts. Additionally, larger hard drive sizes require longer data-overwrite times. This fact is somewhat offset by gains concurrently seen in processor speed. However, users are clearly not given the incentive to spend two to three hours waiting for data-removal tools to complete the data-elimination process.
It is typically more expensive for enterprises to wipe data themselves, as outsourcers usually charge between $9 and $20 for disk-overwrite services. If IT executives insist on performing data-removal processes internally, it is generally best for trained IT personnel to take responsibility for the procedure. Moreover, a system of checks and balances should be enacted to validate that operations are being conducted correctly.
Audit trails capturing key overwrite criteria, including asset identification, disk information, number of passes, and overwrite type, should be electronically and physically maintained and on file, along with time stamps. Furthermore, drives should be selected at random and inspected to ensure accuracy and effectiveness. Data-removal vendors encourage IT executives to visit facilities, sometimes at unscheduled times, and to observe procedures.
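The audit-trail check and random inspection described above, as an added example that is not part of the original article: it reconciles vendor wipe records against the list of retired drives, flags records that fall short of a three-pass overwrite or lack required fields, and draws a random sample for physical inspection. The field names, serial numbers, and records are hypothetical and constructed for illustration.

```python
import random
from datetime import datetime

# Field names are hypothetical; they mirror the audit data the article lists.
REQUIRED = ("asset_tag", "disk_serial", "passes", "overwrite_type", "started", "finished")
MIN_PASSES = 3  # three-times overwrite the article requires for sensitive data

def check_record(rec, min_passes=MIN_PASSES):
    """Return the problems found in one vendor wipe record."""
    problems = [f"missing {f}" for f in REQUIRED if rec.get(f) in (None, "")]
    if problems:
        return problems
    if int(rec["passes"]) < min_passes:
        problems.append(f"only {rec['passes']} pass(es)")
    if datetime.fromisoformat(rec["finished"]) <= datetime.fromisoformat(rec["started"]):
        problems.append("finish time not after start time")
    return problems

def audit(records, retired_serials, sample_size, seed=None):
    """Reconcile wipe records against the retired-asset list and pick spot checks."""
    findings, seen = {}, set()
    for rec in records:
        serial = rec.get("disk_serial") or "<no serial>"
        problems = check_record(rec)
        if serial in seen:
            problems.append("duplicate record")
        seen.add(serial)
        if problems:
            findings[serial] = problems
    for serial in sorted(set(retired_serials) - seen):
        findings[serial] = ["no wipe record"]  # drive left the building unlogged
    clean = sorted(seen - set(findings))
    # Even records that look complete get a random physical inspection.
    sample = random.Random(seed).sample(clean, min(sample_size, len(clean)))
    return findings, sorted(sample)

def _rec(serial, passes, kind="random"):
    return {"asset_tag": "PC-" + serial[-4:], "disk_serial": serial, "passes": passes,
            "overwrite_type": kind, "started": "2024-05-01T09:00:00",
            "finished": "2024-05-01T11:30:00"}

# Constructed sample data, not taken from the article.
RECORDS = [_rec("D-1001", 3), _rec("D-1002", 1), _rec("D-1003", 3, kind=""), _rec("D-1004", 3)]
RETIRED = ["D-1001", "D-1002", "D-1003", "D-1004", "D-1005"]

if __name__ == "__main__":
    findings, sample = audit(RECORDS, RETIRED, sample_size=2, seed=7)
    for serial, problems in sorted(findings.items()):
        print(serial, "->", "; ".join(problems))
    print("inspect physically:", sample)
```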
Example: “Leasing PCs Ensures Safe Data Disposal”
An international shoe manufacturer has been leasing PCs, citing advantages such as cost predictability, leverage of new technology improvements, regular refresh, paying for assets using operational rather than capital funding, and productivity gains. Since the shoe company never owns the asset, it feels protected against any risks of improper disposal. The shoe company assumes that the leasing company wipes out all data prior to the system being resold or parted out.
The leasing company’s ownership of the asset does protect the shoe company from any e-waste disposal requirements, but system rebuilds do not incorporate hard drive cleansing by default. As long as Certificates of Authenticity (COAs) remain intact, the leasing company can simply re-format, and then restore the hard drive using imaging software. This can be accomplished in a fraction of the time needed to perform a drive overwrite and re-imaging. The leasing company, therefore, is not highly motivated to perform actual, thorough data cleansing. If the leasing company sells the system to a third-party wholesaler, or does not have access to re-imaging tools, the PC may only have obvious contents removed, such as from the “My Documents” folder. In any case, where no overwrite is conducted, enterprise data is at risk.
No matter what the industry, product, or service, IT executives cannot rely on vendors to deliver beyond the specifications of the contract. Thus, IT executives need to ensure that overwrite requirements and procedures are specifically detailed in the contract terms. Furthermore, not all vendors have the capabilities in place to perform data overwrites in house. Corporations should protect themselves against vendors that outsource activities to unknown third parties with undocumented or questionable practices. Such parties may, in turn, resell drives without performing required data-destruction procedures.
IT executives should incorporate into their decision-making criteria a procedural review of vendor and third-party contractor or partner capabilities and processes. Procedures should be tightly defined, followed, and tracked in order to encourage accountability and provide the appropriate assurance.
Example: “Vendors and Processes are Created Equally”
A large financial institution recently upgraded 5,000 laptops and had to select a recycling and data-destruction vendor. The company asked for bids from multiple firms and ultimately selected the vendor with the lowest price for disk cleansing. The vendor claimed it was able to do a US Department of Defense Standard 5220.22-M (DoD 5220.22-M) data-removal procedure for $2 to $3 per system. This price was one-fourth to one-tenth of that typically quoted by competitors. However, the financial institution later learned that the disk-cleansing technique employed by its chosen vendor was a one-time overwrite, rather than the three-times overwrite specified in the DoD standard.
Although cost should certainly be a factor in selecting a partner to perform PC data removal, IT executives should first concentrate their efforts on qualifying vendor performance and attention to detail. Having proprietary and confidential data unprotected and untraceable until it later resurfaces to cause the enterprise embarrassment and damage quickly eclipses the nominal savings realized by using the lower-cost provider. Data destruction and PC recycling are not large profit centers, and no outsourcer can provide sufficient services for $2 to $3 per system. If a deal seems too good to be true, it probably is.
In one way, the profiled financial institution was somewhat lucky. The vendor did perform a one-time data overwrite, thus providing at least some level of protection. In a manner both confusing and misleading, the data-destruction vendor likely considers that it has lived up to its obligations. DoD 5220.22 requires a three-times overwrite in order for data to be declared sufficiently unrecoverable. However, a clause in the specification states that a one-time overwrite is acceptable when the drive recipient has the same or higher security clearance. IT executives should test their data-destruction vendors by performing random audits during unannounced on-site inspections.
PC End-of-Life Issues: Lessons Learned
- A one-time disk overwrite is better than no overwrite at all; however, data can still be recovered. IT executives should require a three-times disk overwrite for sensitive data. If a one-time overwrite is deemed appropriate, bits should be written at random rather than all “0s” or all “1s” in order to make recovery more difficult.
- Transfer-of-ownership certificates are not sufficient proof to release enterprises of liability related to e-waste or data destruction. Solid vendor processes are the best guarantee, and IT executives should closely monitor capabilities and performance.
- IT executives should require proof of data elimination and de-manufacturing. Ideally, the recycler should provide electronic proof of how and when the data was removed. If system parts are being de-manufactured, the enterprise should be provided with a record of what was able to be recycled and what ended up in landfill.
- Proper data destruction takes time, and a simple reformat and re-image or quick data deletion is much faster and less expensive when reselling a PC or hard drive. Thus, identity thieves and other exploitive individuals are actively using improperly removed hard disk data as a means of income.
- Geographic location need not be a high cost in data disposal. While shipping costs can approach $30 individually, palletized PCs can cost as little as $5 per PC to ship.
- Most enterprise recyclers will share profits recaptured from the resale of PCs, and PCs less than 48 months old have positive residual value.
- Indemnification is desirable, but much less important than selecting a recycling vendor that has proven processes and can provide an audit trail before, during, and after data removal and/or de-manufacturing is completed.
- Recyclers can provide indemnification, if necessary.
- Requirements and procedures are useless without accountability. IT executives need to take the time to pre-qualify vendors, perform spot checks, and put procedures in place to ensure that contract terms are met.
- An IBM Global Financing (IGF) survey found that 90 percent of companies have procedures in place to eliminate sensitive system data. Some 70 percent of those companies were simply performing a disk re-format, which they mistakenly believed provided sufficient security.
- Openness is key. Vendors need to be as transparent with their data-destruction and e-waste processes as possible, and encourage the enterprise to keep them to task. In addition to offering process and facility inspection.
- Employee sales and charitable donations can be tricky. The disposal, data, and software licensing risks defined above all need to be addressed.
The proper destruction of enterprise hard drive data and disposal of PC assets is, and should be, a growing concern for companies. Although most companies have strategies in place to deal with data cleansing, many IT executives have not yet invested the time and energy required to ensure that internal processes and/or selected vendors can and do perform these processes adequately and effectively. Shortlisted candidate vendors should have in-house capabilities and rigorous procedures to wipe drive data and minimize the number of PC components that end up in landfills. IT executives should incorporate these operational requirements into contracts. Moreover, IT executives should avoid the common mistakes and misperceptions associated with PC disposition by holding vendors to task through careful inspection, required reporting, and oversight that includes unscheduled visits and audits.
Source: Robert Frances Group