The 2-Person Security Rule Should Be Common Sense
‘Saving a Few Dollars Cost Enterprise Millions’
In a data center there are two types of systems: those that are working and can be managed by storage-management software from companies like IBM and EMC, and those that are being decommissioned or contain data-bearing devices that no longer function. Because the majority of data centers have no system in place to track the second class of components, and because of the quantity of failed data-bearing devices and the complexity of managing them, these devices are often misplaced or mishandled.
These failed or decommissioned devices still hold all of the critical data in readily readable form, yet enterprise executives, managers and direct supervisors fail to acknowledge this weakness in their data center procedures. The United States government has released the NIST guidelines for wiping or destroying the data, but that is about it. As a result, recyclers and others take critical data-bearing devices out of the secure data center and into the parking lot to shred the drives (after all, they do not want to jeopardize your health by processing e-waste inside a building).
How do these companies risk the data security and brand name of the enterprise?
- Data center security rules keep the critical data-bearing devices in rooms behind layers of physical barriers and electronic monitoring. Then, on shredding day, the rules are suspended and the data-bearing devices are allowed to leave the premises.
- Want to steal a hard drive? Become a truck driver or shredder operator for a recycler that processes critical data-bearing devices. It is excessively easy, because during their process the hard drives are moved offsite into parking lots and out of your control.
- There is a 2-person security rule for accomplishing critical data center tasks. Have you ever read about or observed a company shredding hard drives? They have one low-skilled employee doing the work. Maybe all of the drives were processed, and maybe not. Some companies use a camera to monitor the process and call that meeting the two-person rule. Have you signed off on this high-risk process?
What we see are companies that violate their own security rules.
These are probably a few of their erroneous beliefs:
- No one will steal a hard drive.
- The auditors will never cite our data destruction procedure because every other enterprise is doing the same thing.
- We do not have enough time to research the correct way to process the data bearing devices.
In the end, old-school enterprise procedures violate those data center and CISSP guidelines to save a few dollars. After all, who cares about the corporation losing millions of dollars in a large-scale data breach?
We have a suggestion:
Write a data destruction security procedure that processes the critical data-bearing devices inside the four walls of the data center. Then contact TechR2 for a quote. We are the only ISO 27001 certified data destruction company, and we will go beyond your security criteria.