In addition to a data destruction policy, it’s advisable to have formal documentation procedures confirming the process used to destroy the data and/or media. Most current legislation that requires data management policies and procedures also requires that there is formal documentation of all data retention and destruction activities. It also provides evidence to the court that the data in question does not exist.


Discover Destruction Techniques

One of the key components in a data destruction policy is the technique used to securely destroy the data and/or storage media. Four techniques are regularly used:

• Overwriting: Usually implemented in software, this process simply and securely overwrites the storage medium with new data. Known as wiping, it’s as simple as writing the same data (e.g., all zeros or a specific character pattern) everywhere on the media.

• Degaussing: This technique electronically removes the magnetic field of a disk or drive using a device called a degausser. When used properly, degaussing renders a disk unusable. However, it may be possible for the manufacturer to reformat the disk at the factory.

• Encryption: Typically used to secure data from unauthorized access, encryption can also be used to make it impossible to access data on a storage device. By encrypting all data stored on a device, and using a very strong decryption key, access to the data can be effectively prevented.

• Physical Destruction: This technique is generally considered the most secure and permanent type of destruction method. The media must be thoroughly destroyed, as even a small piece of the disk may still contain data. Typical techniques include breaking the media apart via grinding or shredding; incinerating the media; applying corrosive chemicals (e.g., acids) to the disk surface; vaporizing or liquefying the media; or applying extremely high voltage to the media.
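As an added illustration of the overwriting technique and of the formal documentation procedure described earlier on this page (example code written for this page, not the author's or any vendor's tool): a temporary file stands in for a storage medium, every byte is overwritten with a chosen pattern, the medium is read back and verified, and a destruction record is produced; a final step tampers one byte to show how verification catches an area the wipe did not reach. The function names, the 64 KiB chunk size, the temporary file, and the placeholder operator and media identifiers are all constructed for the example.

```python
"""Pattern overwrite ("wiping") of a file-backed medium with read-back
verification, plus the destruction record the page recommends keeping.
Illustrative code for this page; the medium is a temp file, not a real disk."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024  # 64 KiB I/O blocks keep memory flat on large media


def _pattern_block(pattern: bytes, offset: int, n: int) -> bytes:
    """The n pattern bytes that belong at `offset`, so chunks stay aligned
    even when the pattern length does not divide CHUNK."""
    start = offset % len(pattern)
    return (pattern * (n // len(pattern) + 2))[start:start + n]


def overwrite_medium(path: str, pattern: bytes = b"\x00", passes: int = 1) -> int:
    """Wipe: write `pattern` over every byte of the medium, `passes` times.
    Returns the number of bytes covered by each pass."""
    size = os.path.getsize(path)
    for _ in range(passes):
        with open(path, "r+b") as f:
            offset = 0
            while offset < size:
                n = min(CHUNK, size - offset)
                f.write(_pattern_block(pattern, offset, n))
                offset += n
            f.flush()
            os.fsync(f.fileno())  # make sure the pass actually reached the device
    return size


def verify_overwrite(path: str, pattern: bytes = b"\x00"):
    """Read the medium back; return (True, None) if every byte matches the
    pattern, otherwise (False, offset_of_first_mismatch)."""
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True, None
            expected = _pattern_block(pattern, offset, len(chunk))
            if chunk != expected:
                for i, (got, want) in enumerate(zip(chunk, expected)):
                    if got != want:
                        return False, offset + i
            offset += len(chunk)


def destruction_record(path: str, method: str, passes: int, verified: bool, operator: str) -> dict:
    """The formal documentation the page calls for: what was sanitized, how,
    by whom, when, and a digest of the medium as it reads afterwards."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return {
        "media_id": os.path.basename(path),  # placeholder: a real record carries the drive serial
        "method": method,
        "passes": passes,
        "verified": verified,
        "post_sanitization_sha256": h.hexdigest(),
        "operator": operator,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


def run_demo(size: int = 200_000, pattern: bytes = b"\x55\xaa"):
    """Constructed scenario: a temp file of random bytes stands in for a disk.
    Wipe it, verify, build the record, then tamper one byte so verification fails."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(size))
        path = tmp.name
    try:
        written = overwrite_medium(path, pattern, passes=2)
        clean = verify_overwrite(path, pattern)
        record = destruction_record(path, "overwrite", 2, clean[0], "operator-placeholder")
        with open(path, "r+b") as f:  # simulate a sector the wipe never reached
            f.seek(100_000)
            f.write(b"\x00")
        tampered = verify_overwrite(path, pattern)
        return written, clean, record, tampered
    finally:
        os.remove(path)


if __name__ == "__main__":
    written, clean, record, tampered = run_demo()
    print(json.dumps(record, indent=2))
    print("clean:", clean, "tampered:", tampered)
```

The read-back step is the part worth copying into a real procedure: a wipe that is not verified is a claim, not evidence. Note also that a file-level overwrite only reaches the logical addresses the filesystem exposes; on flash media with wear levelling and spare blocks, remapped cells are not touched, which is one reason to keep the other techniques the page lists available in the policy.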


Understand the Legislation

Sarbanes-Oxley requires that strict records retention policies and procedures must be in place, but it does not specify a particular data storage format. It does require corporate officers to institute internal controls on their information to ensure completeness, correctness, and quick access. There is one exception to the specifics: accounting firms are specifically mentioned in Sarbanes-Oxley. The act calls for accounting firms that audit publicly traded companies to keep related audit documents for no less than seven years after the completion of an audit. Violators can face up to $10 million in fines and 20 years in prison.

Similar to SOX legislation, HIPAA legislation focuses on protecting electronic personal health information, or ePHI. The three principal criteria for protection of health data in HIPAA are confidentiality, integrity, and availability. Data retention addresses the third requirement, and even though HIPAA doesn’t specifically address data sanitization and when to destroy data/media, be sure to address them in your data retention program.

IMAGE ©SERGEY DASHKEVICH / FOTOLIA. Connection/Business IT 2012.Q4, page 19.


An Investment In Protection

Effective use of data sanitization techniques can minimize the chance that valuable data could be stolen or compromised. Many options are available to permanently destroy data and media. With an official data sanitization policy in place, plus some of the documents we have suggested in this tip, you can cost-effectively handle your data destruction requirements and be compliant with relevant legislation as well.


ABOUT THE AUTHOR: Paul Kirvan, CISA, FBCI, has more than 24 years of experience in business continuity management (BCM) as a consultant, author, and educator.


A Disposition Plan You Can Trust

Sometimes making the right choice about how to properly dispose of outdated assets can be confusing and frustrating. PC Connection eliminates those frustrations so that you can tend to more important tasks. With two services available, Standard Asset Disposition and Premium Asset Recovery, you can choose the service that best protects your organization. Best of all, you don’t have to do anything other than show us where the equipment is—we’ll take care of everything else.


Call today or visit us online for more information about our asset disposition services. 1-800-800-0014 www.pcconnection.com/assetdisposition

