Numerous regulatory requirements at both the Federal and State level require the secure erasure of data. Whether you are a financial institution, medical facility, asset disposition / asset management company, electronic recycling company or any corporation that has personal private consumer data stored in digital format, there is some form of regulation you must adhere to.

Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions (companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data. The Act states that each financial institution has an affirmative and continuing obligation to "respect the privacy of its customers and to protect the security and confidentiality of those customers' non-public personal information."

Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. HIPAA itself was enacted in 1996; the Privacy Rule took effect on April 14, 2001, with most covered entities required to comply by April 14, 2003. The companion Security Rule requires administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information, which includes disposing of that information, and the media holding it, so that it cannot be recovered.

Health Information Technology for Economic and Clinical Health Act (HITECH)
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, imposes more stringent regulatory requirements under the HIPAA Security and Privacy Rules, increases civil penalties for HIPAA violations, funds the adoption of health information technology by hospitals and physicians, and requires notification of patients after a breach of unsecured protected health information. These requirements apply to covered entities, their business associates and related vendors in the health care industry.

Fair and Accurate Credit Transactions Act (FACTA)
FACTA was signed into law in December 2003; its Disposal Rule, the provision most relevant to data erasure, took effect on June 1, 2005. Its primary purpose is to help consumers fight identity theft and consumer fraud. The Disposal Rule requires the proper destruction of consumer information such as name, address, SSN and credit information, and of any data compiled from that information, whether it is held on paper or in electronic form.

Sarbanes-Oxley Act (SOX)
Signed into law on July 30, 2002, its primary goal is to restore and protect investor confidence in the US financial markets by holding corporate governance to more stringent accounting and reporting controls. Failing to keep electronic records secure throughout their life, and to render them irretrievable at the end of the IT asset's useful life, can constitute a failure of the internal controls the Act requires.


Media sanitization is one key element in assuring confidentiality. Confidentiality is “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] “A loss of confidentiality is the unauthorized disclosure of information.” [FIPS-199, Standards for Security Categorization of Federal Information and Information Systems]

Information disposition and sanitization decisions occur throughout the system life cycle. Critical factors affecting information disposition and media sanitization are decided at the start of a system's development. The initial system requirements should include hardware and software specifications as well as interconnections and data flow documents that will assist the system owner in identifying the types of media used in the system. A determination should be made during the requirements phase about what other types of media will be used to create, capture, or transfer information used by the system. This analysis, balancing business needs and risk to confidentiality, will formalize the media that will be considered for the system to conform to FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.

-- National Institute of Standards and Technology, NIST Special Publication 800-88

Computing technologies change rapidly. Users want more powerful but compact devices. New technologies constantly increase processing speed and storage capacity, while decreasing the device size in order to satisfy this demand. These technologies may require new clearing and purging techniques. Advancing technology has created a situation that has altered previously held best practices regarding magnetic disk type storage media. Basically the change in track density and the related changes in the storage medium have created a situation where the acts of clearing and purging the media have converged. That is, for ATA disk drives manufactured after 2001 (over 15 GB) clearing by overwriting the media once is adequate to protect the media from both keyboard and laboratory attack.

-- National Institute of Standards and Technology, NIST Special Publication 800-88
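The single-pass "clear" described in the passage above is easy to state and easy to get wrong in practice: the overwrite has to cover every addressable byte, has to actually reach stable storage, and should be verified by reading the media back rather than trusted. The script below is an added example, not code from this page, its vendor, or NIST; it clears a target with a repeating byte pattern, verifies the result byte for byte, and produces the kind of sanitization record that SP 800-88 expects an organization to keep. The target path, chunk size, pattern and the demonstration file it creates are all assumptions for illustration. Note that the quoted text is from the 2006 edition of SP 800-88; Revision 1 (2014) still accepts a single overwrite as Clear for magnetic disks but does not rely on overwriting alone to purge flash-based media, and a software overwrite of a whole drive will not reach a Host Protected Area, Device Configuration Overlay or reallocated sectors.

```python
"""Single-pass overwrite ("clear") with read-back verification and a record.

Added example, not code from Extreme Protocol Solutions or from NIST SP 800-88.
Works on a regular file. On a raw block device (e.g. /dev/sdb, an assumed
path) the same open("r+b") / seek-to-end logic applies but needs root and
will not touch an HPA, DCO or reallocated sectors.
"""
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB I/O size (assumed; tune for the device)


def tiled_pattern(pattern: bytes, offset: int, n: int) -> bytes:
    """Return n bytes of `pattern` repeated, as they should appear at byte `offset`.

    Keeps multi-byte patterns aligned across chunk boundaries.
    """
    plen = len(pattern)
    start = offset % plen
    reps = (start + n) // plen + 1
    return (pattern * reps)[start:start + n]


def overwrite_once(path: str, pattern: bytes = b"\x00") -> int:
    """Write `pattern` over every byte of `path`, fsync, and return bytes written."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # works for files and block devices
        f.seek(0)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            f.write(tiled_pattern(pattern, written, n))
            written += n
        f.flush()
        os.fsync(f.fileno())  # do not report success from the page cache
    return written


def verify_overwrite(path: str, pattern: bytes = b"\x00") -> int:
    """Read every byte back and count those that do not match `pattern`."""
    mismatched = 0
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            expected = tiled_pattern(pattern, offset, len(chunk))
            if chunk != expected:
                mismatched += sum(a != b for a, b in zip(chunk, expected))
            offset += len(chunk)
    return mismatched


def sanitize_and_record(path: str, pattern: bytes = b"\x00") -> dict:
    """Clear `path`, verify it, and return a record suitable for a sanitization log."""
    size = overwrite_once(path, pattern)
    mismatched = verify_overwrite(path, pattern)
    return {
        "target": path,
        "method": "clear: single-pass overwrite with full read-back verification",
        "pattern_hex": pattern.hex(),
        "bytes_written": size,
        "mismatched_bytes": mismatched,
        "verified": mismatched == 0,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo(size: int = 2 * CHUNK + 12345) -> dict:
    """Constructed demonstration: fill a temp file with random 'sensitive' data,
    clear and verify it, then prove the verifier notices residual data."""
    fd, path = tempfile.mkstemp(prefix="clear-demo-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(size))
        pattern = b"\xaa\x55"  # alternating-bit pattern; any non-empty bytes work
        record = sanitize_and_record(path, pattern)
        # Verifier self-test: write 16 bytes of "data" back and re-check.
        # None of these ASCII bytes equal 0xAA or 0x55, so all 16 must mismatch.
        with open(path, "r+b") as f:
            f.seek(4096)
            f.write(b"SECRET DATA 1234")
        record["verifier_detects_residue"] = verify_overwrite(path, pattern) == 16
        return record
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The full read-back is deliberate: sampling a few sectors proves little, and a verifier that is never shown failing data has not been tested, which is why `demo()` plants residue after the clear and checks that it is reported. On real hardware, pair a software clear like this with the drive's own ATA Secure Erase or Sanitize command when purge-level assurance is needed.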

Several factors should be considered along with the security categorization of the system confidentiality when making sanitization decisions. The cost versus benefit of a media sanitization process should be understood prior to a final decision. For instance, it may not be cost-effective to degauss inexpensive media such as diskettes. Even though clear or purge may be the recommended solution, it may be more cost-effective (considering training, tracking, and validation, etc.) to destroy media rather than use one of the other options. Organizations can always increase the level of sanitization applied if that is reasonable, and indicated by an assessment of the existing risk. Organizations should consider the following environmental factors. Note that the list is not all-inclusive:

1. What types (e.g., optical non-rewritable, magnetic) and size (e.g., megabyte, gigabyte, and terabyte) of media storage does the organization require to be sanitized?
2. What is the confidentiality of the data stored on the media?
3. Will the media be processed in a controlled area?
4. Should the sanitization process be conducted within the organization or outsourced?
5. What is the anticipated volume of media to be sanitized by type of media?
6. What is the availability of sanitization equipment and tools?
7. What is the level of training of personnel with sanitization equipment/tools?
8. How long will sanitization take?
9. What type of sanitization will cost more considering tools, training, validation, and reentering media into the supply stream?

-- National Institute of Standards and Technology, NIST Special Publication 800-88

The last thing your company wants is bad press. Here are some recent security breaches that made the headlines...

December 10, 2010
(Reuters) - NASA failed to delete sensitive data on computers and hard drives before selling the equipment as part of its plan to end the Space Shuttle program, an audit released on Tuesday shows.

November 11, 2010
(DailyMail) - An Oxford-educated army officer's laptop containing military secrets was sold on eBay for £18.87 after he threw it in a skip.

October 15, 2010
(Computerworld UK) - Information Commissioner slams recruitment agency for losing hard drive containing doctors' security clearance and visa information.

Extreme Protocol Solutions © 2006