Regardless of industry or size, organizations today rely on data to drive business. Whether it’s collecting, using, buying, transferring, or storing data, there’s one thing businesses have in common: they have to figure out what to do with that data once it is no longer necessary to keep. With the number of data breaches increasing exponentially over the last decade, following best practices for secure data destruction is essential. If your organization doesn’t have an equipment and data disposal policy or isn’t well-versed in secure data destruction and secure data disposal, you could leave yourself vulnerable to security incidents, stiff fines and penalties, loss of consumer trust, and damage to your brand.
At KirkpatrickPrice, we understand how much data can mean to your business, but we’re also very aware of the damage that forgoing secure data destruction and secure data disposal can cause. Let’s go over the main difference between secure data destruction and secure data disposal, six methods to follow when securely destroying or disposing of data, and then the common policies your organization should adopt to ensure secure data disposal and secure data destruction.
Secure Data Destruction vs. Secure Data Disposal
What’s the difference between secure data destruction and secure data disposal? Secure data disposal means getting data off your device without necessarily getting rid of it entirely. When you merely dispose of data (e.g. putting the device in the trash or simply deleting files from your computer), the data can still be recovered by malicious individuals. Secure data destruction, on the other hand, wipes your devices clean of data, so malicious individuals no longer have any ability to access it. In short, simply deleting data is not enough to ensure that it is unrecoverable.
6 Methods for Securely Destroying or Disposing of Data
When determining which methods to use to securely destroy or dispose of data, you’ll need to consider four major factors: the type of media, the sensitivity of the data being disposed of or destroyed, the end-of-life value of the data asset, and all applicable information security frameworks and legal requirements that your organization must adhere to. Once you’ve weighed these four considerations, you can decide which of the following methods are most suitable for your organization’s needs.
Hard Disk Drives
When it comes to securely destroying or securely disposing of data on hard disk drives (HDDs), the physical media on which the data is stored, consider using the following methods:
- Clearing: Clearing removes data in such a way that prevents an end-user from easily recovering it. This method is suitable for reusing devices inside your organization.
- Digital Shredding or Wiping: This method does not alter the physical asset. Instead, it overwrites the data with patterns of ones, zeros, and random characters over multiple passes (e.g. the DoD 5220.22-M algorithm).
- Degaussing: Degaussing uses a strong magnetic field to disrupt the magnetic pattern on the HDD’s platters that stores the data. Once the HDD is degaussed, it can no longer be used.
- Physical Destruction: This method ensures the secure disposal and destruction of HDDs as they are hydraulically crushed or mechanically shredded, so that data can never be retrieved or reconstructed.
Solid State Drives
For secure data destruction and secure data disposal of data found on solid state drives (SSDs), or the virtual location where the data is stored, consider using the following methods:
- Built-In Sanitization Commands: This method is effective if the device is to be reused within the organization.
- Physical Destruction or Encryption: These methods are the only true way to ensure that the data on the device cannot be recovered.
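To make the wiping method above concrete, here is an added example (not code from the original post or from KirkpatrickPrice) of the DoD 5220.22-M-style three-pass overwrite with a read-back verification, plus a residue check that scans the media for a known record; it works on a constructed sample file, and the comments carry the caveat that explains why SSDs need the built-in sanitization commands or destruction/encryption listed in the SSD section.

```python
import os, random, secrets, tempfile

CHUNK = 1 << 20  # 1 MiB write/verify granularity

def _stream(pattern, seed, size):
    """Yield one pass of bytes: a fixed byte repeated, or PRNG output from seed."""
    rng = random.Random(seed) if pattern is None else None
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        yield rng.randbytes(n) if rng else pattern * n

def wipe_and_verify(path: str) -> dict:
    """Overwrite with 0x00, then 0xFF, then seeded random bytes, and read back the
    last pass. Caveat: through a filesystem this only reaches blocks currently
    mapped to the file; remapped HDD sectors and wear-levelled SSD cells are not
    touched, which is why SSDs need the drive's own sanitize command or destruction."""
    size = os.path.getsize(path)
    seed = secrets.randbits(128)  # kept only long enough to verify the random pass
    passes = [(b"\x00", None), (b"\xff", None), (None, seed)]
    with open(path, "r+b") as f:
        for pattern, s in passes:
            f.seek(0)
            for buf in _stream(pattern, s, size):
                f.write(buf)
            f.flush()
            os.fsync(f.fileno())  # force each pass to the device before the next
        f.seek(0)
        verified = all(f.read(len(e)) == e for e in _stream(None, seed, size))
    return {"bytes": size, "passes": len(passes), "verified": verified}

def contains_marker(path: str, marker: bytes) -> bool:
    """Residue check: scan for a known record, carrying overlap across chunks."""
    overlap, carry = len(marker) - 1, b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            window = carry + chunk
            if marker in window:
                return True
            carry = window[-overlap:] if overlap else b""
    return False

def demo() -> dict:
    """Constructed sample: a temp file full of a fake customer record, then wiped."""
    marker = b"CONSTRUCTED-RECORD: jane.doe@example.com"  # sample data, not real
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 60_000)  # 2.4 MB, so each pass spans several chunks
        path = tmp.name
    result = {"marker_before": contains_marker(path, marker), **wipe_and_verify(path)}
    result["marker_after"] = contains_marker(path, marker)
    os.remove(path)  # ordinary deletion: on its own this would not erase the bytes
    return result
```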
Enforcing an Equipment and Data Disposal Policy
In order to enforce secure data destruction and secure data disposal, you must have the right policies in place to create a culture of compliance. After all, your employees can be well-versed in data disposal and destruction best practices, but if your policies don’t reflect your business’s requirements for doing so, there is no way to hold them accountable for following them.
For this reason, when it comes to creating, maintaining, and enforcing an equipment and data disposal policy, we recommend including policies that…
- Determine the personnel who will oversee the data disposal and destruction process
- Define specific best practices that personnel should follow to ensure secure data destruction and secure data disposal techniques are used
- Detail what is to be done with media devices that are no longer useful to the company’s needs but do not need to be destroyed (e.g. laptops or smartphones to be offered for purchase to employees or donated)
- Include requirements for updating asset inventory lists
- Address non-compliance with the equipment and data disposal policy
For a detailed example of an equipment and data disposal policy, check out this policy template published by SANS. If establishing and enforcing an equipment and data disposal policy is not something your organization is equipped to do, you might also consider partnering with a third party to complete these tasks, provide you with a certificate proving that your devices have been handled properly, and confirm that the devices have been physically destroyed.
All in all, having a robust equipment and data disposal policy that includes best practices for secure data disposal and secure data destruction is an integral component of establishing a culture of compliance within your organization. By doing so, you’re positioning your business as a trustworthy, reliable partner – something that has become more difficult in today’s data-centric world. If you have questions on how to implement these best practices or need guidance on creating an equipment and data disposal policy, let’s connect.