Regardless of sector or scale, businesses today heavily depend on data to steer their operations. Whether collecting, using, buying, transferring, or storing data, all businesses share a common dilemma: what to do with data once it’s no longer necessary. With the number of data breaches increasing exponentially over the last decade, following best practices for secure data destruction is essential.
If your organization doesn’t have an equipment and data disposal policy or isn’t well-versed in secure data destruction and secure data disposal, you could leave yourself vulnerable to security incidents, stiff fines and penalties, loss of consumer trust, and damage to your brand.
At KirkpatrickPrice, we understand how much data can mean to your business. However, forgoing secure data destruction and secure data disposal can cause excessive damage. Let’s compare secure data destruction and secure data disposal, highlight the six best practices to follow when securely destroying or disposing of data, and explore common policies your organization should adopt to ensure secure data disposal and destruction.
Secure Data Destruction vs. Secure Data Disposal
What’s the difference between secure data destruction and secure data disposal?
Secure data disposal means disposing of data from your device without eliminating it entirely. When you dispose of data (i.e. put it in the trash or simply delete files from your computer), the data can still be accessed by malicious individuals.
On the other hand, secure data destruction includes wiping your devices clean of data – malicious individuals will no longer have the ability to access that data.
In short, the difference is that simply deleting data is not enough to ensure that it is unrecoverable; it requires secure destruction.
6 Best Practices for Secure Data Destruction or Disposal
When determining which methods to use to securely destroy or dispose of data, you’ll need to consider four major factors as they relate to your organization’s needs:
- Media type
- Data sensitivity
- Data asset end-of-life value
- All applicable information security frameworks and legal requirements that your organization must adhere to
With those factors in mind, below are our secure data destruction best practices for hard drives and solid-state drives.
How to Securely Destroy Hard Drives
When securely destroying or disposing of data on hard disk drives (HDDs), the physical location where the data is stored, consider using the following methods:
Clearing
Clearing removes data in such a way that prevents an end-user from easily recovering it. This method is suitable for reusing devices inside your organization.
Digital Shredding or Wiping
This method does not alter the physical asset. Instead, it overwrites the data with other characters, such as 1s, 0s, and random characters, over multiple passes (e.g. the DoD 5220.22-M algorithm).
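A multi-pass overwrite with read-back verification can be sketched as follows. This is an added example, not code from KirkpatrickPrice or from any wiping product; the pass order (zeros, ones, random), the chunk size, and the function names are assumptions chosen for illustration, and the sample file is constructed.

```python
import os
import tempfile

CHUNK = 1024 * 1024                # write in 1 MiB chunks to bound memory use
PASSES = (b"\x00", b"\xff", None)  # assumed pass order: zeros, ones, random (None)

def _verify(f, size, pattern):
    """Read the file back and confirm every byte equals the fixed pattern."""
    f.seek(0)
    remaining = size
    while remaining:
        chunk = f.read(min(CHUNK, remaining))
        if not chunk or chunk != pattern * len(chunk):
            return False
        remaining -= len(chunk)
    return True

def overwrite_file(path, passes=PASSES):
    """Overwrite a file in place once per pattern; return passes completed."""
    size = os.path.getsize(path)
    completed = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # force this pass to the device before the next
            if pattern is not None and not _verify(f, size, pattern):
                raise OSError(f"read-back mismatch after pass {completed + 1}")
            completed += 1
    return completed

def demo():
    """Wipe a constructed sample file; return (passes, size_kept, marker_gone)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed-sample-record\n" * 4096)
        os.close(fd)
        size = os.path.getsize(path)
        passes = overwrite_file(path)
        with open(path, "rb") as f:
            data = f.read()
        return passes, len(data) == size, b"constructed-sample" not in data
    finally:
        os.remove(path)
```

Overwriting a file this way only reaches the blocks the filesystem currently maps to it; earlier copies left by journaling, snapshots, or flash wear leveling are untouched, so whole-device wiping tools or the drive's own sanitization commands are needed when the asset leaves your control.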
Degaussing
Degaussing uses a strong magnetic field to rearrange the structure of the HDD. Once the HDD is degaussed, it can no longer be used.
Physical Destruction
This method ensures the secure disposal and destruction of HDDs as they are hydraulically crushed or mechanically shredded, so that data can never be retrieved or reconstructed.
How to Securely Destroy Solid-State Drives
For secure data destruction and secure data disposal of data found on solid-state drives (SSDs), or the virtual location where the data is stored, consider using the following methods:
Built-In Sanitization Commands
This method is effective if the device is to be reused within the organization.
Physical Destruction or Encryption
Using this method is the only true way to ensure device data cannot be recovered.
The Importance of Enforcing an Equipment and Data Disposal Policy
To enforce secure data destruction and disposal, you need effective policies that cultivate a culture of compliance. While your employees may be knowledgeable about data disposal best practices, without policies that mirror your business requirements, holding them accountable is difficult.
Therefore, when creating, maintaining, and enforcing an equipment and data disposal policy, we recommend including policies that:
- Determine the personnel who will oversee the data disposal and destruction process
- Define specific best practices that personnel should follow to ensure secure data destruction and secure data disposal techniques are used
- Detail what is to be done with media devices that are no longer useful to the company’s needs, but do not need to be destroyed (i.e. laptops or smart phones to be made available for purchase to employees or donated)
- Include requirements for updating asset inventory lists
- Address non-compliance with the equipment and data disposal policy
For a detailed example of an equipment and data disposal policy, check out this policy template published by SANS. If establishing and enforcing an equipment and data disposal policy is not something your organization is equipped to do, you might also consider partnering with a third party to complete these tasks, provide you with a certificate as proof that your devices have been handled properly, and confirm that the devices have been physically destroyed.
All in all, having a robust equipment and data disposal policy that includes best practices for secure data disposal and secure data destruction is an integral component of establishing a culture of compliance within your organization. By doing so, you’re positioning your business as a trustworthy, reliable partner – something that has become more difficult in today’s data-centric world.
Partner with KirkpatrickPrice to Help Establish Data Disposal and Destruction Best Practices
Understanding how to properly dispose of and destroy data can feel overwhelming. While the above best practices are a great place to start, it can feel intimidating to implement them on your own. Here at KirkpatrickPrice, we want to help you feel confident in your security and compliance practice. If you have questions on how to implement these best practices or need guidance on creating an equipment and data disposal policy, make sure to connect with one of our experts today. Our dedicated auditing team is ready to help you with your unique business needs.