When you replace your computers, what happens to the data on them? With increased legal scrutiny and identity theft protections, it is important for you to know exactly what happens to the information on your end of life computers. Some companies prefer to keep this responsibility in-house, using tools like Blancco, KillDisk, or dBan. Software drive wiping can take a long time, and if you have a large number of machines to wipe, dedicating an employee to wipe drives can be costly.
If you choose to outsource data destruction services, how can you be sure they handle your data with the same care as you would? Here are a few questions to ask:
What methods of data destruction do you provide?
This question is more for your education than anything else. There are many different forms of data destruction. First is do they use software or physical destruction methods. On the software side there are many different algorithms, from single pass, 3 pass, 7 pass, Secure Erase. The NIST states that a single pass is sufficient for most drives, but 3 pass tends to be the standard.
On the physical destruction side, there is degaussing, drilling, shredding, or hitting it with a hammer. If they use drilling, ask how many holes they drill into the platters. If they only do 1 or 2, be wary that it is theoretically possible to retrieve portions of the drive using an electron microscope. Our perferred method is shredding. Unlike degaussing, you can easily tell if the drive has been destroyed, and it doesn’t have the safety issues of hitting it with a hammer or drilling.
What do you do with failed drives?
When using software overwriting techniques, not every drive will be able to wipe 100%. Remapped sectors and bad sectors can still have data in them. At what point does the company consider a drive failed, and what do they do when it fails? Do they attempt to wipe it again? Do they inspect the drive for data remnants? Do they physically destroy the drive?
What reporting options are available?
The company providing the data destruction services should provide some form of certification of data destruction, but what does that certificate say? Does it merely indicate that they destroyed some data? Can the certificate be tied back to a particular asset? Preferably back to an asset tag you can track through your own inventory management systems?
Do you have any outside certification?
Has their process been inspected and verified by an independent body? Have drives destroyed by the company been inspected by data recovery firms? Common certifications are the NAID AAA certification, and we are starting to see requests for certification under the PCI / DSS rules. If a company has not been certified, be wary of their data security processes. Even if they have been certified, ask if they will let you tour the facility and see the processes for yourself.
What do you do with e-waste?
No matter how a company destroys data, there will be some electronic waste generated. What do they do to ensure that this waste does not end up in landfills? Do they partner with a recycling firm? Do they recycle the electronic waste themselves?