The process of destroying a hard drive is often considered only when organizations are working to decommission devices. The practices and procedures may be created or updated periodically when a company wants to update to a new operating system, replace a bunch of servers or simply move systems to the cloud and eliminate in-house hardware. Because of this, many companies run into challenges figuring out exactly what issues they have to think about when it comes time to erase data. To avoid this problem, companies must consider the data destruction process in the same way they look at general cybersecurity and access control.
In action, data destruction isn't that complicated. Businesses must:
- Provide adequate controls to ensure only authorized personnel can access hardware.
- Leverage specialized technologies and systems to sanitize storage media.
- Standardize and document best practices to ensure process consistency and regulatory compliance.
These standards are clear across pretty much all security practices, but here are a couple of nuanced security and access control capabilities that apply to data destruction processes.
Align security practices with business needs
The NIST released a landmark cybersecurity framework in 2014 to guide businesses in establishing security best practices to keep data safe. These weren't regulatory laws or official requirements. They were, instead, a guide to help establish a baseline for what companies need to do when protecting data assets. The NIST recently updated its guidance, and the draft document makes an intriguing point about the NIST's goal.
"Businesses must account for their corporate goals and potential for risk when making data destruction decisions."
The draft cybersecurity framework points out that its goal is to offer guidance so organizations can make their cybersecurity choices based on business factors and incorporate data protection into risk management.
Similarly, companies must account for their corporate goals and potential for risk when making data destruction decisions. Not every storage device will require the same level of thoroughness for data destruction, so adapting best practices for different media types is key. In terms of risk management, businesses must assess what level of risk is acceptable for different data types, not only in terms of how thoroughly they destroy data, but also whether or not they will trust third-party disk destruction companies or be better off handling the process in house. Using core security best practices can play a key role in informing data destruction process.
Document everything
Creating an audit trail is vital to maintaining a chain of custody and verifying regulatory compliance. A FedTech report explained that core access control best practices rely on standardizing and enforcing processes so that nothing goes into or is taken out of a server rack without being documented.
Similarly, businesses must formally track storage media throughout the data destruction process to ensure access to information is controlled and monitored at all times.
Don't be daunted by data destruction processes. Businesses that take control of erasing data can ensure they have visibility into the entire erasure process, reducing the total cost of decommissioning hardware and improving security. Want to learn more about data destruction? Contact Proton Data, and we'll tell you about our degausser solutions that erase data and provide a high level of data protection for businesses trying to safeguard sensitive information.