CentricsIT Datasheet: Data Sanitation and Destruction


CentricsIT Data Sanitation & Destruction: Remaining Secure During the ITAD Process

You already spend a great deal of time, money, and human resources defending your active data. Why let that work and investment go to waste by failing to administer the same security diligence for data after its hosting hardware has been phased out of your facilities? You may no longer need those units, but that doesn’t mean your data security responsibilities end there.

No one wants to be the next big breach. You need an ITAD solution that ensures risk mitigation and brand protection. The CentricsIT Data Sanitation/Destruction program enables organizations to run simultaneous projects in multiple locations anytime, anywhere, with one single point of contact.

3140 Northwoods Parkway, Suite 700, Norcross, Georgia 30071 Phone: 1 (877) 531-7466 // Fax: (877) 568-2114 www.CentricsIT.com United States // Canada // United Arab Emirates // United Kingdom // Czech Republic

Data Erasure:

Data erasure (or clearing/wiping) is a software-based process that completely overwrites the hard drive with random zeroes and ones, effectively obscuring any residual data left on the device under several layers of meaningless binary.

Data Destruction:

Data destruction is the physical process of making a hard drive unusable for conventional equipment. Arguably, this method can be accomplished with a hammer and some sweat equity, but this is an extremely inefficient method (especially if you have hundreds of units to decommission). Instead, most companies rely on punching and shredding machines to do the job.

How It Works

Hard Drive Wipes

1. The Operations Manager provides the CentricsIT Engineer with any instructions for performing the data wipe, along with the start/finish times.

2. CentricsIT Engineers execute the data wipe using erasure software per specified requirements and software instructions.

3. An asset erasure report is created.

4. If the hard drive is not able to be wiped:

a. The drive is pulled from the computer/data center

b. Serial number information is captured

c. The hard drive is crushed as per CentricsIT standards

5. The full erasure report is sent to the client contact.

6. A data destruction certificate is completed using the information from the Erasure Report.

Hard drive crushing on customer sites

1. Crushing is performed within the truck.

2. Ensured security.

3. Each drive is scanned into a Shred Report including P/N & S/N.

4. Quantities are double checked and matched.

5. The hard drives are shredded into containers. All manufacturer operation and safety considerations including personal protective equipment will be complied with.

6. The crushed debris is inspected to ensure compliance with manufacturer requirements.

7. A certificate is printed out. Both the operator and customer sign the certificate.

8. The shredded product is returned to ITAD and is weighed in to the scrap area, as per CentricsIT standards.

9. The signed certificate and crushed data are prepared in a report. A copy of the report is sent to the client and a copy is saved in the project folder. A photograph of the shred is also included.


Hard drive crushing in the CentricsIT warehouse

Hard drive crushing in a CentricsIT warehouse is similar in most respects to on-site crushing. However, customer requirements might vary. The CentricsIT Operations Manager will ensure warehouse staff are aware of the customer requirements and will execute hard drive crushing accordingly.

Ensuring Security with Quality Assurance

QA checking of data sanitization

1. At least 10 storage devices are randomly selected from inventory for QA checking data wipes.

2. The devices will be checked by a CentricsIT Engineer. The engineer will attempt to recover the data for each item selected. Records of the QA check will be recorded on the QA Check-Validation Report.

3. If there are any negative findings during QA checking, additional product may be checked. The issues will be recorded in the Action Log.

Data sanitization/destruction training

All ITAD personnel involved in the data sanitization/destruction process must receive training on the proper use of the erasure/crush equipment and the process. This training is repeated annually with records maintained. Training includes a review of NIST 800-88.

Validation

Annual validation will be performed by individuals approved by the Operations Manager. Validators are independent of the data destruction process and competent in NIST 800-88 guidelines.

Validation includes:

• A review of the procedure.

• Witnessing the destruction activity, and inspecting the results (possibly in conjunction with the internal audit). For wipes, the validation will include an attempt at data recovery for the selected products.

• Records of the validation will be maintained on the QA Check-Validation Report. For hard drive crushing, photos will be taken.

• Any non-conformances identified during the validation will be recorded in the Action Log.

The validator is also responsible for monitoring the effectiveness and compliance of data destruction personnel and processes throughout the year.

Customer requirements are determined, a proposal is prepared, and customer accepts proposal.

CentricsIT Project Manager is assigned.

Product is transported and product is received at the ITAD warehouse.

Security controls for the ITAD workplace are in place.

Equipment maintenance and facility housekeeping are utilized.

Data sanitization/destruction

Data sanitization/destruction is performed as soon as possible in order to minimize unauthorized access of the data.

Hazards and environmental aspects are identified and controlled.

Legal requirements are identified and changes are monitored.

ITAD is assessed against legal requirements.

Communications to internal and external parties including participation in health and safety issues.

EHS procedures are developed and personnel trained.

EHS issues are monitored. Emergencies are identified and managed.

Non-conformances and issues are addressed and corrective/preventative actions are determined and implemented.

Internal and external documents are identified and controlled.

Records are identified and controlled.

Personnel are trained and competency determined.

Compliance to the EHSMS is determined.

Management and resources, including the effectiveness of the EHSMS is determined in the Managers’ Meeting.

An audit of customer product is performed and brokers are notified of the results.

Product that is being kept

Product is tested and an R2 status is assigned. Product testing is QA checked.

Hard drive wipes and crushing are performed.

QA of data sanitization is checked.

Validation of data sanitization/ destruction is verified.

EHS incidents are investigated.

Data sanitization/destruction training and data security.

Scrap

Management of scrap electronics

Product is added to inventory.

Product is sold, picked, and shipped.

Product returns are available through the Project Manager.

Data security breach?

Data security breaches mitigation.

Yes No

Product is repairable?

Yes No

Product is broken down and e-scrap is shipped to an R2 vendor.

Product is repaired.

Downstream vendors are selected. The recycling plan to end of life (our focus material management plan) is prepared.

Downstream vendors are evaluated annually and include import/export compliance.

Downstream vendor non-conformances are managed.

Product is on consignment?

Yes

All incoming and outgoing scrap weights are accounted for and considerable differences are investigated.

A final scrap audit is performed and the customer is notified.

Customer & project management; Facility & Equipment management; Environmental, health, and safety (EHS) management processes; System management procedures