This presentation was given during the Spring 2012 Data Center World Conference and Expo. Its contents are owned by AFCOM and Data Center World and can only be reused with the express permission of AFCOM. For questions or permission, contact: [email protected]. Interested in data center security and disaster recovery? Learn about the Security and DR track at the upcoming Fall 2012 Data Center World Conference at: www.datacenterworld.com.

Best Practices To Mitigate Risks When Retiring IT Assets


Page 1: Best Practices To Mitigate Risks When Retiring IT Assets


Page 2: Best Practices To Mitigate Risks When Retiring IT Assets

Vito Arminio

[email protected]

858-729-0289

Page 3: Best Practices To Mitigate Risks When Retiring IT Assets

Bringing ‘Peace of Mind’ to IT Asset Retirement

• Reduce your Liability in 3 Areas:

– Environmental

– Data Privacy

– Reputation

Confidential – not for distribution without LifeSpan’s written consent.

Page 4: Best Practices To Mitigate Risks When Retiring IT Assets

Equipment Retirement – Issues

• E-waste is the fastest growing portion of the entire waste stream, growing two to three times faster than any other waste stream. It is the largest single source of lead in municipal solid waste (about 30%).

The United States faces a unique challenge regarding the disposal of obsolete computer equipment on a national and global scale.


Page 5: Best Practices To Mitigate Risks When Retiring IT Assets

Asset Retirement – Drivers

• Increased focus on asset management → Must manage TCO

• Environmental liability / data security → Detailed reporting and auditing

• Multiple locations, distributed IT equipment → Complex and costly logistics

• Greater corporate and environmental regulations → Increased scrutiny and accountability for tangible and intangible assets.


Page 6: Best Practices To Mitigate Risks When Retiring IT Assets

IT Asset Management Process


Sources: Gartner, IDC

[Chart: relative cost across the IT asset lifecycle, from beginning of lifecycle to end of lifecycle: Requisition, Procurement, Deployment, Maintenance, Retirement]

Page 7: Best Practices To Mitigate Risks When Retiring IT Assets

Why Can’t We Just Throw it Away?

• All E-Waste types
– Computers & Monitors
– Printers & Peripherals
– Complex Circuitry Items
– Materials Toxic to the Environment

• Lead
• Mercury
• Cadmium
• Gallium Arsenide
• Barium


Page 8: Best Practices To Mitigate Risks When Retiring IT Assets


Bringing Peace of Mind…

• Department of Commerce report estimated that in 2006, 50% - 70% of electronic waste was exported to developing countries

Page 9: Best Practices To Mitigate Risks When Retiring IT Assets

Environmental Risks

• Comprehensive Environmental Response, Compensation and Liability Act (CERCLA)
– a.k.a. “Superfund”
– Certificates of Recycling – “certification”
– Deep Pockets Ruling

• State by State Regulations
– What’s legal in one state is illegal in another

• A ‘Certificate of Recycling’ is meaningless

• Ask for Pollution Liability Insurance – $5 Million


Page 10: Best Practices To Mitigate Risks When Retiring IT Assets

Environmental Liability:


Page 11: Best Practices To Mitigate Risks When Retiring IT Assets


Credit Card Log File

Page 12: Best Practices To Mitigate Risks When Retiring IT Assets


Point of Sale Log File – Credit Card Numbers

Page 13: Best Practices To Mitigate Risks When Retiring IT Assets


Outlook – Outlook.pst

Page 14: Best Practices To Mitigate Risks When Retiring IT Assets


Accounting System – Social Security Number

Page 15: Best Practices To Mitigate Risks When Retiring IT Assets

Data Destruction Dilemma: Revenue or Neutral/Cost

• Physical Data Destruction
– Crushing – HDC
– Shredding – Service / Equipment
– Visual verification

• Sanitization
– Single Pass, Triple Pass, 7 pass, 29 pass, zillion pass
– DBAN
– Active KillDisk
– Ontrack – Data Erasure
– Blancco

• Degaussing

Page 16: Best Practices To Mitigate Risks When Retiring IT Assets

Degaussing


Page 17: Best Practices To Mitigate Risks When Retiring IT Assets

Profile Privacy Breaches

• Identity Theft – On the rise
– 22.4 Million Sensitive Records Breached in 2011
– Costs $53 Billion annually
– Costs $4,800 per individual
– Costs public companies – 5% stock value

• Sony
• Epsilon
• HealthNet


Page 18: Best Practices To Mitigate Risks When Retiring IT Assets


Page 19: Best Practices To Mitigate Risks When Retiring IT Assets

Bringing Peace of Mind to Data Privacy

• Look for a NAID Certified Service Provider


Page 20: Best Practices To Mitigate Risks When Retiring IT Assets

Considerations for Process Enhancements

• Chain of Custody
– How long do drives sit around before destruction?
– Where/How are they stored?
– Can they accidentally be picked up for reuse?

• Quality Assurance on Sanitization
– How are disks validated? (Every day, lot, each… never)
– Forensics Software?
  • EnCase
  • RTT Toolkit
– Different types of interfaces – SCSI, FibreChannel

• MOST IMPORTANT: Process and Controls – It’s Usually Human Error


Page 21: Best Practices To Mitigate Risks When Retiring IT Assets

Considerations for Process Enhancements

Where things go wrong:

Physical Destruction
• No timely destruction – they sit around
• Mistaken for wiped drives – so not crushed
• Inadvertent reuse

Sanitization
• Little or no QA/QC
• False negatives from faulty hardware
• Interfaces
• Mistaken for wiped drives


Page 22: Best Practices To Mitigate Risks When Retiring IT Assets

Considerations for Process Enhancements – NAID (Preliminary)

• Physical Destruction Process Outline:
– IT, Surplus or Vendor Team removes equipment from end user – transports and places in secure area
– Equipment is cataloged
– Drive is removed and cataloged
– Immediately crushed
– Subsequent shredding for recycling


Page 23: Best Practices To Mitigate Risks When Retiring IT Assets

Considerations for Process Enhancements – NAID (Preliminary)

• Sanitization Process Outline
– IT, Surplus, or Vendor Team removes equipment from end user – transports and places in secure area
– Equipment is cataloged
– System is sanitized
– Forensics verification – manager, outside firm
– Labeled

Alternatively (drive removed first):
– Drive is removed and cataloged
– System is sanitized
– Forensics verification – manager, outside firm
– Labeled
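The verification step in the outline above, and the "mistaken for wiped drives" failure on the previous slide, come down to one control: the "wiped" label is issued only after the drive is read back, never on the wipe tool's own report. The following is an added example, not LifeSpan's or NAID's tooling; it assumes a raw image read back from the drive after the wipe, and the asset tag, serial number and sample sectors are constructed.

```python
"""Read-back verification of a sanitized drive image, plus the custody record
that gates the "wiped" label on that verification (added example for this
page, not LifeSpan's or NAID's tooling; the raw image, asset tag, serial
number and sample sectors are constructed/assumed)."""
import hashlib
from datetime import datetime, timezone
from typing import Dict, List

SECTOR = 512  # bytes per sector read back from the drive


def residual_sectors(image: bytes, fill: int = 0x00) -> List[int]:
    """Sector numbers still holding bytes other than the wipe pattern.
    The wipe tool's own success status is not trusted (false negatives from
    faulty hardware); every sector is compared against the expected fill."""
    blank = bytes([fill]) * SECTOR
    bad = []
    for offset in range(0, len(image), SECTOR):
        chunk = image[offset:offset + SECTOR].ljust(SECTOR, bytes([fill]))
        if chunk != blank:
            bad.append(offset // SECTOR)
    return bad


def custody_record(asset_tag: str, serial: str, method: str,
                   image: bytes, fill: int = 0x00) -> Dict[str, object]:
    """Ledger entry for one drive. Status is derived only from the read-back,
    so a drive that still carries data cannot be labelled wiped and is routed
    to physical destruction instead of reuse."""
    bad = residual_sectors(image, fill)
    return {
        "asset_tag": asset_tag,
        "serial": serial,
        "method": method,
        "sectors_checked": (len(image) + SECTOR - 1) // SECTOR,
        "residual_sectors": bad,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "status": "SANITIZED-VERIFIED" if not bad else "FAILED-ROUTE-TO-CRUSH",
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


# Constructed sample: wipe reported success, but sector 5 was never overwritten.
PAYLOAD = b"residual customer record"
SAMPLE = bytearray(8 * SECTOR)
SAMPLE[5 * SECTOR:5 * SECTOR + len(PAYLOAD)] = PAYLOAD
CLEAN = bytes(4 * SECTOR)  # constructed: a fully zeroed image

if __name__ == "__main__":
    print(custody_record("AT-0001", "SN-CONSTRUCTED", "single-pass-zero", bytes(SAMPLE)))
```

On a real drive the image would come from a full read of the device after the wipe, and the record's image hash gives the auditor something to tie the label to.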


Page 24: Best Practices To Mitigate Risks When Retiring IT Assets

Solid State Hard Drive Technology


Page 25: Best Practices To Mitigate Risks When Retiring IT Assets

Solid State Hard Drives

• Reverse Engineered to mimic Magnetic Architecture

• Flash Translation Layer

• Lack of G-List

• In the race to go to market, SSD manufacturers were inconsistent in their adherence to the SATA standard.

• This has rendered wiping/sanitization software unable to perform a conclusive validation.


[Diagram: Magnetic HD vs. SSD HD, with the Flash Translation Layer (FTL)]

Page 26: Best Practices To Mitigate Risks When Retiring IT Assets

Are You Protected in the Event of a Data Privacy Breach?

• Do they have sufficient insurance? $1M Errors & Omissions

• Privacy Liability ($250,000)
– Notification/Credit Monitoring
– Public Relations Expenses

• Bodily Injury Coverage
– For those who claim emotional distress & mental anguish

• Hammer Clause (for frivolous suits)

• You shouldn’t have to worry about whether a claim will be paid


Page 27: Best Practices To Mitigate Risks When Retiring IT Assets

Data Privacy – Have You Considered…

• Digital Copy Machines contain Hard Drives
– Capture image of every page copied

• High-end Printers contain Hard Drives

• Smartphones & Blackberries
– Should be treated just as carefully as loose hard drives
– Sanitize Data / Shred SIM Card


Page 28: Best Practices To Mitigate Risks When Retiring IT Assets

Reputation Risk

• Many nationwide companies rely on smaller local recyclers, creating inconsistent practices on how materials are retired from region to region.

• Often “sham recyclers” simply cross dock and export E-waste to non OECD countries.

• Invariably, companies are unaware that their E-waste has not been legitimately broken down and recycled, but merely exported to countries that are unequipped to process it properly.

• Environmental watchdog groups are producing exposés in order to make an example of offending companies.


Page 29: Best Practices To Mitigate Risks When Retiring IT Assets

Free E-Waste “Recycling”


Source: Basel Action Network BAN.org

Page 30: Best Practices To Mitigate Risks When Retiring IT Assets

Environmental - Global “Recycling”


Hydrochloric / Nitric Acid Baths

Processing Residue along Lianjiang River

Source: Basel Action Network BAN.org

Page 31: Best Practices To Mitigate Risks When Retiring IT Assets

Reputation Liability: E-Waste ‘Sting’ Operations


60 Minutes Nov 9, 2008

Frontline, June 23 2009

Page 32: Best Practices To Mitigate Risks When Retiring IT Assets


Page 33: Best Practices To Mitigate Risks When Retiring IT Assets

Look for a Nationwide ‘Footprint’


[Map: nationwide facility footprint, with sites marked Recycling, Recycling / Sorting, and Sort / Audit; map dated 9/24/03]

Page 34: Best Practices To Mitigate Risks When Retiring IT Assets

Asset Retirement Program – Elements to Consider

(The slide lays these out as a continuum; the options shown for each element are listed here.)

• Frequency: 1-time pickup; once per year; quarterly; monthly; weekly

• Space: 0 to 1 pallets or E-cycle box; 2 to 4 pallets or E-cycle box; ½ to full truckload

• Location: single location; campus; coastal, regional; national

• Packing Resources: plenty of resources to pack; need resources sometimes; packing materials / inside removal

• Data Security: plenty of resources, strategic in-house; do in-house, need to check; SW and/or physical destruction

• Audit: plenty of resources, strategic in-house; do in-house, need to check; barcode serial #s, asset tags

• Recycle: transfer ownership, recycle domestic; global reman/reuse; no reuse, domestic only

Page 35: Best Practices To Mitigate Risks When Retiring IT Assets

Asset Retirement Program – Development of Continuum


[Diagram: continuum of service elements: Asset Auditing, Serial Number, Asset Tag, Data Destruction, Inside Pickup, Packing, Transportation, Logistics, Recycling, Reuse, Resale]

Sample LifeSpan Service Programs

Page 36: Best Practices To Mitigate Risks When Retiring IT Assets

Bringing ‘Peace of Mind’ to IT Asset Retirement

• Reduce your Liability in 3 Areas:

– Environmental

– Data Privacy

– Reputation


Page 37: Best Practices To Mitigate Risks When Retiring IT Assets

Vito Arminio

[email protected]

858-729-0289

Page 38: Best Practices To Mitigate Risks When Retiring IT Assets
