Whether erasing or destroying data to meet compliance, recycle resources or to decommission old equipment, many companies choose to outsource asset disposal to third parties to minimize cost. Choosing an IT Asset Disposition (ITAD) service can be difficult. Making the wrong decision could mean facing a costly data breach incident and fines for not meeting regulatory compliance. Regardless of your industry, there are a few best practices you can follow when choosing an ITAD service provider to dispose of sensitive data.
1. Request Certificates of Sanitization (CoS)
NIST’s guidelines regarding media sanitization state, “a certificate of media disposition should be completed for each piece of electronic media that has been sanitized.” This certificate is often referred to as a CoS. The certificate should include details such as the serial number, media type, media source and description of the sanitization method. To see more, refer to NIST 800-88. According to IT Renew, a leading ITAD vendor, “Certified data erasure and serialized asset reconciliation eliminates physical data breach risks.”
2. Ensure Documentation will be Supplied
While having an audit trail that shows proof of erased data along with a log of defects and failed locations with serial numbers was always a good idea, it’s going to be more important than ever. Under the GDPR going into effect next month, businesses must be able to show proof of data erasure for EU citizens, and show a clear audit trail to be in compliance. They should also be able to provide documentation of the chain of custody of your assets when undergoing disposition. Under GDPR, businesses will also face larger fines for data breaches. Under this new regulation, the business who owns the data, referred to as the data controller, is just as responsible for the data as the ITAD, the data processor in this case.
3. Ensure They Can Prove Compliance
What standards does the potential service provider follow? NIST 800-88 or D.O.D. 5220.22? Hopefully they are familiar with both standards. Asking about employee training can help you gain more insight into the company’s processes. There’s no such thing as an official certification for these standards, so making sure you ask about their processes and ensuring they can provide all the documentation mentioned above will help you be sure they adhere to these data destruction standards. If they follow these standards and are able to provide all the documentation, this will also help you ensure you are in compliance with other industry standards your company might be required to follow, such as HIPAA, PCI and SOX. If an ITAD vendor holds any ADISA certifications, this is also a good sign they can meet your compliance standards.
4. Check Their Background
Once you narrow it down to a couple of potential providers, be sure to request customer references and follow up with them. Also, make sure the company is insured. This will reflect how prepared they are to assume responsibility should something happen to your data. Lastly, investigate their staff. Are they background-checked? What kind of security training have they received?
5. Request an Explanation of Methods
Do not use a provider who is not willing to explain their process for data erasure or data destruction. A best practice is that the provider begins with a digital discovery process to locate the data that should be destroyed. This is important to find data recorded to multiple locations for fault tolerance. Ask if the asset tracking and data erasure platforms interface. This will reduce likelihood of errors. Inquire about their methods for erasing data from various types of resources – SSD, HDD and RAID.
Erasing data while the resources are still on site and in cabinet is the lowest-risk process. If you must ship your assets offsite for destruction, be sure you retain a record of the chain of custody and obtain all the details of the process from the service provider beforehand.