Policy Points: Used Equipment Sold with Sensitive Data

In September 2011 a security researcher purchased some used network equipment for about $30 USD from  Ebay.    Once the equipment was delivered, the researcher found that it used to belong to the UK National Air Traffic Services (NATS) and that loads of sensitive data was still stored on the device, including network IP addresses and passwords.  This is but the latest in a string of similar incidents (See footnote) related to the same problem:  Many businesses either (1) do not effectively erase electronic data at all or (2) forget to include the wide variety of modern equipment that has storage and needs to be effectively erased.

Combating this common problem involves implementing two types of security policies. First is the obvious policy that requires all types of storage devices to be sanitized before reuse or disposal.  This is the common security policy that you might find called for in many regulations.  Although considered common practice, this policy still requires that the organization specify the methods that must be used and the process be documented.

Consider the following sample information security policy that has been part of Information Security Policies Made Easy for many years:

Policy:  The Information Security Department must maintain an inventory of all Company X computer and network equipment that has been taken out of commission. This inventory must also reflect all actions taken to clear memory chips, hard drives, and other storage locations in this same equipment of all stored information.

Second is an additional, related policy that requires the organization to maintain an accurate inventory of all equipment that may store sensitive information.  This second policy is often overlooked, but helps management stay aware of the variety of new devices that have hard-drives or other forms of permanent or semi-permanent storage.  This policy could be implemented as part of an asset inventory, or as part of the process IT uses to issue new equipment.

Policy:  The Information Security Department must maintain an inventory of all Company X computer, office and network equipment that will store sensitive information.   

Together these policies will dramatically reduce the risk of equipment being accidentally lost in the shuffle of today’s complex IT environment.

Related Incidents involving discarded equipment:

Photocopier Disk Contains Sensitive Information

Used Blackberry Sold for Data

NASA Disk Not Cleaned

Policy Points:  Is there a policy for that?

This is part of series of articles where we discuss real-world incidents that were caused by missing or incomplete information security policies.    In most cases, the incident could have been avoided if the organization had implemented one or two security policies found within our standard security policy library.