Asset Disposal and Information Security Alliance. John Sutton and Steve Mellings, 17th May 2012

Post on 18-Jan-2018


TRANSCRIPT

Asset Disposal and Information Security Alliance. John Sutton and Steve Mellings, 17th May 2012

Objectives of today's event
1. Introduce delegates to asset disposal and outline the compliance and practical issues.
2. Outline how delegates can mitigate risk from this process through the development and implementation of policy.

Today's Programme
9.30am - 9.45am: Registration and coffee
9.45am - 10.30am: Introduction to asset disposal and regulatory requirements. Speaker: Steve Mellings, ADISA
10.30am - 11.30am: Translating legislative requirements into meaningful policy. Speaker: John Sutton, ADISA
11.30am - 12.00pm: An overview of the IT Asset Disposal industry by an ADISA certified member, Tier 1 Asset Management Limited
12.00pm - 1.00pm: Lunch and Q & A

Part 1
- Introduction to ADISA.
- What is Asset Disposal?
- Regulatory and legal requirements within disposal.
- The state of the UK IT disposal marketplace.
- What happens when disposal goes wrong?

Introduction to ADISA
- Founders: John Sutton and Steve Mellings.
- Launched in October
- To regulate the UK ITAD industry.
- To promote IT Asset Disposal as a professional IT security industry.
- To assist data controllers in better understanding and addressing risks within disposal.
- Advisory Council of 22 leading experts.
- UK ITAD Standard introduced in January
- Adoption by 13 UK companies in 2011, with 22 companies now working towards certification.
- Non-country-specific standard introduced in
- Auditing in 12 countries in
- Speaking to UK, US, Canadian and Australian governments.
- For 2012: launching end user services.

What is asset disposal?
Any situation where the data controller transfers custody of an IT asset to a third party for management or processing, whether on a temporary or permanent basis.

Regulatory and legislative pressures
- Data Protection Act 1998
- FSA Guidelines
- Bar Council Directive
- PCI DSS compliance
- HMG IA Standard No. 5 - Secure Sanitisation of Protectively Marked or Sensitive Information
- Copyright, Designs and Patents Act 1988
- Waste Electrical and Electronic Equipment (WEEE) Directive
- Official Secrets Act 1911
- Human Rights Act 1998
- Computer Misuse Act 1990
- Regulation of Investigatory Powers Act 2000
- The Lawful Business Practice Regulations 2000
- Environmental Information Regulations 2004

What does the Regulator think? What does the Information Commissioner think?
The Information Commissioner's Office is soon to release a set of guidance notes for asset disposal which will state that the data controller must:
- Have a policy document, and that document must be fit for purpose.
- Have a contract in place with the service provider, with clearly designated responsibilities.
- Have evidence of a thorough vendor selection process, and the vendor must hold relevant industry certifications / standards.
- Stipulate that the correct tools, fit for purpose, are used for the act of sanitisation.
- Have evidence of vendor management and auditing.

Two simple actions equal compliance
1. Ensure all data is sanitised.
2. Ensure your assets don't propagate the e-waste problems.

Why is this such a problem? Issues within the UK ITAD marketplace

ITAD problems
- Largely unregulated.
- No barriers to entry.
- Highly competitive.
- Service deemed a commodity.
- Lack of awareness.
- Huge variation in quality.
- Weak or non-existent value proposition.

End user problems
- Poor understanding of the problem.
- Corporate and individual apathy.
- Poor perception of disposal as a genuine discipline.
- Decision making / ownership sits in various places within the business.
- Central policy is flawed.
- Vendor selection, management and value is low.
- Often viewed as an afterthought.

Why should data controllers take Asset Disposal seriously?
- Data breach
- Brand erosion
- Reputational damage
- Regulatory action
- Legal compliance
- Data breach and uncontrolled risk taking ... and more!

Ethical re-cycling?
(Photo caption) One of thousands of Nigerians involved in repairing and reselling imported used electronic equipment. Unfortunately much of the imported electronic equipment cannot be repaired and is dumped instead. 2006, Basel Action Network (BAN).
Why are illegal exports an issue? UK Environment Agency.

Regulatory action
- Zurich: FSA fine of £2.27m, 2010
- HSBC: FSA fine of £3m, 2008
- Norwich Union: FSA fine of £1.6m, 2007
- Environment Agency took court action against 10 companies.
- Plymouth City Council: Environment Agency fine, 2010
- ICO record fine of £375,000 (currently pending appeal)

Brand erosion / reputational damage
- Morgan Grenfell
- Paul McCartney, 2001
- NASA: global coverage, 2010
- Lockheed: US missile defence information, 2009
- Ford: new design for the unreleased Ford Ka, 2009
- Citi Bank and various NHS Trusts / Councils
- BBC TV: Panorama, Inside Out and Blood Sweat and Tears

Criminals are targeting our data
- The value is in the data: we are in the information age.
- The theft of data is at the heart of computer crime.
- All data has a price.
- Russian bot net.
- Flea markets in Africa.

Part 1 in summary
- Poor industry.
- Low level of understanding from the data controller community.
- Increased regulation.
- Evidence of disposal going wrong.
- Criminals are targeting us.
End of Part 1: all bad news!

Part 2: How to write meaningful policy
Stage 1: Take control. Have written policies and proper implementation.
Stage 2: Be prescriptive. Develop an approved specification for IT Asset Disposal.
Stage 3: Use the experts. Utilise trusted, expert service providers.
Stage 4: Report, audit and measure. Verify that the process has been adhered to.

Key steps in IT Asset Disposal. Stage 1: Take control
- Understand the problem.
- Write policy to manage risk.
- Implement policy.

Understanding different media types
- Magnetic Hard Disk Drives (HDD)
- Solid State Drives (e.g. NAND Flash)
- Hybrid drives
- Magnetic tape
- Optical (DVD & CD)

Solid State Drives (SSD)
- Uses non-volatile Flash-based memory technology.
- No moving parts.
- Much faster boot time: 7200 RPM magnetic HDD 108 seconds, solid state 21 seconds.
- Same form factors as HDD (e.g. 2.5" and 3.5").
- More expensive: SSD $/GB; HDD $0.05/GB (3.5"), $0.10/GB (2.5").

Solid State Drives: vulnerabilities
- Secure erasure: HDD data-wiping products do not sanitise SSDs.
- Wear levelling.
- In-built erasure utilities are often badly implemented.
- Encryption-on-the-fly: depends how well the encryption key has been implemented.

Hybrid disk drives
- Uses a non-volatile cache (up to 4GB).
- Faster boot and resume.
- 90% power saving when powered down.
- Longer life (MTBF).

Hybrid drives: vulnerabilities
- Sanitisation issues: magnetic media sanitisation processes (data wiping and degaussing) do not work on SSD technologies.
- Requires separate sanitisation processes for the magnetic HDD and the flash-based cache.
- Vulnerable to overlooking the contents of the flash-based cache: a degaussed HDD becomes unreadable, but possibly up to 4GB of data is left in the cache.

Understand options for data sanitisation
- Delete: removes indexing and marks the area as available for overwriting.
- High level format.
- Low level format.
- Software overwriting. Is this the solution? Areas a software overwrite may not reach:
  - G-List (grown defects list)
  - Host Protected Area (HPA)
  - Device Configuration Overlay (DCO)
- Certified or approved software: CESG approved, e.g. Tabernus, Blancco, Kroll Ontrack etc.
- Physical destruction: degaussing; crushing / drilling / hammering etc.; shredding; incineration.

How to develop your written policy?
- Categorise the data at risk, to ensure the end-point sanitisation is commensurate with the risk level of a data breach.
- Determination of Business Impact Levels.
- Threat analysis: who are you protecting against? What is their capability?
- Risk assessment.
- Must be included within your overall Security Policy.

Implement your policy
Ensure that all staff know the approved specification for IT Asset Disposal.
What?
(Approved tools for use on each media type)
Where? (On-site or off-site?)
Who? (Approved vendors)
- Vendor selection.
- Asset management: where is the chain of custody started? How is it managed?
- Reporting: how is verification carried out?
- Auditing.
- Ownership of process: a Disposal Champion.

Stage 2: Be prescriptive. Developing an approved specification for IT Asset Disposal.

Example of an approved specification for IT Asset Disposal: sanitisation of magnetic hard disk drives, by risk level of the data and type of environment the drive is released into.

Risk level  | Same or equivalent secure environment      | Less secure environment                    | Any environment
Very Low    | File shredding product                      | Wipe with freeware product                 | Wipe with COTS product
Low         | Wipe with freeware product                  | Wipe with COTS product                     |
Medium      | Wipe with COTS product                      | Wipe with CESG approved Low Level product  | Wipe with CESG approved High Level product
Medium High | Wipe with CESG approved Low Level product   | Wipe with CESG approved High Level product | Degauss and destroy by shredding to 16mm
High        | Wipe with CESG approved High Level product  | Degauss and destroy by shredding to 16mm   | Degauss and destroy by shredding to 6mm
Very High   | Wipe with CESG approved High Level product  | Degauss and destroy by shredding to 6mm    | Destroy by incineration

Stage 3: Use the experts. Find trusted partners to take the strain and deliver the service YOU want.

Vendor selection
- 647 IT disposal companies in the UK, from a myriad of different backgrounds: scrap metal, logistics, facilities management, IT services companies, brokers, specialists, recyclers.
- Don't make price the main driver.
- Put contracts in place.
- Commit to working together.

ADISA ITAD Standard
- Business credentials.
- Logistics.
- Staff vetting.
- Asset management at every stage, including: physical security of the asset; verifiable transfer of custody; establishment and management of the chain of custody.
- Physical security.
- Secure data sanitisation utilising independently verified tools.
- Adopting the core principle of promoting re-use wherever possible, and then recycling using best current practice / process.
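The sanitisation options in Stage 1 warn that a software overwrite may not reach the G-List, the Host Protected Area (HPA) or the Device Configuration Overlay (DCO), and the ADISA standard above calls for independently verified tools. The following is an added example, not ADISA's code and not a tool the presentation names: it parses the text that hdparm -N and hdparm --dco-identify print on Linux and reports how many sectors a wipe of the visible LBA range would miss. The two hdparm outputs are constructed samples shaped like the real ones; to use it on a real drive, replace them with the output of those two commands.

```python
"""Check whether a software overwrite can reach every sector of an ATA drive.

Added example for this page; it is not ADISA's code and is not a tool the
presentation names. It parses the text that `hdparm -N` and
`hdparm --dco-identify` print on Linux, so that a drive with a Host
Protected Area (HPA) or a Device Configuration Overlay (DCO) is caught
before a wipe is signed off. The two outputs below are constructed samples
shaped like hdparm's real output.
"""
import re
from typing import Optional

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors, as hdparm reports

# Constructed `hdparm -N /dev/sdb` output. The first number is the LBA range
# the OS (and a wiping tool) can see; the second is the drive's native max.
HDPARM_N_SAMPLE = """\
/dev/sdb:

 max sectors   = 1949331248/1951428208, HPA is enabled
"""

# Constructed `hdparm --dco-identify /dev/sdb` output. A DCO can cap the
# "native max" itself, so the real capacity is only visible here.
HDPARM_DCO_SAMPLE = """\
DCO Checksum verified.
The following features can be selectively disabled via DCO:
\tTransfer modes:
\t\t udma0 udma1 udma2 udma3 udma4 udma5 udma6
\tReal max sectors: 1953525168
\tATA command/feature sets:
\t\t security HPA 48bit
"""


def parse_hpa(hdparm_n_output: str):
    """Return (visible_sectors, native_max_sectors) from `hdparm -N` text."""
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", hdparm_n_output)
    if not m:
        raise ValueError("no 'max sectors = x/y' line in hdparm -N output")
    return int(m.group(1)), int(m.group(2))


def parse_dco_real_max(dco_output: Optional[str]):
    """Return 'Real max sectors' from `hdparm --dco-identify`, or None."""
    if not dco_output:
        return None
    m = re.search(r"Real max sectors:\s*(\d+)", dco_output)
    return int(m.group(1)) if m else None


def hidden_capacity(hdparm_n_output: str, dco_output: Optional[str] = None):
    """Sectors an LBA-range overwrite would miss, split by what hides them."""
    visible, native = parse_hpa(hdparm_n_output)
    real = parse_dco_real_max(dco_output)
    true_max = max(native, real or 0)
    return {
        "visible_sectors": visible,
        "hpa_hidden_sectors": native - visible,
        "dco_hidden_sectors": true_max - native,
        "hidden_bytes": (true_max - visible) * SECTOR_BYTES,
        # Only when nothing is hidden does overwriting LBA 0..visible-1 cover
        # the addressable platter area; reallocated G-list sectors are a
        # separate matter that no LBA overwrite reaches.
        "overwrite_covers_drive": visible == true_max,
    }


if __name__ == "__main__":
    report = hidden_capacity(HDPARM_N_SAMPLE, HDPARM_DCO_SAMPLE)
    for key, value in report.items():
        print(f"{key:>24}: {value}")
```

On the constructed sample the HPA hides about 1 GiB and the DCO hides another 1 GiB, so overwrite_covers_drive is False and a certificate that says "wiped" for this drive proves less than it claims; a tool that is "fit for purpose" in the ICO's sense has to remove the HPA and DCO (or destroy the drive) first.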
Stage 4: Report, audit, measure. How do you know that the process has worked?

Creation and management of the chain of custody
- Identify what you are disposing of before transfer of custody into the hands of the service provider (off-site or on-site).
- Verify that audits of goods processed match those of goods issued.
- Test the validity of any certificate of data destruction. What does it mean? What does it prove?
- Ensure you know all third parties involved and when your assets are handed on.

Manage and audit your partner
- In our 2010 survey only 25% of ITADs were visited by their customers BEFORE work commenced.
- In our 2010 survey only 20% of ITADs were audited by their customers.
- Audit them to ensure they do what they claim they do.
- Assess their credentials against industry standards (use ours to benchmark them).
- Visit them and engage with them.

Summary
- Asset disposal is an infrequent but constant process for every business, but is poorly understood.
- Take control of the risk you are allowing into your disposal route via the development of an approved specification for IT Asset Disposal.
- Develop your own internal processes to create and manage the chain of custody.
- Use the right companies: ADISA certified companies.
- Audit, manage and measure. Don't trust, KNOW.

Any questions? END OF PART 2

Part 3 will see xxxxxxxxxxxxxxx introduce themselves and highlight how, as a service provider, they can help your companies address issues which you may or may not feel exist within your existing disposal supply chain.
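Stage 4 asks you to verify that goods processed match goods issued and to test what a certificate of data destruction actually proves; Stage 2 gives the approved specification that a certified method has to meet. The following is an added example, not ADISA's code and not a tool the slides name, that does both in one pass: it reconciles an asset register against the vendor's certificate by serial number, then checks each certified method against the Stage 2 table for magnetic HDDs and against the Stage 1 caveat that HDD wiping and degaussing do not sanitise an SSD or a hybrid's flash cache. The register, the certificate, their column names and the method labels are constructed; treating physical destruction as acceptable for flash media is an assumption (the slide's shred sizes are given for magnetic drives only), and the Low / Any cell of the table is left unencoded because the slide does not give one.

```python
"""Reconcile goods issued against a certificate of data destruction.

Added example for this page; it is not ADISA's code or a tool named in the
presentation. It applies two of the slides' checks: the Stage 2 approved
specification (minimum sanitisation for magnetic HDDs by risk level and
release environment) and the Stage 4 rule that goods processed must match
goods issued and that a certificate must prove something. The asset
register, the vendor certificate and their column names are constructed.
"""
import csv
import io

# Methods from weakest to strongest, in the order the slide's table escalates
# them. Assumption: physical destruction is treated as media-agnostic.
METHOD_RANK = {m: i for i, m in enumerate([
    "file shredding product", "freeware wipe", "cots wipe",
    "cesg low level wipe", "cesg high level wipe",
    "degauss + shred 16mm", "degauss + shred 6mm", "incineration",
])}
PHYSICAL = {"degauss + shred 16mm", "degauss + shred 6mm", "incineration"}

# Minimum method per (risk, release environment) for magnetic HDDs, as on the
# slide; the slide gives no "any" cell for Low, so none is encoded here.
SPEC_HDD = {
    ("very low", "same"): "file shredding product",
    ("very low", "less secure"): "freeware wipe",
    ("very low", "any"): "cots wipe",
    ("low", "same"): "freeware wipe",
    ("low", "less secure"): "cots wipe",
    ("medium", "same"): "cots wipe",
    ("medium", "less secure"): "cesg low level wipe",
    ("medium", "any"): "cesg high level wipe",
    ("medium high", "same"): "cesg low level wipe",
    ("medium high", "less secure"): "cesg high level wipe",
    ("medium high", "any"): "degauss + shred 16mm",
    ("high", "same"): "cesg high level wipe",
    ("high", "less secure"): "degauss + shred 16mm",
    ("high", "any"): "degauss + shred 6mm",
    ("very high", "same"): "cesg high level wipe",
    ("very high", "less secure"): "degauss + shred 6mm",
    ("very high", "any"): "incineration",
}

# Constructed register of what left the building (goods issued).
REGISTER_CSV = """asset_tag,serial,media,risk,release_env
A1001,WD-100,hdd,medium,less secure
A1002,WD-101,hdd,high,any
A1003,SS-200,ssd,medium,same
A1004,HY-300,hybrid,medium high,same
A1005,WD-102,hdd,low,same
"""

# Constructed certificate of destruction from the vendor (goods processed).
CERT_CSV = """serial,method
WD-100,cots wipe
WD-101,degauss + shred 6mm
SS-200,cesg high level wipe
HY-300,cesg low level wipe
WD-999,cots wipe
"""


def check_method(asset, method):
    """Return why the certified method is unacceptable, or None if it is fine."""
    if method not in METHOD_RANK:
        return f"unknown method '{method}'"
    if asset["media"] in ("ssd", "hybrid") and method not in PHYSICAL:
        # Slide: HDD wiping and degaussing do not sanitise flash, and a
        # hybrid's flash cache survives a degaussed platter.
        return f"{asset['media']} not sanitised by '{method}' (wipe/degauss miss flash)"
    required = SPEC_HDD.get((asset["risk"], asset["release_env"]))
    if required is None:
        return f"no specification row for ({asset['risk']}, {asset['release_env']})"
    if METHOD_RANK[method] < METHOD_RANK[required]:
        return f"'{method}' is below the required '{required}'"
    return None


def reconcile(register_csv, cert_csv):
    """Match serials issued against serials certified and vet each method."""
    register = {r["serial"]: r for r in csv.DictReader(io.StringIO(register_csv))}
    cert = {c["serial"]: c["method"] for c in csv.DictReader(io.StringIO(cert_csv))}
    findings = {
        "not_on_certificate": sorted(register.keys() - cert.keys()),  # custody gap
        "not_issued": sorted(cert.keys() - register.keys()),          # whose drive?
        "method_issues": {},
        "ok": [],
    }
    for serial, asset in register.items():
        if serial in cert:
            problem = check_method(asset, cert[serial])
            if problem:
                findings["method_issues"][serial] = problem
            else:
                findings["ok"].append(serial)
    findings["ok"].sort()
    return findings


if __name__ == "__main__":
    for key, value in reconcile(REGISTER_CSV, CERT_CSV).items():
        print(f"{key}: {value}")
```

On the constructed data only WD-101 passes: WD-102 was issued but never certified (a break in the chain of custody to raise with the vendor), WD-999 appears on the certificate without ever having been issued, WD-100 was wiped with a weaker method than the specification requires for medium-risk data released into a less secure environment, and the SSD and hybrid drive were "wiped" with HDD tools that the slides say do not reach flash.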