Current Filter: >>>>>>

   

• Who should you turn to, in order to get this right?
• What are the possible consequences of selecting the wrong vendor to manage this process for you?
• And how do you know who you can really trust to dispose of your data - and possibly also hardware - professionally and ethically?

DEEP INSIGHTS
By the time this article is published, ADISA will have undertaken its 200th audit and can certainly claim to have a deep understanding of asset disposal. "During this journey, we have seen great examples of where companies get asset disposal right, but sadly all too often examples of where they get it wrong," says ADISA director Steve Mellings. "Perhaps the most recurring issue we have seen is that the vast majority of business clients still believe that a trust model is sufficient to control their downstream."

A recent survey showed that less than 30% of clients manage the engagement in accordance with the Information Commissioner's Office guidelines. "Contracts, audits and clear service specifications should really be routine," adds Mellings, "but sadly there is a tendency to allow retired assets to leave with only cursory scrutiny of the companies to whom you entrust terabytes of personal and corporate data.

"We have also seen that business clients are still preoccupied with magnetic hard drives. There are countless companies that satisfy themselves with a comfort blanket of certificates of hard drive destruction - or a confident position that 'we're okay, because we shred our hard drives'," he continues. "A failure to understand that data resides on many different media is a common issue." The industry itself is maturing quickly and there is a clear movement from those who just want to recycle or sell old equipment to those who are creating a genuine service, he adds.

"However, the sector is still awash with huge variations in acceptable practice. In our time, we have seen practices including: allowing drives that have failed a wipe to be shipped downstream for repair before being sold without client consent; damaged phones being sold for repair (often overseas and still with data on); assets being triaged at point of entry and only those that have value being processed, whilst the remainder are sent (intact) downstream for 'recycling'.

"Finally, we have seen certificates of data destruction being issued before the assets have been processed and, in one case, certificates of hardware destruction issued to a customer when the hardware itself was right in front of me. Of course, these get weeded out within the certification process, but they persist in some quarters of the sector."

So, while there is concern from businesses that they need to protect their data at end of life, poor practice is endemic, from both end users and within many parts of the industry, which is so basic that the starting point for improvement doesn't need to be particularly sophisticated, Mellings argues.

"Improvement should be started at C Level by identifying this, perhaps unfashionable, business process as being a critical element within the overall data protection battlefield. By raising the profile of this process, improvements can be made by greater appreciation and understanding. Speak to the leading suppliers of products and services in this sector and learn from them. They have the expertise and focus, which can help you ensure your name won't be in the headlines next time an asset with data on is purchased off an auction site."

Page   1  2