CISO Data Destruction Risk Assessment

CISO data destruction cost benefit and risk assessment

Whenever an organization disposes of IT assets such as computer hard drives, cell phones and other storage media (CDs, USB drives), a policy needs to be in place to ensure that any data stored on them is adequately destroyed. These policies are created by CISOs using Risk Assessment and Cost-Benefit practices.

These policies must be created within the organization and enforced in order to remain effective and compliant. When creating a policy for data destruction, it’s important to consider all of the relevant factors, so try to involve voices and opinions from different branches of your organization.

Risk Assessment

The Risk Assessment considers the probability or likelihood of a negative event occurring and the consequences or impact of such an event. Example scenario: a data breach due to a lost hard drive.

Probability: Extremely low if the drive is shredded. High if the drive is only erased/wiped, because a wipe can fail through human error.

Impact / Consequences: Critical to the organization.

Cost-Benefit Analysis

The goal of the Cost-Benefit analysis is to identify the optimal level of risk reduction at the best value possible, that is, the most cost-efficient option.

Costs: $5.00 per drive

Benefit: Low probability of data loss or breach

CISO Cover: Using a NAID Certified vendor (vetted) to physically shred drives while witnessed by an employee (verified), in compliance with NIST 800-88, and documented with a detailed Certificate of Destruction.

NIST 800-88 Guidelines

Step One: Categorize the impact or consequence of a data breach associated with a lost hard drive (low, moderate or high).

Step Two: Choose your data destruction process accordingly.

NIST Sanitization Decision Flow Chart
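The two steps above and the flow chart are a decision procedure, so here is an added example (written for this page, not code from the page author or from NIST) that encodes the sanitization decision flow and then checks a disposal record against the "vetted, verified, documented" policy described under CISO Cover. The branch structure is the example author's reading of NIST SP 800-88 Rev. 1 Figure 4-1, the method-to-level mapping is an assumption based on that publication's guidance for magnetic hard drives, and the record field names and sample serial numbers are constructed for illustration; check them against the current revision of 800-88 before relying on them.

```python
"""Added example: NIST SP 800-88 style sanitization decision flow plus a
policy check over a Certificate of Destruction record. Assumptions are
marked in the comments; none of this is the page's own code."""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Impact(Enum):
    """Impact categorization used as the entry point of the flow chart."""
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"


# Sanitization levels in increasing order of assurance.
LEVELS = ("Clear", "Purge", "Destroy")

# Assumption: level each method reaches for a magnetic hard drive, based on
# the example author's reading of SP 800-88 Rev. 1. Flash media differs
# (e.g. degaussing does not purge an SSD), so this table is HDD-only.
METHOD_LEVEL = {
    "overwrite": "Clear",
    "ata_secure_erase": "Purge",
    "crypto_erase": "Purge",
    "degauss": "Purge",
    "shred": "Destroy",
}


def choose_sanitization(impact: Impact, reuse_media: bool,
                        leaving_org_control: bool) -> str:
    """Assumption: author's reading of SP 800-88 Rev. 1 Figure 4-1.
    Media reused inside the organization takes the lower branch (Clear, or
    Purge for High impact); media that is not reused or that leaves
    organizational control takes the higher branch (Purge, or Destroy for
    High impact)."""
    stays_internal = reuse_media and not leaving_org_control
    if impact is Impact.HIGH:
        return "Purge" if stays_internal else "Destroy"
    return "Clear" if stays_internal else "Purge"


@dataclass(frozen=True)
class DisposalRecord:
    """Constructed field set for a Certificate of Destruction entry."""
    asset_serial: str
    impact: Impact
    reuse_media: bool
    leaving_org_control: bool
    method: str
    vendor_naid_certified: bool   # "vetted"
    witnessed_by_employee: bool   # "verified"
    certificate_id: str           # "documented"
    performed_on: date


def control_gaps(record: DisposalRecord) -> list:
    """Return the policy gaps for one disposal record. An empty list means
    the record meets the policy: a vetted vendor, an employee witness, a
    method at or above the level the flow chart requires, and a certificate."""
    gaps = []
    required = choose_sanitization(record.impact, record.reuse_media,
                                   record.leaving_org_control)
    achieved = METHOD_LEVEL.get(record.method)
    if achieved is None:
        gaps.append(f"unknown method {record.method!r}")
    elif LEVELS.index(achieved) < LEVELS.index(required):
        gaps.append(f"method {record.method!r} reaches {achieved}, "
                    f"policy requires {required}")
    if not record.vendor_naid_certified:
        gaps.append("vendor is not NAID certified (not vetted)")
    if not record.witnessed_by_employee:
        gaps.append("destruction not witnessed by an employee (not verified)")
    if not record.certificate_id:
        gaps.append("no Certificate of Destruction recorded")
    return gaps


def page_scenarios() -> dict:
    """Constructed records for the page's two cases: a high-impact drive
    shredded by a vetted vendor with a witness, and one merely wiped."""
    shredded = DisposalRecord("HDD-EXAMPLE-0001", Impact.HIGH, False, True,
                              "shred", True, True, "COD-EXAMPLE-1",
                              date(2024, 1, 15))
    wiped = DisposalRecord("HDD-EXAMPLE-0002", Impact.HIGH, False, True,
                           "overwrite", True, False, "", date(2024, 1, 15))
    return {"shredded": control_gaps(shredded), "wiped": control_gaps(wiped)}


if __name__ == "__main__":
    for name, gaps in page_scenarios().items():
        print(name, "->", "compliant" if not gaps else gaps)
```

Running the block reports the shredded drive as compliant and lists three gaps for the wiped one (overwrite only reaches Clear where Destroy is required, no witness, no certificate), which is the risk-assessment point of the page expressed as a check a CISO can run over every line of a disposal log.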