CISO Data Destruction Risk Assessment
Whenever an organization disposes of IT assets such as computer hard drives, cell phones and other storage media (CDs, USB drives), a policy needs to be in place to ensure that any data stored on them is adequately destroyed. CISOs create these policies using Risk Assessment and Cost-Benefit practices.
These policies must be created within the organization and enforced in order to remain effective and compliant. When creating a policy for data destruction, it is important to consider all of the relevant factors, so involve voices and opinions from different branches of your organization.
The Risk Assessment considers the probability or likelihood of a negative event occurring and the consequences or impact of such an event. Example: data breach due to a lost hard drive.
Probability: Extremely low if the drive is shredded. High if the drive is only erased/wiped, because human error can leave data recoverable.
Impact / Consequences: Critical to the organization.
The goal of the Cost-Benefit analysis is to identify the optimal level of risk reduction at the best value possible, that is, the most cost-efficient option.
Costs: $5.00 per drive
Benefit: Low probability of data loss or breach
CISO Cover: Use a NAID Certified vendor (vetted) to physically shred drives while an employee witnesses the destruction (verified), in compliance with NIST 800-88. Document the process with a detailed Certificate of Destruction.
NIST 800-88 Guidelines
Step One: Categorize the impact or consequence of a data breach associated with a lost hard drive (low, medium or high).
Step Two: Choose your data destruction process accordingly.