Adopt a disposal of information action plan

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 30 May 2016
Organisations should adopt a disposal of information action plan when disposing of data and hardware, says Xperien's Wale Arewa.
The biggest mistake organisations make in IT asset disposal (ITAD) is procrastination.

Because many don't know how to adequately dispose of data and hardware, organisations end up locking away old computers in a storeroom, which becomes a major security risk.

This was according to Wale Arewa, CEO of Xperien, speaking at the cyber crime, POPI and ITAD seminar last week. He discussed the security risks associated with storage of old computers in the warehouse, adding that employees may end up reusing old hard drives or stealing them, which defeats the purpose of ITAD.

"The POPI Act says the day you don't need the information, you should make a plan to get rid of it, and hence Xperien has established a disposal of information action plan which consists of a process for disposal of both data and hardware.

"The first thing organisations should do is to appoint an information officer, who will make sure the company is legally complying with the ITAD laws. This also allows the responsibility to fall on one person," explained Arewa.

Conducting an internal audit and assessment, he said, is also important in finding out what needs to be disposed of and where the loopholes lie. This audit, he continued, should be followed by creating a record or document source which will allow the organisation to create a chain of custody.

"If you have sensitive data that shouldn't be exposed, you need to sign it off to all the people who will be removing it securely out of the building. This record allows you to collect someone's signature, so that you can prove the assets have been moved from point A to B, and eventually to where the data is going to be destroyed," he pointed out.

Removing data securely is of utmost importance. Arewa explained that there are three levels of disposal organisations can opt for: physical shredding, sanitisation and degaussing.

"These different types of disposal methods come with three different levels of security. The type of security required by the company determines the disposal method selected.

"Physical shredding cuts the metal platters into tiny little pieces. This method offers maximum security as the metal platters cannot be put together again. The sanitisation method consists of digitally erasing the software from hard drives. Organisations prefer this method because it enables them to retain the value of their computers. This method provides a medium level of security because it still allows the company to reuse the machine," he revealed.

Degaussing, explained Arewa, is a quick method of sanitising the data, but it also destroys the hard drive, offering maximum security. However, this method reduces the residual value of the computer and is ideal for companies that prefer to completely dispose of their IT assets and don't want them returned.

Dr Peter Tobin, consultant for IACT-Africa and CEO of technology solutions company PTC, says the POPI Act talks about what is reasonable and appropriate and what is organisational and technical regarding disposal of IT assets.

"The regulator is unlikely to take action against any organisation that has gone for physical destruction when disposing of their information, or that has been systematic about degaussing, or that has gone for any sanitisation. This is because there is proof of diligence, that the organisation has taken reasonable steps to dispose of information, and it should receive certificates for it," he points out.

Arewa notes that obtaining a data destruction certificate for the audit is important, as it proves the equipment was disposed of.

"The certificates are retained as a record and prove that the disposal of information has been conducted with due diligence. Once the equipment has been destroyed from an electronic information perspective, recycling should be the next step," he asserts.
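The chain-of-custody record and destruction certificate described above can be audited mechanically. This added example (not Xperien's or ITWeb's code) assumes a custody log of signed handoff and destruction records; asset tags, holder names and certificate references are constructed placeholders. It flags the three failure modes the article raises: an unsigned gap between two holders, destruction without a certificate, and an asset parked in a storeroom that never reaches disposal.

```python
"""Audit an ITAD chain-of-custody log for gaps and missing certificates."""
from collections import defaultdict

def rec(asset, action, src, dst, signed_by, certificate=None):
    """Build one custody record (hypothetical schema for this example)."""
    return {"asset": asset, "action": action, "src": src, "dst": dst,
            "signed_by": signed_by, "certificate": certificate}

# Constructed sample log: three drives leaving the building for destruction.
CUSTODY_LOG = [
    rec("HDD-001", "handoff", "storeroom", "courier", "j.doe"),
    rec("HDD-001", "handoff", "courier", "itad-vendor", "courier-7"),
    rec("HDD-001", "destroyed", "itad-vendor", None, "vendor-qa",
        certificate="CERT-PLACEHOLDER-1"),
    rec("HDD-002", "handoff", "storeroom", "courier", "j.doe"),
    # courier -> itad-vendor handoff was never signed: a custody gap
    rec("HDD-002", "destroyed", "itad-vendor", None, "vendor-qa",
        certificate="CERT-PLACEHOLDER-2"),
    # parked in the storeroom and never disposed of: the procrastination risk
    rec("HDD-003", "handoff", "desk", "storeroom", "j.doe"),
]

def audit_custody(log):
    """Return {asset: [findings]}; an empty list means a complete, certified chain."""
    by_asset = defaultdict(list)
    for r in log:
        by_asset[r["asset"]].append(r)
    findings = {}
    for asset, recs in by_asset.items():
        problems = []
        holder = recs[0]["src"]          # who held the asset before each record
        for r in recs:
            if r["src"] != holder:
                problems.append(f"custody gap: {holder} -> {r['src']} has no signed handoff")
            if not r["signed_by"]:
                problems.append(f"unsigned record at {r['src']}")
            holder = r["dst"]
        last = recs[-1]
        if last["action"] != "destroyed":
            problems.append(f"not destroyed: still held by {last['dst']}")
        elif not last["certificate"]:
            problems.append("destroyed without destruction certificate")
        findings[asset] = problems
    return findings

if __name__ == "__main__":
    for asset, problems in audit_custody(CUSTODY_LOG).items():
        print(asset, "OK" if not problems else "; ".join(problems))
```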

Compliance with the National Environmental Waste Management Act of 2008, a green act which says we must consider the energy used to destroy and recycle items, ensures the environment is not polluted. Disposing of laptops and computers can increase an organisation's carbon footprint, and the method of disposal may cause more damage to the environment, he warned.

"In the industry, ideally we should recycle and take a typical computer, break it down to metal, plastic, glass ceramics and precious metals. We can then demanufacture them and take them to the various industries, such as the plastics and metals industries, to help in the value recovery," he said.

As part of the disposal of information action plan, Arewa also advised organisations to develop an incident response plan which is a self-policing plan aimed at reducing the likelihood of an incident taking place.

"The aim of this response plan is to tell you how to respond during a security compromise or a data breach. Making a mistake with data is bound to happen, and if the organisation has a data incident response plan this will assist them in understanding what remedial action should be taken, i.e. informing the clients whose data you have lost should be the first thing organisations do," he concluded.