
    ISO 27001 & ISO 22301 Blog

    Secure equipment and media disposal according to ISO 27001

    Think about the following scenarios:

    Printed documents (e.g., budget drafts or clients' rejected proposals) that are no longer needed are used as scratch paper, or pile up in waiting areas until removal.

    Defective equipment (e.g., the CEO's tablet or a project team's notebooks) is discarded by maintenance staff, put directly in the trash, or sold as scrap.

    Equipment considered obsolete (e.g., a five-year-old server in good condition) is sold to recoup part of the investment, or donated to enhance the business's image.

    In these situations, how would you ensure that recovery or reuse of the document or equipment does not expose information that could compromise business activities or people's privacy? An Internet search turns up cases where improper disposal of assets and documents was the root cause of an incident:

    • An organization's hard drives were sold on the Internet containing thousands of confidential documents, employee names, Social Security numbers, and confidential memos to the CEO
    • A disposed computer at a university contained names, Social Security numbers, and financial aid information of thousands of students
    • An organization was using recycled paper containing credit card, debit card, and personal information, potentially exposing thousands of records

    Fortunately, ISO 27001 provides orientation and guidance on how to securely dispose of media and assets in ways that minimize the risk of exposing compromising information.

    Why bother with secure disposal?

    Asset and media disposal may appear to be simple activities, since we generally only dispose of things we deem no longer needed or not valuable. However, think of environmental recycling: what is worthless to one person can be highly valuable to another.

    The same applies to information. A piece of information we consider worthless can give a competitor a business advantage, help a criminal exploit an organization's weaknesses or, worse, damage a customer's or other person's life when their personal or private information is used to commit a crime in their name.

    ISO 27001 controls and ISO 27002 recommendations

    With the objective of protecting a business's relevant information during its entire lifecycle, ISO 27001 provides two specific controls related to information disposal:

    • Whenever media are to be discarded, procedures should be in place to ensure proper information disposal (control A.8.3.2 – Disposal of media).
    • Equipment containing storage media shall be verified to ensure it is free of sensitive information prior to disposal or reuse (control A.11.2.7 – Secure disposal or reuse of equipment).

    As with other controls, secure disposal should be supported by an organizational policy.

    Media disposal

    Regarding media disposal, ISO 27002 recommendations can be summarized as follows:

    Disposal procedures should be proportional to the information classification level: The higher the classification, the greater the assurance needed that the information cannot be retrieved after disposal. Shredding or incinerating the media, or overwriting the data, are examples of good practice.

    Clear identification of information that will require secure disposal: A watermark or colored border makes it easier for someone to identify information that should be securely disposed of.

    Dispose of media mixing different types: The greater the mix of different items (e.g., CDs, HDDs, paper, etc.), the harder it is to recover a specific media item, and the more secure the disposal.

    Control access to accumulated media awaiting disposal: A large quantity of non-sensitive information, taken together, can make it possible to retrieve sensitive information (the aggregation effect). For example, a great number of old published market reports put together may allow someone to infer a trend related to a sensitive market strategy. Consider defining a short accumulation period or a small storage volume that triggers the disposal procedures.

    Keep traceability of sensitive disposed items: To ensure the items were properly disposed of, keep a log listing, at a minimum, who performed the procedure, when, and what method was used.

    Media disposal recommendations
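As an added example (not from the article or from Advisera), the following Python checker applies two of the recommendations above to a disposal log: every entry must record who performed the disposal, when, and which method was used (traceability), and the method must be at least as strong as the item's classification requires (proportionality). The classification scale, the method ranking, the field names and the sample log entries are all assumptions constructed for this example; ISO 27001 itself leaves those choices to the organization.

```python
from datetime import datetime

# Assumed classification scale and the minimum disposal strength each level needs
# (a sample policy: ISO 27001 leaves the scale and thresholds to the organization).
MIN_STRENGTH = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Methods named in the article ranked by how hard recovery is; "recycle" is an
# assumed label for plain waste with no sanitization at all.
METHOD_STRENGTH = {"recycle": 0, "overwrite": 1, "shred": 2, "incinerate": 3, "grind": 3}
# Traceability: who performed the disposal, when, and which method was used.
REQUIRED_FIELDS = ("item", "classification", "performed_by", "performed_at", "method")

def check_record(record):
    """Return the list of findings for one disposal log entry (empty list = OK)."""
    findings = [f"missing field: {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if findings:
        return findings  # cannot judge proportionality without the basic fields
    try:
        datetime.strptime(record["performed_at"], "%Y-%m-%d")
    except ValueError:
        findings.append("performed_at is not a YYYY-MM-DD date")
    level, method = record["classification"], record["method"]
    if level not in MIN_STRENGTH:
        findings.append(f"unknown classification: {level}")
    elif method not in METHOD_STRENGTH:
        findings.append(f"unknown method: {method}")
    elif METHOD_STRENGTH[method] < MIN_STRENGTH[level]:
        findings.append(f"method '{method}' too weak for '{level}' data")
    return findings

def audit(records):
    """Map each item id to its findings, keeping only entries that have problems."""
    return {r.get("item") or f"entry#{i}": findings for i, r in enumerate(records)
            if (findings := check_record(r))}

# Constructed sample log (not real data): one compliant entry, one method too weak
# for the classification, one missing the operator that performed the disposal.
SAMPLE_LOG = [
    {"item": "HDD-0042", "classification": "restricted", "performed_by": "j.doe",
     "performed_at": "2024-03-01", "method": "grind"},
    {"item": "BOX-0007", "classification": "confidential", "performed_by": "m.roe",
     "performed_at": "2024-03-02", "method": "recycle"},
    {"item": "USB-0101", "classification": "internal", "performed_by": "",
     "performed_at": "2024-03-02", "method": "overwrite"},
]

if __name__ == "__main__":
    for item, findings in audit(SAMPLE_LOG).items():
        print(item, findings)  # BOX-0007 and USB-0101 are flagged
```

The same check can be run periodically over the real disposal register so that an auditor can see, per item, that the method matched the classification and that the record is complete.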

    Equipment reuse or disposal

    While control A.8.3.2 deals with the information and the media on which it is stored, control A.11.2.7 is directed at the proper handling of equipment that makes use of the media, since accessing or protecting the media sometimes requires more specialized knowledge. Here is a compilation of ISO 27002 recommendations for these controls:

    Equipment verification prior to disposal or reuse: Verify whether storage media (e.g., a hard drive or memory chips) is contained within the equipment. A disposal checklist can help ensure that critical elements are verified.

    Use of non-retrievable methods: Physical destruction (e.g., by grinding or shredding) or overwriting techniques, using specific or generic patterns, should be used to dispose of highly sensitive information.

    Evaluation of damaged equipment: Sometimes damaged devices need to be sent to external parties for repair. In these situations, the device should be assessed for sensitive data to determine whether it should be physically destroyed rather than sent for repair or discarded. ISO 31010 presents a good list of risk assessment techniques that can be used.

    Use of third parties

    Sometimes the volume of items, or the technical requirements for disposal, makes the use of a specialized organization a good option, but care should be taken in selecting a suitable one. Criteria you should consider are how it manages its own security, the disposal methods it uses, and its experience with your industry. Be sure to include all of this in the service contract. For additional recommendations, read 6-step process for handling supplier security according to ISO 27001.

    It can be trash for you, but may be treasure to someone else

    The value of information depends greatly on who uses it and how. Since it is virtually impossible to know how information will be used after it leaves the organization's control, disabling the media, or the equipment that contains it, can make recovery more difficult or prohibitively expensive. These precautions can help prevent problems for the organization, its customers, and its employees.

    To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.

    Rhand Leal
    Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.