Disposing of or recycling old computer hardware, also called decommissioning, poses a cybersecurity risk if any data storage components are not erased or physically shredded prior to recycling. Examples of at-risk computer hardware include desktops, laptops, tablets, servers, network switches, smart phones, hard drives, USB drives, or any electronic storage device.1
Steps that organizations can take to decommission and dispose of hardware include ensuring that devices and media are securely erased and then either securely destroyed or recycled; ensuring that inventories are updated to reflect the status of decommissioned devices and of media ready to be decommissioned; and ensuring that data privacy is protected through proper migration to new systems or total data destruction.
Removing information from computing devices is called clearing. The National Institute of Standards and Technology (NIST) defines clearing as a form of media sanitization that does not allow information to be retrieved by data, disk, or file recovery utilities. It must also be resistant to keystroke recovery attempts from devices such as keyboards or mice, and from data scavenging tools.
For magnetic devices such as tape storage, hard drives, and USB drives, degaussing (demagnetization by exposure to a strong magnet, which destroys any recorded bits) is also a form of media sanitization or clearing. Degaussing destroys both the information on the device and the firmware that makes the device run.
Finally, Cryptographic Erase (CE) is a sanitization technique that can be used when data is encrypted and stored on media. With CE, media sanitization is performed by permanently erasing the cryptographic keys used to encrypt the data, rather than by sanitizing the storage locations that contain the encrypted data itself.
CE techniques can sanitize media quickly and support partial sanitization, also referred to as selective sanitization, with applications for cloud computing and mobile devices. If data erasure verification cannot be performed, organizations should use alternative sanitization methods that can be verified.
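The clear, verify, and inventory-update steps described above can be sketched as follows. This is an added example, not code from the original page: it assumes a single-pass zero overwrite as the clearing method, uses a temporary file as a constructed stand-in for a storage device, and the asset tag and record fields are hypothetical. Reading the media back only checks the addressable space.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB I/O unit

def clear_media(path, pattern=b"\x00"):
    """Overwrite every addressable byte with a one-byte pattern; return the size."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # also works where getsize() reports 0
        f.seek(0)
        for start in range(0, size, CHUNK):
            f.write(pattern * min(CHUNK, size - start))
        f.flush()
        os.fsync(f.fileno())  # push the overwrite out of the OS cache
    return size

def verify_cleared(path, pattern=b"\x00"):
    """Read everything back; return offsets of chunks still holding other data."""
    bad, offset = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != pattern * len(chunk):
                bad.append(offset)
            offset += len(chunk)
    return bad

def sanitize_and_record(asset_tag, path):
    """Clear, verify, and build the inventory entry for the asset."""
    size = clear_media(path)
    bad = verify_cleared(path)
    return {
        "asset_tag": asset_tag,
        "bytes": size,
        "method": "clear (single-pass overwrite)",
        "verified": not bad,
        "failed_offsets": bad,
        # Media that fails verification is held for another method, not recycled.
        "status": "sanitized" if not bad else "hold: use alternative method",
    }

def make_sample_media(size=3 * CHUNK + 123):
    """Constructed stand-in for a device: a temp file filled with fake records."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"PATIENT-RECORD;" * (size // 15 + 1))[:size])
    return path

if __name__ == "__main__":
    media = make_sample_media()
    print(sanitize_and_record("ASSET-0001", media))  # constructed asset tag
    os.remove(media)
```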
The Need for Hardware Disposal
Improper disposal of computer hardware and media that may contain sensitive data such as financial information or protected health information (PHI) puts organizations at risk for data breaches and cyber-attacks.
Media sanitization and destruction, both physical and virtual, is also a key element in assuring confidentiality. Confidentiality is defined as preserving authorized restrictions on information access and disclosure, including protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Information security concerns regarding information disposal and media sanitization reside not in the media itself but in the recorded information. All electronic media should be assumed to contain information commensurate with the security categorization of the system’s confidentiality.
Technical Framework Hardware Disposal Services
Hardware Disposal Services are essential to ensure confidentiality and prevent the unauthorized disclosure of information, and to minimize cyber-incident damage, downtime, and organizational losses. Technical Framework offers comprehensive hardware disposal and data destruction services to minimize the risk of data breaches or credential theft. Technical Framework also implements and maintains best practices for hardware disposal and data destruction capabilities to help clients ensure their IT security, productivity, and regulatory compliance.