Best Practices To Mitigate Risks When Retiring IT Assets
1. Interested in data center security and disaster recovery?
Learn about the Security and DR track at the
upcoming Fall 2012 Data Center World Conference at:
www.datacenterworld.com.
This presentation was given during the Spring, 2012 Data Center World Conference and Expo.
Contents contained are owned by AFCOM and Data Center World and can only be reused with the
express permission of AFCOM. For questions or permission, contact: jater@afcom.com.
3. Bringing ‘Peace of Mind’ to IT
Asset Retirement
• Reduce your Liability in 3
Areas:
– Environmental
– Data Privacy
– Reputation
Confidential – not for distribution without LifeSpan’s written consent.
4. Equipment Retirement -
Issues
• E-waste is the fastest growing portion of the entire
waste stream, growing two to three times faster than
any other waste stream. It is the largest single source
of lead in municipal solid waste (about 30%).
The United States faces a unique challenge regarding
the disposal of obsolete computer equipment on a
national and global scale.
5. Asset Retirement -
Drivers
• Increased focus on asset management
– Must manage TCO
• Environmental liability / data security
– Detailed reporting and auditing
• Multiple locations, distributed IT equipment
– Complex and costly logistics
• Greater corporate and environmental regulations
– Increased scrutiny and accountability for tangible and intangible assets
6. IT Asset Management Process
[Figure: relative cost by lifecycle stage, from beginning of lifecycle to end of lifecycle. Stages: Requisition, Procurement, Deployment, Maintenance, Retirement. Sources: Gartner, IDC]
7. Why Can’t We Just Throw it
Away?
• All E-Waste types
– Computers & Monitors
– Printers & Peripherals
– Complex Circuitry Items
– Materials Toxic to the Environment
• Lead
• Mercury
• Cadmium
• Gallium Arsenide
• Barium
8. Bringing Peace of Mind…
• Department of Commerce report estimated that in
2006, 50% - 70% of electronic waste was exported
to developing countries
9. Environmental Risks
• Comprehensive Environmental Response Compensation
and Liability Act (CERCLA)
– a.k.a. “Superfund”
– Certificates of Recycling – “certification”
– Deep Pockets Ruling
• State by State Regulations
– What’s legal in one state is illegal in another
• A ‘Certificate of Recycling’ is meaningless
• Ask for Pollution Liability Insurance - $5 Million
14. Accounting System – Social Security Number
15. Data Destruction Dilemma
Revenue or Neutral/Cost
• Physical Data Destruction
– Crushing – HDC
– Shredding – Service / Equipment
– Visual verification
• Sanitization
– Single Pass, Triple Pass, 7 pass, 29 pass, zillion pass
– DBAN
– Active Killdisk
– Ontrack – Data Erasure
– Blancco
• Degaussing
17. Profile Privacy Breaches
• Identity Theft - On the rise
– 22.4 Million Sensitive Records Breached in 2011
– Costs $53 Billion annually
– Costs $4,800 per individual
– Costs public companies – 5% stock value
• Sony
• Epsilon
• HealthNet
19. Bringing Peace of
Mind to Data Privacy
• Look for a NAID Certified Service Provider
20. Considerations for Process Enhancements
• Chain of Custody
– How long do drives sit around before destruction?
– Where/How are they stored?
– Can they accidentally be picked up for reuse?
• Quality Assurance on Sanitization
– How are disks validated? (Every day, lot, each… never)
– Forensics Software?
• Encase
• RTT Toolkit
– Different types of interfaces – SCSI, FibreChannel
• MOST IMPORTANT: Process and Controls – It’s Usually Human Error
21. Considerations for Process
Enhancements
Where things go wrong:
Physical Destruction
• No timely destruction - they sit around
• Mistaken for wiped drives – so not crushed
• Inadvertent reuse
Sanitization
• Little or no QA/QC
• False negatives from faulty hardware
• Interfaces
• Mistaken for wiped drives
22. Considerations for Process
Enhancements
NAID (Preliminary)
•Physical Destruction Process Outline:
– IT, Surplus or Vendor Team removes
equipment from end user – transports
and places in secure area
– Equipment is cataloged
– Drive is removed and cataloged
– Immediately crushed
– Subsequent shredding for recycling
23. Considerations for Process
Enhancements
NAID (Preliminary)
• Sanitization Process Outline
– IT, Surplus, or Vendor Team removes equipment from end
user – transports and places in secure area
– Equipment is cataloged
– System is sanitized
– Forensics verification – manager, outside firm
– Labeled
– Drive is removed and cataloged
– System is sanitized
– Forensics verification – manager, outside firm
– Labeled
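An added example (not part of the original presentation) of the per-drive QA step in the sanitization outline above: every cataloged drive gets its own check before it is labeled, and anything not conclusively clean is routed to physical destruction. It assumes a zero-fill wipe; the function names, serial numbers and in-memory images are constructed for illustration.

```python
import io

BLOCK = 64 * 1024  # bytes per read (assumed chunk size)

def scan_for_residue(dev, fill=0x00, max_hits=5):
    """Read the whole logical address space; return (bytes_read, dirty offsets)."""
    hits, offset = [], 0
    dev.seek(0)
    while chunk := dev.read(BLOCK):
        if chunk.count(fill) != len(chunk) and len(hits) < max_hits:
            hits.append(offset)
        offset += len(chunk)
    return offset, hits

def validate_drive(serial, media, dev, expected_size):
    """Decide the label for one cataloged drive after it has been wiped."""
    size, hits = scan_for_residue(dev)
    if size != expected_size:
        # Faulty hardware or interface: a partial read must not pass silently.
        status = "FAIL: short read, destroy physically"
    elif hits:
        status = "FAIL: residue found, re-wipe or crush"
    elif media == "ssd":
        # A logical read cannot see blocks hidden behind the flash translation layer.
        status = "INCONCLUSIVE: destroy physically"
    else:
        status = "PASS: label as sanitized"
    return {"serial": serial, "status": status, "residue_at": hits}

def validate_lot(lot):
    """Validate each drive in the lot; no drive inherits another drive's result."""
    return [validate_drive(*entry) for entry in lot]

def sample_lot():
    """Constructed sample data: byte buffers stand in for block devices."""
    size = 4 * BLOCK
    dirty = bytearray(size)
    dirty[3 * BLOCK + 100:3 * BLOCK + 111] = b"123-45-6789"  # fake leftover record
    return [
        ("HDD-0001", "hdd", io.BytesIO(bytes(size)), size),
        ("HDD-0002", "hdd", io.BytesIO(bytes(dirty)), size),
        ("SSD-0003", "ssd", io.BytesIO(bytes(size)), size),
        ("HDD-0004", "hdd", io.BytesIO(bytes(size - BLOCK)), size),  # truncated read
    ]

if __name__ == "__main__":
    for result in validate_lot(sample_lot()):
        print(result["serial"], "->", result["status"], result["residue_at"])
```

Against real media, `dev` would be the drive's block device opened read-only in binary mode, with `expected_size` taken from the catalog entry made when the drive was removed.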
24. Solid State Hard Drive
Technology
25. Solid State Hard Drives
• Reverse Engineered to mimic Magnetic HD Architecture
• Flash Translation Layer
• Lack of G-List
• In the race to go to market, SSD manufacturers were inconsistent in their adherence to the SATA standard.
• This has rendered wiping/sanitization software unable to perform a conclusive validation.
[Diagram labels: Magnetic HD, SSD, FTL]
26. Are You Protected in the Event of a
Data Privacy Breach?
• Do they have sufficient insurance? $1M Errors & Omissions
• Privacy Liability ($250,000)
– Notification/Credit Monitoring
– Public Relations Expenses
• Bodily Injury Coverage
– For those who claim emotional distress & mental anguish
• Hammer Clause (for frivolous suits)
• You shouldn’t have to worry about if a claim will be paid
27. Data Privacy – Have You Considered…
• Digital Copy Machines contain Hard Drives
– Capture image of every page copied
• High-end Printers contain Hard Drives
• Smartphones & Blackberries
– Should be treated just as carefully as loose hard drives
– Sanitize Data/Shred SIM Card
28. Reputation Risk
• Many nationwide companies rely on smaller local
recyclers, creating inconsistent practices on how
materials are retired from region to region.
• Often “sham recyclers” simply cross dock and export E-waste to non-OECD countries.
• Invariably, companies are unaware that their E-waste
has not been legitimately broken down and recycled,
but merely exported to countries that are unequipped
to process it properly.
• Environmental watchdog groups are producing exposés in order to make an example out of abhorrent companies.
29. Free E-Waste “Recycling”
Source: Basel Action Network
BAN.org
30. Environmental - Global “Recycling”
Processing Residue along Lianjiang River
Hydrochloric / Nitric Acid Baths
Source: Basel Action Network
BAN.org
31. Reputation Liability:
E-Waste ‘Sting’ Operations
60 Minutes Nov 9, 2008
Frontline, June 23 2009
33. Look for a Nationwide ‘Footprint’
[Map legend: Recycling; Recycling / Sorting; Sort / Audit]
34. Asset Retirement Program – Elements to Consider
• Frequency: 1 time pickup, once per year; Quarterly; Monthly; Weekly
• Space: 0 to 1 Pallets or E cycle Box; 2 to 4 Pallets or E cycle Box; ½ to Full Truckload
• Location: Single Location; Campus; Coastal, Regional, National
• Packing Resources: Plenty of Resources to Pack; Need Resources Sometimes; Packing materials, Inside Removal
• Data Security: Plenty of Resources, Strategic In-house; Do In-House, Need to Check; SW and/or Physical Destruction
• Audit: Plenty of Resources, Strategic In House; Do In-House, Need to Check; Barcode serial #s, Asset tags
• Recycle: Transfer ownership; Recycle Domestic; Global Reman/Reuse; No Reuse; Domestic Only
35. Asset Retirement Program –
Development of Continuum
[Figure: service continuum. Labels: Asset Audit, Serial Number, Asset Tag, Data Destruction, Inside Pick up, Packing, Transportation Logistics, Recycling, Reuse, Resale]
Sample LifeSpan
Service Programs
36. Bringing ‘Peace of Mind’ to IT
Asset Retirement
• Reduce your Liability in 3
Areas:
– Environmental
– Data Privacy
– Reputation
Editor's Notes
We audit our Denver facility every quarter. Other DAM’s are once a year for insurance and ECHO