UK Conference 2018_Hardware Asset Disposal best practice in 2018_Steve Mellings
1. The ITAM Review UK Conference 2018
Hardware Asset Disposal Best Practice
Steve Mellings, ADISA and DPG
2. The ITAM Review UK Conference 2018
Agenda
• Business Case for Best Practice
• Importance of Hardware Asset Disposal
• Best Practice Internally
• Best Practice Externally
3. The ITAM Review UK Conference 2018
Business Case for Best Practice
Each company must identify its own business imperatives / drivers.
Some Suggestions:
• Financial
• Operational Efficiency
• Latent drag due to poor control mechanisms.
• Regulatory / Legal Compliance
• Risk Management
• Competitive Advantage
• Customer Confidence
• IP Protection
Identify your primary and secondary objectives
4. The ITAM Review UK Conference 2018
Business Case for Best Practice
5. The ITAM Review UK Conference 2018
Business Case for Best Practice
6. The ITAM Review UK Conference 2018
What is THE biggest challenge?
PERCEPTION
7. The ITAM Review UK Conference 2018
Why is Hardware Asset Disposal Important?
• Data
• Brand
• ££ $$ €€
• Environment
8. The ITAM Review UK Conference 2018
Starting with a definition
“Any situation where the organisation transfers custody of an ICT asset to a third party for management or processing, whether on a temporary or permanent basis.”
10. The ITAM Review UK Conference 2018
Best Practice Internally
Step 1: Policy
Why? No policy = No control.
No control = Non-compliance
Step 2: Departmental Process
Why? Ignorance is no excuse
Repetition = Control
Step 3: Assessment and Audit
Why? What’s happening at the coal face?
11. The ITAM Review UK Conference 2018
Step 1: Policy
Should include:
Who? Is responsible.
Where? Do we do this?
What? Is included?
How? Do we achieve our objectives?
Assurance? How can I prove it?
13. The ITAM Review UK Conference 2018
Step 1 : How do we achieve our objective?
Media Type           | Sanitisation Method              | Approved means of Sanitisation
Magnetic Hard Drive  | HMG IA5                          | CAPS Approved Product
Solid State Drive    | Purge NIST 800-88 Rev 1          | ADISA Tested Product
Smart Phones Android | Battery removed then destruction | 8mm Shred
Smart Phones iOS     | Factory Default but audit trail  | ADISA Tested Product
Magnetic Tape        | Destruction                      | 8mm Shred then Incineration
14. The ITAM Review UK Conference 2018
Step 2: Process
This will be dependent on your own business environment
but should include:
- Clear operational processes to ensure policy is complied with.
- Identified audit points to ensure compliance.
- Identified owners of the process.
- Evidence that process has been cascaded to key participants.
- Supported by training.
15. The ITAM Review UK Conference 2018
Step 3: Assessment and Audit
“Quis custodiet ipsos custodes?” (Who will guard the guards themselves?)
16. The ITAM Review UK Conference 2018
Best Practice Externally
Step 1: Specification of Service
Why? The industry is replete with organisations who say one thing and do another.
Why? Law and regulation are all about control.
Step 2: Tender Process
Why? Thorough and professional vendor assessment.
Why? Lowest bid rarely provides the best service.
Step 3: Assessment and Audit
Why? What’s happening at the coal face?
17. The ITAM Review UK Conference 2018
Step 1: Specification of Service
Where? On-site / off-site.
How? Logistics.
Security Countermeasures? e.g. staff vetting.
Controls? Chain of custody is key.
Sanitisation? By media type.
Vendor Requirements? They are a DATA PROCESSOR.
Contract
18. The ITAM Review UK Conference 2018
Step 2: Tender
Weighting?
Reference your objectives, but please don’t weight price to the detriment of all else.
Specification of Service?
Should reflect your own policy.
Credentials?
Certifications / Insurances / Permits
Performance Targets
Time to data safe
Contract
19. The ITAM Review UK Conference 2018
Step 3: Audit and Assessment
• Unannounced.
• Security of processing to include:
o Physical Security.
o Process Control and Contamination.
• Sanitisation
o Forensics on media
• Contract Compliance
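The policy table by media type, the chain-of-custody control and the time-to-data-safe performance target above can be turned into concrete audit points. The following Python is an added illustration and is not code from the presentation, ADISA or DPG; the 72-hour target, the disposal record fields and the sample assets are assumptions made for the example.

```python
from datetime import datetime

# Policy table from the "How do we achieve our objective?" slide:
# media type -> (sanitisation method, approved means of sanitisation).
SANITISATION_POLICY = {
    "magnetic_hdd": ("HMG IA5", "CAPS Approved Product"),
    "ssd": ("Purge NIST 800-88 Rev 1", "ADISA Tested Product"),
    "smartphone_android": ("Battery removed then destruction", "8mm Shred"),
    "smartphone_ios": ("Factory Default but audit trail", "ADISA Tested Product"),
    "magnetic_tape": ("Destruction", "8mm Shred then Incineration"),
}
TIME_TO_DATA_SAFE_HOURS = 72  # assumed performance target, not a figure from the deck

def audit_disposal_record(rec):
    """Return the findings for one disposal record; an empty list means compliant."""
    aid, findings = rec["asset_id"], []
    policy = SANITISATION_POLICY.get(rec["media_type"])
    if policy is None:
        return [f"{aid}: media type {rec['media_type']!r} is not covered by policy"]
    method, means = policy
    if rec.get("method") != method:
        findings.append(f"{aid}: method {rec.get('method')!r} is not the policy method {method!r}")
    if rec.get("means") != means:
        findings.append(f"{aid}: means {rec.get('means')!r} is not the approved means {means!r}")
    # Chain of custody: every hand-off needs both a releasing and a receiving signature.
    for hop in rec.get("custody", []):
        if not (hop.get("released_by") and hop.get("received_by")):
            findings.append(f"{aid}: hand-off to {hop.get('to')!r} lacks a dual signature")
    # Time to data safe: evidence of sanitisation must exist and fall within the target.
    if not rec.get("sanitised_at"):
        findings.append(f"{aid}: no sanitisation evidence on file")
    elif rec.get("custody"):
        released = datetime.fromisoformat(rec["custody"][0]["at"])
        hours = (datetime.fromisoformat(rec["sanitised_at"]) - released).total_seconds() / 3600
        if hours > TIME_TO_DATA_SAFE_HOURS:
            findings.append(f"{aid}: {hours:.0f}h to data safe exceeds {TIME_TO_DATA_SAFE_HOURS}h target")
    return findings

# Constructed sample records (not real assets): one compliant, one with method,
# custody and evidence failures, and one that breached the time-to-data-safe target.
SIGNED = {"to": "vendor", "at": "2018-05-01T09:00:00",
          "released_by": "A. Smith", "received_by": "B. Jones"}
SAMPLE_RECORDS = [
    {"asset_id": "LAP-001", "media_type": "ssd", "method": "Purge NIST 800-88 Rev 1",
     "means": "ADISA Tested Product", "sanitised_at": "2018-05-02T15:00:00", "custody": [SIGNED]},
    {"asset_id": "PHN-014", "media_type": "smartphone_android", "method": "Factory reset",
     "means": None, "sanitised_at": None, "custody": [dict(SIGNED, to="courier", received_by=None)]},
    {"asset_id": "SRV-007", "media_type": "magnetic_hdd", "method": "HMG IA5",
     "means": "CAPS Approved Product", "sanitised_at": "2018-05-10T09:00:00", "custody": [SIGNED]},
]
```

Running `audit_disposal_record` over each record gives the per-asset findings an unannounced audit would raise; an asset whose media type is absent from the policy is itself a finding, since the policy did not say "what is included".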
20. The ITAM Review UK Conference 2018
What does good look like?
• Excellent Inventory Control.
• Proven means of sanitisation.
• Excellent third party processing partner.
• Contracted and Controller.
• Reporting mechanism for assurance.
22. The ITAM Review UK Conference 2018
References
ICO
https://ico.org.uk/media/for-organisations/documents/1570/it_asset_disposal_for_organisations.pdf
National Cyber Security Centre
https://www.ncsc.gov.uk/guidance/secure-sanitisation-storage-media
National Computing Centre
http://adisa.global/wp-content/uploads/2018/05/A9R3969.pdf
ADISA
https://adisa.global
23. The ITAM Review UK Conference 2018
Thank You
50 Brook Street, Mayfair, London, W1K 5DR, United Kingdom
www.dpgovernance.com / www.adisa.global
sm@dpgovernance.com / steve.mellings@adisa.global
Data Protection Governance Ltd
Asset Disposal and Information Security Alliance