While more than a month has gone by since the devastating Hurricane Sandy hit the East Coast, the photographs and videos of the incredible destruction will be hard to forget. During a disaster, the priority must be the safeguarding of life, but it is important to also think about safeguarding information. I can’t even begin to imagine how much data (in printed or electronic form) has been damaged by the floods and fires that resulted from this storm. We should all evaluate our own ability to secure critical information technology resources from the threat of another disaster.
Information management policies and procedures are important to ensure the confidentiality of an organization’s information. Proper disaster planning begins with documented information management policies and procedures, including identification, classification, handling and destruction.
Information identification should be part of a larger asset management system that allows for the tracking of information resources throughout their lifecycle. As part of an information management program, individuals and organizations must identify the information they have, its sensitivity, and the locations and/or systems in which the information is stored and processed. With the extensive use of information technology today, sensitive data could reside in many different types of systems including printers, copiers, scanners, workstations, laptops, cash registers, payment terminals and others.
The classification of information begins with policies that ensure all members of an organization understand their roles in regard to information management. It is not uncommon for employees to believe that the IT department is responsible for securing the organization’s information and the IT group owns the data. Organizations must ensure that all information has a classification, an owner, and a custodian assigned. The business unit that creates or uses the information is often the best choice to assign a classification and own the data. When making these assignments, organizations should consider the impact that the loss or inappropriate disclosure of the information would have on the organization’s business processes. Many organizations develop an information classification system that includes four levels: Public, Internal Use Only, Confidential and Restricted. The exact classification levels used can vary based upon organizational requirements. The fundamental requirement should be to identify classification levels that support business requirements and provide an ability to ensure proper safeguarding of sensitive information.
Organizations must also define proper handling procedures for information resources. Typically, the handling processes are defined based upon the classification level of the resource. The higher the sensitivity, the more stringent the handling procedures should be. For example, many organizations define handling procedures that require that the most sensitive information be encrypted at rest and in transit, and may prohibit the storage of highly sensitive information on USB flash drives. Handling procedures should be designed to minimize the risk of loss or improper disclosure, balanced against the needs of the business units.
Failure to properly sanitize and destroy media may result in the loss of confidentiality for an individual or organization’s data. For organizations, this could be considered a breach, subject to state data breach laws, and individuals could be at higher risk for identity theft. It is therefore imperative that information management policies include destruction or disposal. Proper destruction methods for information and media on which it is stored vary based upon the sensitivity or classification of the information. For many organizations, physical destruction of media may be sufficient to protect the confidentiality of the information contained on the media. Physical destruction can be accomplished through shredding. Paper, magnetic tape, optical discs, and hard disk drives can all be shredded making the recovery any data from the media very unlikely. In some cases however, organizations may want to use additional steps before physical destruction including degaussing magnetic media and/or rewriting data to the media over multiple passes to ensure the original data is not recoverable. Many organizations have existing media destruction policies which are often implemented through the use of third parties which specialize in media destruction.
In the case of Hurricane Sandy, the extensive flooding and fires resulted in significant amounts of damage. Organizations impacted by this storm should have ensured for the proper disposal of damaged and destroyed information resources. For example, it is likely that there are many computer systems that are no longer serviceable because of flooding; however, it is likely that that recoverable data may still reside on the hard disk drives in the computers. The equipment must be properly disposed of to prevent the possibility of improper disclosure.
I sincerely hope that those individuals and organizations impacted by Hurricane Sandy have recovered, and that their data has remained secure. And for those of us lucky enough to not be impacted by this storm, let’s ensure that we are properly prepared for the next disaster that may come our way by strengthening our information management procedures now.
See original article at Forbes CIO Network.