Levi, Ray & Shoup, Inc.

The secrets you keep

10/6/2022 by Patrick Schmidt

In my last blog post, I began with the definition of “wonder.” In the text I marveled at the progress we have made from the early days of the microchip until now. But the hardware itself is not the only thing that leaves me in awe.

I am also amazed by the amount of data that is created, transmitted, and stored each day. All of that data needs to be secured.

It’s Cybersecurity Awareness Month, which means it’s the perfect time to talk about the security aspect of Asset Lifecycle Management. When it’s part of a comprehensive privacy and information security plan, Asset Lifecycle Management ensures any sensitive or confidential data stored on your equipment is protected from cradle to grave.

What is sensitive data? Privacy professionals normally classify data into four categories: public, internal, business confidential, and privacy restricted.

An example of public data is a website or advertising materials, and internal use could be something like sales plans or internal memos. Business confidential is more sensitive with items like company financials or trade secrets. Privacy restricted is the most sensitive and would include things like social security numbers and health records.

The types of data an organization handles will dictate the level of care necessary to protect the information and drive asset lifecycle choices.

For example, when I was working with a regional hospital in Minnesota, I proposed they add Defective Media Retention to the storage arrays for their Health Records Information Management (HRIM) system. Initially there was no interest, but I suggested we consult with their privacy and legal teams to be sure.

The chief legal counsel and chief privacy officer were shocked to learn that any disk drive would leave their facility. The difference in perspective from the datacenter to the c-suite revolved around the risk that defective drives could contain accessible confidential or restricted information. The risk of a breach and subsequent financial losses and public relations damage ultimately outweighed the cost of the service.

These days, encrypting drives has mitigated a portion of this risk, but many organizations still choose to retain their defective media. Why? Sometimes, complying with a specific law or regulation is eased when retaining the media. In addition, some organizations are highly risk averse and feel more comfortable knowing they control the ownership and final destruction of the asset.

Sometimes, data exists on devices where you least expect it. Consider the photocopier, for example.

Unlike the first automated photocopy machine introduced by Haloid Xerox in 1959, today’s machines are more like computers that happen to print and have some sort of hard drive or persistent storage. In fact, nearly every copier made since 2002 has some type of hard drive in it.

What’s on the drives? That depends on the business, but a CBS News Investigation showed it could be anything from criminal records to Social Security numbers to patient medical histories. All this data would be considered privacy restricted but was obtained easily (and legally) by purchasing used copiers with full hard drives and deploying easily obtained tools. Simply removing and destroying the drives would have kept the data confidential.

This month, as we consider a multitude of cybersecurity topics, don’t forget the devil is in the details. Asset Lifecycle Management considerations should be part of your overall cybersecurity plan. After all, hoping no one discovers social security numbers on a discarded storage device is not a strategy, it’s a risky bet.     

Patrick Schmidt is a Technology Lifecycle Management Specialist with LRS IT Solutions. For more than 23 years, he has been helping customers get a firm grasp on their asset and contract management with a combination of comprehensive service level analysis and lifecycle management best practices.