Thursday, April 18, 2024

NASA Audit Underscores Need for Secure Disposal of Information Technology Equipment

ATLANTA, GA - A recent audit report by a NASA Inspector General (IG) highlights the importance of a secure end-of-service policy and practices related to Information Technology (IT) equipment, according to Blancco, the global leader in data erasure and end-of-lifecycle solutions.

The audit revealed shortcomings in sanitization and disposal processes for electronic media that led to the release of 10 computers slated for resale, nine of which may have contained sensitive Space Shuttle-related data. These findings prompted the IG to recommend stricter procedures, including a recommendation that requires a separate, offline verification sampling of excess IT equipment to ensure data is gone, a very costly process in certain situations.

"While the IG recommends offline verification testing for 20% of media slated for reuse or disposal, in practice this methodology requires manual labor and is often cost prohibitive, especially when a high sampling rate is involved," said Markku Willgren, president of US Operations for Blancco.

Rather than sampling just a percentage of devices after the fact in an offline mode, for complete security, organizations need failsafe, auditable processes that can thoroughly erase 100% of data from all decommissioned computers, and also log results for each computer before it is disposed of and leaves the premises. These processes should utilize networked tools that not only erase multiple drives at once, but also log detailed erasure results for each computer and report them to a central database in an online mode.

The IG's report identified that the four NASA centers under review either failed to verify data removal, did not notify managers when computers contained data after verification testing, used unapproved sanitization software, or used approved software for sanitization that did not verify erasure status, such as freeware and firmware-based tools. In addition, the centers introduced additional risk by removing hard drives from computers prior to disposal. To address issues raised by the IG and implement secure end-of-service processes, Willgren suggests the following:

  • Implement a failsafe end-of-service policy that logs sanitization results of every hard drive slated for reuse or disposal, not just a sampled percentage.
  • Require a computer-generated verification report for every sanitized hard drive. Use this report to signal that an asset is now safe to release for disposal, reuse, or resale.
  • Use a certified data erasure tool that automates the verification process, generates detailed erasure reports with hardware serial numbers, and adheres to major industry standards or certifications for data removal such as NIST, DoD, and Common Criteria.
  • Never remove a working hard drive from a device before it is erased. While this seems convenient, it poses the risk of a loose drive with sensitive data that is easily lost. Only grant permission for drive removal once a successful erasure log is recorded to a database.
  • Require contractors to perform a sample offline recovery attempt, for example, for every 500th computer sanitized, to provide additional assurance and verify erasure tool performance.
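One way to turn the recommendations above into a release gate, as an added example (not Blancco's or NASA's code): an asset leaves the premises only if every drive serial has a verified erasure log from an approved tool, and every Nth sanitized computer is flagged for an offline recovery attempt. The record fields, asset tags and serial numbers are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ErasureRecord:          # hypothetical shape of one central-database log row
    drive_serial: str
    tool_approved: bool       # tool is on the organization's approved list
    verified: bool            # tool confirmed erasure status, not merely ran
    seq: int                  # order in which the row was written

def release_decisions(assets, records, sample_every=500):
    """assets: {asset_tag: [drive serials]} -> {asset_tag: (decision, reasons)}."""
    latest = {}
    for rec in sorted(records, key=lambda r: r.seq):
        latest[rec.drive_serial] = rec      # a later re-erase supersedes a failure
    decisions, sanitized = {}, 0
    for tag, serials in assets.items():
        reasons = []
        if not serials:                     # drive pulled before it was erased
            reasons.append("no drive in chassis; locate and erase the loose drive")
        for serial in serials:
            rec = latest.get(serial)
            if rec is None:
                reasons.append(f"{serial}: no erasure log")
            elif not rec.tool_approved:
                reasons.append(f"{serial}: erased with unapproved tool")
            elif not rec.verified:
                reasons.append(f"{serial}: erasure not verified")
        if reasons:
            decisions[tag] = ("HOLD", reasons)
            continue
        sanitized += 1                      # only fully logged computers count
        if sanitized % sample_every == 0:   # page's example: every 500th computer
            decisions[tag] = ("SAMPLE_OFFLINE", ["offline recovery attempt due"])
        else:
            decisions[tag] = ("RELEASE", [])
    return decisions

# Constructed sample data (asset tags and serials are made up).
ASSETS = {"PC-001": ["SN-A1"], "PC-002": ["SN-B1", "SN-B2"], "PC-003": ["SN-C1"],
          "PC-004": ["SN-D1"], "PC-005": [], "PC-006": ["SN-F1"]}
RECORDS = [
    ErasureRecord("SN-A1", True, True, 1),
    ErasureRecord("SN-B1", True, True, 2),    # SN-B2 was never logged
    ErasureRecord("SN-C1", True, False, 3),   # first pass did not verify
    ErasureRecord("SN-C1", True, True, 4),    # re-erased and verified
    ErasureRecord("SN-D1", False, True, 5),   # unapproved tool
    ErasureRecord("SN-F1", True, True, 6),
]

if __name__ == "__main__":
    for tag, (decision, why) in release_decisions(ASSETS, RECORDS, 2).items():
        print(tag, decision, "; ".join(why))
```

The sample run uses a sampling interval of 2 so the offline-sample path is visible with six assets; the default matches the every-500th figure given above.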

Blancco is the proven data erasure solution for millions of users around the globe. As the global leader in data erasure and end-of-lifecycle solutions, Blancco offers the most certified data erasure solutions within the industry.