Opinion: Data Security Tips for CIOs

Security issues are on the minds of all CIOs these days. Whether the CIO of a 1,300-student liberal-arts college or that of a 13,000-employee Fortune 100 company, never before has the issue of data security been more important.

Besides a record-breaking year of data breaches, legislation such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA mandates new security protocols that must be followed or violators face severe penalties.

At Catawba College, network, computer and information security concerns have been a major focus of our information technology work for the past several years, as evidenced by our campus-wide 802.1x network authentication and our CatNet Connect process to clean and secure student computers before allowing them to connect to the residence hall network.

As we faced the prospect of a hardware refresh for about 500 personal computers on campus, it was only natural for us to be concerned about how to dispose of the outgoing equipment in a secure and environmentally friendly way.

For the environment’s sake-and to benefit the community-we decided to donate our used equipment to a local organization that trains middle school and high school students to refurbish computers, which are then donated to needy families. From an information security perspective, it was essential that we ensure all confidential data was completely eliminated from the hard drives in a manner that would preserve the drives.
As we investigated ways to completely remove the data from hard drives in a nondestructive manner, we immediately eliminated two options-degaussing and mechanical destruction-because both failed to meet our reusability criteria. The magnetism of degaussers destroys the read/write head, rendering the hard drive inoperable. And mechanical destruction is very harmful to the environment because it requires drives to be ground into tiny pieces, releasing a variety of toxic chemicals.

Although they passed the reusability test, the software overwrite methods we had traditionally been using to clear hard drives fell short in some key areas. First, these methods are labour-intensive and very time-consuming. A typical 120GB hard-drive triple-overwrite process can take four hours or longer to complete and the process must be physically monitored for security purposes.

Second, these methods lacked the level of automated logging that we required. For information security and auditing purposes, it was imperative that the hard-drive sanitization procedure be completely documented, without exception, and without the possibility for error.

Ultimately, we chose the Digital Shredder, from Ensconce Data Technology. The Digital Shredder is about the size of an average suitcase, has a familiar touch-screen interface and accommodates up to three hard drives. It sanitizes drives by activating the Secure Erase technology built into the hard drives by the manufacturer.

Secure Erase is a very fast method of nondestructive drive sanitization. It is defined by NIST SP 800-88 as “purge” technology and is recommended as the best nondestructive method available for sanitizing hard-drive data. Security measures include three independently locking hard-drive bays, as well as detailed audit logs.

And printed certification labels are produced automatically upon a successful sanitization, which provides an easy way to inventory and track our drives. And the Digital Shredde’s reformatting and image capability allows our IT staff to quickly and easily apply the standard software install to machines when receiving new hard drives or redeploying hard drives throughout the network.

Although our major technology refresh is now behind us, the many lessons we learned during the process have paid numerous dividends, including piece of mind for data security and the satisfaction of doing our part in helping others, as well as protecting the environment.

Joanna Jasper, CIO, directs the information technology programs at Catawba College in North Carolina. Previously, Jasper was an assistant director of business computing at Wake Forest University and a senior software engineer for a higher-education enterprise resource planning software vendor.

Related content:

Top 10 security traps

Access policies can unlock database value

Security expert lauds Newfoundland’s response to data breach

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now