[Dataloss] hard drive destruction

DAIL, ANDY ADAIL at sunocoinc.com
Wed Aug 16 14:45:40 EDT 2006


Very excellent points. 

This whole security and accountability issue adds a new level of
complexity to outsourcing and offshoring IT capabilities.  Data breaches
aside, when SoX moves from 404 to 409, I cannot help but wonder how some
business entities will demonstrate compliance, when all of their
physical data handling occurs outside of their physical control.  It is
deceptively easy to comply with security requirements on paper.

Of course, the Information Security ISO 17799 and ISO 27001 will add
additional levels of complexity.  The combination of executive
accountability (in terms of actually going to jail) for financial data,
and the vulnerability of personal data (often stored on the same
systems) will make the next 5 years.... Interesting.



Andy Dail
Sunoco PCI Project Manager



-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Al Mac
Sent: Wednesday, August 16, 2006 12:53 PM
To: dataloss at attrition.org
Subject: Re: [Dataloss] hard drive destruction


I agree that it is best to have professionals do the obliteration,
because most businesses do not have personnel with relevant skills and
check lists to take care of all computers they are done with.  However,
there needs to be certification that the professionals actually do what
they contracted to do.

There have been breaches where some computer trade-in place was supposed
to wipe disk on the old system, then the used market gets the
confidential data not erased.  The computer trade-in place had dropped
the ball.

This also applies to passing old company computers to employees, or
sales direct to other companies who accept hand me down equipment.
There have been breaches in that area also.

Al Mac


_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss Tracking more than 142 million compromised
records in 303 incidents over 6 years.


