Jeff Kramer

Solutions Architect
Practice Advisory and Consulting Services

How Durable are Your Risk Mitigation Processes?

When developing ITAD processes, understanding the world in which that process will operate is critical to achieving asset security. A useful way to do this is to keep the concept of process durability in mind. Identifying potential sources of process failure forces you to clarify the environment the process lives in. A durable process is one whose design has considered the environment in which it will operate and has accounted for it.


Update ITAD Data Security Strategies to Improve Social Outcome

ITAD data destruction and sustainability are a point of policy confluence where taking a broader view of secondary impacts can deliver positive results in all aspects of the triple bottom line. By favoring destruction methods that preserve the functionality of the equipment, data destruction policies can enable broader social, financial, and environmental benefits.


Regulatory Frameworks Must Adapt to Ensure a Line Can Be Drawn Between Compliance and Ability to Protect Data

You know, I always had disdain for the professors in high school and college who based part of their grade on whether or not you did your homework. It seemed like a way for them to look good without having to really validate the student’s knowledge of the material. I always felt homework was a means to an end. Shouldn’t I truly be scored on the end and not the means?  (In case you haven’t inferred it, I was not a fan of homework.)


Survey Reveals Why We Need Security Policies

I like statistics. They always come through. Absolute truth is not easily obtained, but you can always count on statistics to help you gain insight. In our recent Earth Day survey, we asked respondents questions designed to measure their awareness around the issues associated with e-waste. The results were encouraging.


Earth Day is Personal - Protect Your Planet to Protect Your Data

Many states have data breach laws that hold healthcare providers, credit card companies, and banks accountable for being irresponsible with consumers' personal data. If your bank has a lax corporate data security policy and loses your data, it will be required to disclose the breach. But what is your personal data security policy? No government regulator requires us to handle our own personal data responsibly. We alone are responsible for having a data security strategy.


Risk Manager ... Meet Your IT Asset Manager

If you are a Risk Manager and you’ve not met your IT Asset Manager, you should.  You should become one of their best friends…get on each other’s Christmas card list.  Why?  Because when you do, you’ll find an ally that is itching to make your job easier.  You’ll find someone who has been trying (and trying, and trying) to get senior leadership to understand that IT Asset Management is more than just keeping an inventory.  It’s about maximizing the return on technology investments and (more importantly to you) it’s about using process and data to mitigate data breach risk.


Keep It Simple to Keep It Safe

Recently, I listened to comments from Ron Ross, a Senior Computer Scientist with NIST. In this roundtable discussion, Ross connects the dots between risk management and complexity. Ross is the chief author of Special Publication 800-53, NIST's security controls guidance, so he ought to know a thing or two about mitigating risk.


Bring Your Own Device Calls for Compromise

As IT security and risk management professionals look at how best to address the complications that the impending wave of BYOD (a.k.a. consumerization) brings, they will have to sell end-users on one idea: compromise.


Overcoming Bias for True Risk Mitigation

I recently came across a presentation recording by computer-security expert Bruce Schneier in which he discusses the security biases all people have and how these biases can prevent us from truly improving our security. Schneier is known for his writings on security theater: measures that make us feel more secure without necessarily making us more secure.


Physical vs. Systematic Data Destruction: Risk Management Implications

I was recently asked to write a briefing document for use by a customer in their internal deliberations around methods for data destruction. They were debating which data security process would best ensure satisfaction of their Health Insurance Portability and Accountability Act (HIPAA) regulatory obligations, and asked that I discuss the compliance implications of physical destruction of hard drives versus overwriting.
