Naturally, your data destruction policy must handle media leaving the control of your company differently than media simply being reused internally. However, even then, different procedures may apply for media used by different departments. The general rule for the disposal of any data, even when media is reused internally, is that simple deletion and overwriting of data is not enough.
When reusing media, you must create processes whereby your company wipes the old data, validates the data is gone and media can be reused, and then documents the completion of the process. Only upon completion of these steps should you release the storage media for reuse.
Things get more complex with media that leaves the control of your company. Whether you are destroying your old media or reselling it to another party, your data destruction policy must require additional processes. Your policy has to cover the purging and destruction of data and sometimes the physical destruction of media.
But how much destruction is enough?
Gone, Baby Gone
In developing and implementing your data destruction policy, you face the challenge of coming up with a level of destruction that is appropriate for your company's particular situation. Simple deletion and overwriting of data on media your company is retaining and reusing may be appropriate in some instances. In other situations, you may require the total physical destruction of your media that may include disintegration, shredding, incineration, pulverization, or melting your media.
Whether your company is obligated to take certain steps in destroying your data really depends on the laws, rules, or regulations that regulate your company. Regulated industries have requirements in place through a variety of sources. For example, depending on your industry you may have to look to Sarbanes-Oxley, Graham-Leach-Bliley, the Fair and Accurate Credit Transactions Act, or HIPAA for guidance. These laws may say you need to keep your data for a certain period. Check with your tech attorney who can provide guidance on what laws, rules, and regulations apply to your company's situation.
If you are not heavily regulated, you can look to some of the other destruction standards out there. The U.S. Department of Defense standards and methods might be good places to start, but do not forget other sources. Look to international, national, state, and local laws, rules, and regulations for guidance. Look also to international standards such as the National Institute of Standards and Technology's "Guidelines for Media Sanitization."
After your review of the applicable laws, rules, and regulations, you need to add steps to your data destruction policy. Your data destruction policy needs to address how to classify and handle each type of data residing on your media. Your policy needs a process for the review and categorization of the types of data your company has and what kinds can be removed. Classifications and contents of your data will also play a role. Data and media containing confidential information, trade secrets, and the private information of your customers requires the strictest controls and destruction methods. Data and media containing little to no risk to your company may have relaxed levels of control and destruction.
Sign up for CIO Asia eNewsletters.