Welcome to the ninth issue of ISO 17799 News, designed to keep you abreast of developments and news with respect to ISO17799 and information security.
The newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.
Included in this edition are the following topics:
DISPOSAL OF OLD OR OBSOLETE EQUIPMENT
"Equipment owned and/or used by the organization should only be disposed of in accordance with approved procedures including independent verification that the relevant security risks have been mitigated".
This policy addresses the issues that should be considered when disposing of old computer hardware, whether for recycling/scrap or for use by others. One security risk is that the hard disk inside a unit has not been completely or properly wiped. A practical example is old EPOS equipment: old credit card information is saved on the hard disk and, if not erased properly before disposal, could easily be accessed. In this scenario, a retailer with an EPOS system has a legal and ethical duty to its consumers to protect their data from fraudulent use.
When implementing a policy on the disposal of old computer equipment, a wide variety of issues and scenarios need to be considered, such as:
- Legacy data from old systems can still remain accessible and thus compromise the confidentiality of information.
- The disposal of old equipment can prevent the restoration of its associated data files on which you may be relying.
- Breaches of health and safety requirements threaten the well-being of your staff and render you liable to prosecution.
- Inadequate planning for the disposal and upgrade of entire systems can threaten business continuity and result in severe loss.
- Equipment used periodically but infrequently may be disposed of accidentally.
- During the legitimate disposal of unwanted equipment other items can be 'lost' or stolen.
If any of these issues sound far-fetched, think again. Our incident archive is packed with examples of serious problems resulting from uncontrolled disposal.
This topic is dealt with in various sections of ISO17799, including 7 and 8.