OH: City's computer disposal might pose data-theft risks

[security curmudgeon <jericho () attrition org>]

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.dispatch.com/live/content/local_news/stories/2011/05/02/computer-disposal-might-pose-risks.html?sid=101

By Doug Caruso
THE COLUMBUS DISPATCH
May 2, 2011

Columbus could be placing sensitive data in danger of theft when it 
retires old computers, a security expert warned.

The city's Department of Technology receives guarantees from its 
computer-disposal vendor that hard drives and other data-containing 
computer parts have been destroyed. But city technicians keep no record of 
what they have taken out of service and sent for destruction, The Dispatch 
learned through a public-records request.

That makes it difficult to ensure that all the retired equipment has been 
disposed of properly, said Gene Spafford, a Purdue University professor 
who is executive director of the school's Center for Education and 
Research in Information Assurance and Security.

"If they don't have positive tracking between tracking what's in the 
system and tracking what's being disposed of with one-to-one matches of 
serial numbers, it's possible for someone to steal the equipment without 
anybody knowing about it," Spafford said.

The city government, which handles income-tax records and medical records, 
among other sensitive data, has never lost any of it, said Gary Cavin, the 
city's technology director.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/