Even at their most basic, information security programs are complex and include a seemingly endless combination of controls to detect, prevent and respond to data loss. The overlay of privacy mandates – some imposed by law, others by contract or internal data retention policies – further complicates the role of information security personnel. An organization’s sensitive data, for example, must be protected against all enemies until it is no longer needed or no longer lawful to retain. At that point, that very same data must be eliminated effectively.
Although most companies are mindful of the need to sanitize data when repurposing or disposing of technology (a situation familiar to all technology refresh programs), many fail to recognize where all of their sensitive data resides. Consider for example that the Federal Trade Commission (FTC) felt the need to release guidance in 2017 solely dedicated to digital copier data security. As the FTC pointed out, “Digital copiers often are leased, returned and then leased again or sold. It’s important to know how to secure data that may be retained on a digital copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own.” Now consider how the FTC’s caution about copiers might apply to entirely outsourced infrastructures where sensitive data routinely rests on leased and often re-assigned third-party systems.