Information Security

by Andy Taylor

Getting rid of information

When considering information security, it is vital the whole of the lifecycle of the information is considered. It starts with how it is created, then stored and processed and, finally (and most often forgotten), how it is destroyed or otherwise disposed of.

Stories (not always apocryphal!) abound of hard drives from computers bought on E-bay with vast quantities of personal information still stored on them, of filing cabinets bought at second-hand office furniture stores and found to have secret files in the bottom drawer, of paper files of hospital patients’ details found in a sack on a roundabout, having fallen out of a van belonging to the contractor supposedly removing classified waste for secure disposal. The stories go on and on and yet it seems we are reluctant to learn from these mistakes.

It is foolish to think that just because you have finished with a piece of information there is no longer any value in it. It is also foolish to think that no one else would be interested in the information you are throwing away. On a personal level, we have all been warned repeatedly about identity theft and told to shred relevant information when no longer required.

This becomes even more important when an organisation is dealing with other people’s information or information that could cause embarrassment if someone inappropriate were to access it. It is therefore vital that the disposal of information should be considered as part of the overall information management system.

Safe disposal or deletion

It is a fairly obvious requirement that obsolete paper records should be shredded. It could be very sensible to provide shredders for staff to use before the scraps are taken away for recycling or other disposal. Good quality shredders can also be used for CDs and credit cards and this, again, could be a sensible precaution.

Deleting electronic files is a different problem. It is often said that once a file or piece of information is put onto the internet it will never be deleted – copies of it will be available for many years to come, if not forever. It is also sometimes said that once information is available on the internet, the originator has lost ownership of it. While there will be legal experts who challenge that view, there is no doubt that it is very difficult to control information put onto the internet.

Mention is made elsewhere in this section about the risk of allowing equipment to be taken off-site before it is properly cleared of all information. Deleting a file on a computer does not actually remove the data that file contains. All it does, in effect, is to remove the address of the information. If that address can be reconstructed (through any number of freely-available utilities designed for this purpose), then the information can be recovered, often very easily. Encrypting information on computers makes it more difficult to recover and, for more sensitive or valuable information, this may be the option to choose.

This is not just a matter of computers. Other devices, such as fax machines, photocopiers, printers and the commonplace multi-function devices (MFD), often contain hard drives that store the information put into them. There can be serious security issues if the organisation leases such devices, needs them repaired or wishes to dispose of them. With MFD in particular, the hard drive may contain huge quantities of information. It is likely that a very capable device may have the capacity to store up to half a million documents which have been processed by the machine as a printer, fax or scanner. If that MFD is then taken away for repair or for sale as used equipment, its hard drive will still be in situ and so will all the documents it stores. In organisations where security is a very high priority, it is common to have devices crushed by a specialist disposal company when they have reached the end of their useful life.